With 3.7 billion users and 269 billion messages sent every day, email is the most popular channel of communication in the world. It is also, unfortunately, the victim of its own success and cybercriminals’ favorite medium for company phishing.
What’s more, today’s phishing attacks are increasingly sophisticated. Fraudsters use advanced tactics, including replica email templates and fake yet visually identical landing pages, to deceive their targets, as recently happened in the email scam affecting Netflix users. This threatening environment puts considerable pressure on IT security managers, who must balance efficient corporate email with the proactive detection and prevention of email phishing.
In light of the potential damages ranging from executive identity theft to substantial financial losses to severe reputational harm, this post takes a look at what companies can do to fight back and protect their employees, corporate data, and IT systems.
Start an Anti-Phishing Awareness Program
There is a human-error component to most phishing attacks: one or more misled individuals manually enter sensitive information into a fraudulent form or download an attachment without considering that it could be malicious. The good news is that harmful actions like these are preventable, notably by keeping employees alert to the dangers of email.
For example, you can create an internal security newsletter covering high-profile email phishing cases and detailing how scammers operate. Additionally, you might design learning modules that describe your security policies and what steps to take when phishy emails make it to the inbox.
Keep Track of Malicious Phishing Domains
Another way to mitigate the impact of email phishing is to record and block domain names and IP addresses that have posed a threat in the past. This should be a collaborative effort: anyone noticing suspicious communications should immediately report them to a designated IT security administrator, who can then assess the risk to both the individual(s) concerned and the company as a whole.
You can also integrate public and private databases of blacklisted domains and senders, or even collaborate with a third party offering anti-phishing services if you lack the time or necessary expertise in-house.
Encrypt All Email Communications
Through man-in-the-middle attacks, attackers frequently try to intercept messages between two or more parties in the hope of gaining access to highly sensitive information. They then use what they have learned to make their phishing attacks more credible.
You can significantly reduce the risk of fraudulent interception by ensuring your messages are secure and encrypted. Three email authentication technologies have gained popularity in recent years and may already be supported by your email service provider: SPF, DKIM, and DMARC.
In a nutshell, SPF verifies whether an email’s originating IP address matches those published in the domain owner’s DNS record, bouncing messages otherwise. DKIM adds a digital signature to guarantee that emails and attachments were not modified in transit. DMARC is the overarching layer, instructing recipients on how to handle a message when both the SPF and DKIM verifications fail.
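As an added example (not code from the original post), the following Python sketches the three checks just described on the receiving side: whether the connecting IP appears in the domain's published SPF record, what policy the domain owner published in its DMARC record, and the alignment rule that decides when that policy applies. The domain example.com, its DNS TXT records and the sender IPs are constructed and embedded inline so the code runs offline.

```python
"""Simplified SPF and DMARC evaluation for one inbound message.

Added example, not code from the original post. A real receiver resolves
these TXT records via DNS; here the records for the constructed domain
example.com are embedded inline so the code runs offline. Only the ip4
and all mechanisms of SPF are handled, and alignment is strict (exact match).
"""
import ipaddress

# Constructed DNS TXT records, keyed by the name a receiver would query.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}


def spf_check(domain, sender_ip):
    """Return 'pass', 'fail' or 'none': is the connecting IP listed in the domain's SPF record?"""
    terms = DNS_TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"                      # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
    # The trailing 'all' mechanism decides unmatched senders: -all / ~all mean fail.
    return "fail" if terms[-1] in ("-all", "~all") else "none"


def dmarc_policy(from_domain):
    """Parse the p= tag of the _dmarc TXT record: the owner's requested action on failure."""
    tags = {}
    for item in DNS_TXT.get("_dmarc." + from_domain, "").split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else "none"


def dmarc_verdict(from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """DMARC passes when SPF or DKIM passes AND that check's domain aligns with the
    visible From domain; otherwise the receiver applies the published policy."""
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain
    if spf_aligned or dkim_aligned:
        return "pass"
    return dmarc_policy(from_domain)       # 'reject', 'quarantine' or 'none'
```

The unaligned case matters in practice: a message can pass SPF for some bulk sender's Return-Path domain and still be rejected under DMARC because that domain is not the one shown in From.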
Beware of Man-in-the-Email Attacks
In recent years, cybercriminals have found it highly lucrative to create fake identities and impersonate credible sources. Also known as business email compromise (BEC) or spear phishing, the fraud consists of forging the email address of a senior manager or long-term vendor and tricking victims into revealing confidential details, paying invoices with altered billing details, or transferring money to fraudulent bank accounts.
Employees are usually deceived because they treat such requests as routine tasks or feel the need to comply without asking questions. You can prevent scammers from exploiting these weaknesses by tightening your corporate security policies — always requiring a secondary sign-off via another channel and the go-ahead of at least two department heads for high-value transactions, for example.
On top of that, you can deploy one or more email data loss prevention (DLP) solutions designed to flag potentially dangerous email behaviors, such as replying to a spoofed email address or downloading attachments from an unknown sender.
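As an added example (not part of the original post or of any vendor's product), the following Python applies a few of the heuristics an email DLP or gateway rule set would use to flag the BEC patterns described above: an executive's display name on an external address, a Reply-To that routes answers to a different domain, a lookalike of the corporate domain, and payment language paired with urgency. The corporate domain, executive roster and sample messages are constructed.

```python
"""Heuristic BEC / spoofing triage over constructed message headers.

Added example, not part of the original post. CORP_DOMAIN, the executive
roster and the SAMPLE messages are constructed; a real gateway would take
them from the directory and the live mail stream.
"""
import re

CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}      # display names attackers like to borrow


def _fold(domain):
    """Crude homoglyph folding so exarnple.com / examp1e.com compare equal to example.com."""
    return domain.replace("rn", "m").replace("1", "l").replace("0", "o")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].strip(" >").lower()


def triage(msg):
    """Return the reasons this message deserves review; an empty list means clean."""
    reasons = []
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', msg["From"])
    display, sender = (m.group(1).strip(), m.group(2)) if m else ("", msg["From"])
    from_dom = _domain(sender)
    # 1. Executive name on a non-corporate address: display-name spoofing.
    if display.lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        reasons.append("executive display name from external domain")
    # 2. Replies silently routed to a different domain than the sender's.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    # 3. Registered lookalike of the corporate domain (the real domain is never flagged).
    if from_dom != CORP_DOMAIN and _fold(from_dom) == _fold(CORP_DOMAIN):
        reasons.append("lookalike of corporate domain")
    # 4. Payment request paired with urgency cues, the classic BEC pressure play.
    body = msg.get("Body", "").lower()
    if re.search(r"\b(wire|transfer|invoice|bank details)\b", body) and \
       re.search(r"\b(urgent|asap|immediately|today)\b", body):
        reasons.append("payment request with urgency cues")
    return reasons


SAMPLE = [   # constructed messages: one legitimate, two impersonation attempts
    {"From": '"Jane Doe" <jane.doe@example.com>',
     "Body": "Minutes from today's meeting are attached."},
    {"From": '"Jane Doe" <ceo.office@mail-example.net>',
     "Reply-To": "jane@fastmail-reply.net",
     "Body": "Urgent: wire the vendor invoice today, I am in a meeting."},
    {"From": "ap@exarnple.com",
     "Body": "Updated bank details for invoice 4471 attached."},
]
```

The first sample shows why the rules are combined rather than applied singly: a genuine executive mail mentioning "today" trips no rule on its own, while the spoof accumulates three independent reasons.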
Phishing scams are more sophisticated and credible than ever with cybercriminals using advanced tactics to exploit email users’ weaknesses and organizational security gaps. Bottom line: Companies need to be proactive in combining security best practices and technology to prevent, detect, and eliminate email phishing threats.
Editor’s Note: This blog article was written by an outside contributor – a guest blogger – for the purpose of offering a wider variety of content for our readers. However, the opinions and recommendations expressed in this guest blog are solely those of the contributor, and do not necessarily reflect those of The Security Awareness Company, LLC. If you are interested in writing something for us, please do not hesitate to contact us: firstname.lastname@example.org.