Phishing is the main way that cyberattacks on businesses start and attacks increased significantly during the pandemic. Phishing has also become much more sophisticated and harder to block; however, there are best practices for preventing phishing attacks that can greatly reduce the risk of an attack succeeding. If these best practices for preventing phishing attacks are adopted and routinely followed, the risk from phishing can be significantly reduced.
Phishing is a type of social engineering where attackers try to trick individuals into taking a certain action, such as disclosing sensitive information or executing malicious code. Phishing is most commonly associated with attacks via email (email phishing), and while email is the main vector used in phishing attacks, phishing can be conducted in other ways. Phishing occurs via SMS messages (smishing), over the telephone (vishing), or via social media and other websites (angler phishing).
Phishing can be conducted in large-scale or highly targeted campaigns – spear phishing – where only small numbers of individuals are targeted. Often company executives are targeted to obtain their credentials, as they have far higher privileges and greater access to valuable information. Phishing attacks targeting executives are often referred to as whaling attacks because they target the big fish.
Phishing is the initial attack vector in many cyberattacks. For instance, the biggest malware threat, Emotet, is primarily delivered via phishing emails and phishing is also one of the main ways ransomware gangs gain remote access to victims’ networks. Some of the largest ever data breaches started with a phishing email, such as the hacking of the U.S. health insurer Anthem Inc, which allowed hackers to steal the records of 78.8 million health plan members.
The Most Important Best Practices for Preventing Phishing Attacks
Listed below are the most important best practices for preventing phishing attacks, but before delving into the key anti-phishing best practices to follow, it is important to make one thing clear: there is no silver bullet when it comes to preventing phishing attacks. No single best practice or technical safeguard will block all attacks, and it will not be possible to totally eliminate the threat of phishing.
Cyber threat actors are constantly changing their tactics, techniques, and procedures (TTPs) and even with the most comprehensive anti-phishing strategy, there is the potential for an attack to succeed. The best practices for preventing phishing attacks are concerned with reducing risk to a low and acceptable level and limiting the damage that can be caused as far as is possible. To do that, businesses need to implement several layers of protection.
Implement Technical Defenses to Block Phishing Attacks
There are many best practices for preventing phishing attacks, some of the most important of which involve implementing technical safeguards to prevent individuals from encountering phishing threats.
Email Security
Email is the most common attack vector, so phishing defenses naturally need to include email security solutions. Secure email gateways and spam filters inspect all inbound emails and block phishing emails containing malicious links and dangerous file attachments to stop them from reaching inboxes. Advanced email security solutions are required to combat ever increasingly sophisticated threats and the constantly changing TTPs of threat actors. In addition to blocking messages from known malicious IPs and domains with poor reputations, links in emails must be assessed. All attachments must be checked against antivirus engines and subjected to behavioral analysis to identify novel malware variants. Email authentication measures are also required to verify that the sender of an email is authorized to use an email address/domain, such as DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
Web Security
Web security solutions are required to block the web-based component of phishing – The websites hosting malware, phishing forms, or code that exploits known vulnerabilities and silently downloads malware. Email security solutions will check emails for known malicious links in emails, but web security solutions provide time-of-click protection and will analyze websites in real-time. This is vital as the URLs used in phishing campaigns rarely stay live for long. Web security solutions such as web filters and DNS filters can also be configured to block access to risky websites, where malware downloads often occur.
Patch and Update Software
While credential theft and malware delivery via email are common, employees may be directed to malicious web pages that probe for and exploit unpatched vulnerabilities in software and operating systems. These exploit kits can provide the attackers with access to devices simply by a user visiting a malicious website. It is vital to patch promptly and keep all software up to date and ensure that the latest versions of web browsers are installed.
Provide Security Awareness Training
Technical defenses against phishing are concerned with limiting attacks on individuals but they will block every attack. It is therefore important to provide security awareness training to the workforce to raise awareness of the threat of phishing and other malicious attacks. Employees need to know about the threats they are likely to encounter, learn cybersecurity best practices for reducing risk, and develop the skills to allow them to identify phishing emails. Training should be engaging, have interesting and relevant content, and include computer-based training, classroom sessions, infographics, videos, and other tools to maximize engagement. Security awareness training needs to be an ongoing process and be provided regularly throughout the year. A platform that can provide training in response to real-time events is likely to be the most effective, such as when an individual takes a specific action – opening a malicious email, saving data to an incorrect location, or attempting to email data externally.
Conduct Phishing Simulations
It is important to run phishing simulations. These are mock phishing campaigns that are used to test the security awareness of employees. These simulations provide a baseline against which the effectiveness of training can be assessed and allow security teams to identify weaknesses in defenses. That could be an employee who regularly clicks on links in emails who needs retraining, or certain types of phishing emails that are consistently fooling employees. Phishing simulations are not about catching and punishing individuals. They are about proactively identifying and addressing weaknesses. Without these simulations, businesses will not know where weaknesses exist.
Block Popups
Popups are often used on websites to direct visitors to malicious web pages or harvest credentials. These popups can be found on attacker-owned websites and may be added to compromised legitimate websites. Browsers should be configured to automatically block pop-ups, either through the browser, a dedicated pop-up blocker, or another web security solution.
Use a Password Manager
One of the most often neglected best practices for preventing phishing attacks is to use a password manager. Password managers are used to generate and securely store passwords so they do not need to be remembered by users. These solutions also play a role in phishing defenses. When a user visits a website that requires a password, their password will be automatically filled by the password manager, but only when the domain they land on matches the domain associated with the stored credentials. If the password manager does not auto-fill the password, it is a good indication that the user is not on the correct website, prompting them to carefully check the domain.
Secure all Endpoints
Endpoint security solutions are required on all devices for blocking malware. Traditional antivirus solutions are only effective at detecting and neutralizing known malware, but new malware variants are always being released. It is important to choose endpoint security solutions that are also capable of behavioral analysis to allow novel malware infections to be detected.
Block the Use of Stolen Credentials
When credentials are stolen in phishing attacks, they can be used by threat actors to remotely access systems. In addition to blocking phishing emails and malicious websites, 2-factor or multi-factor authentication should be configured. 2FA and MFA require a further form of authentication in addition to a username and password before access to the account is granted. 2FA/MFA will prevent the vast majority of attacks on accounts using stolen credentials.
Incident Response and Remediation
It is important to develop an incident response plan for dealing with successful phishing attacks. It is easy to focus on best practices for phishing prevention but fail to plan for when an attack succeeds. An incident response plan should be developed to ensure that all individuals involved in the response know what they need to do and in what order. A solid incident response and remediation plan can greatly reduce the damage that can be caused by phishing attacks.
Summary
All of these best practices for preventing phishing attacks should be implemented as part of a defense-in-depth strategy. Should any of these best practices for preventing phishing attacks fail, others will be in place to provide continued protection. Phishing prevention is a continuous process and requires defenses to be regularly evaluated and updated in response to the changing TTPs of cyber threat actors.