phishing - featured image

Everything Businesses Need to Know About Phishing

Featured image by JLStock

Cybersecurity is a top concern for businesses of all sizes, and phishing is one of the most insidious cybersecurity threats any organization faces.

If you aren’t considering fundamentally how to prevent phishing through the use of single sign-on, multi-factor authentication, training, and policies, your company is at a significant disadvantage.

With that in mind, the following is a guide that every business can use to protect against these types of cybersecurity threats in the new year.

What Is Phishing?

Phishing is one of the cheapest and easiest ways for cybercriminals to gain access to information and sensitive data. Victims can endanger the security of an entire organization just by clicking a link. You can also compromise your personal information if you’re a victim of phishing.

Phishing is a type of attack where a bad actor convinces someone to hand over sensitive information or install malware.

There are two broad types of phishing attacks.

The first is the malicious email attachment. In this scenario, when you click the attachment, malware is installed on your machine when the attachment opens.

Then, there are also malicious links, which are clones of legitimate ones. The login pages will contain scripts to gather login credentials.

Around 91% of all cyberattacks begin with a spear-phishing email, and the frequency of these attacks continues to rise. Between 2019 and 2020, for example, the number of phishing attacks almost doubled.


There Are Several Types of Phishing Attacks

There are a lot of types of phishing attacks, some of which include:

  • Email phishing: These attacks represent the majority of all general phishing attacks. With email phishing, the bad actor will usually register a fake domain that mimics that of a real organization. Then, the attacker can send out thousands of requests. Cybercriminals will often change just one character in the fake domain.
  • Spear phishing: This is a more sophisticated form of this type of attack that also involves email. In these attacks, malicious actors don’t send out emails broadly. Instead, they targeted emails to a specific person. A cyberattack has to take the time to gather information about the victim, like their name and place of employment, as well as detailed information about their role.
  • Whaling: These attacks are even more targeted than spear phishing, and the victims are senior executives and high-value targets. The ultimate goal is the same as other types of phishing, but this technique can be tough to spot. One specific example of whaling attacks is the sending of fake tax returns. Tax forms are very valuable in the eyes of a cybercriminal because of all the private information they contain.
  • Smishing: In a smishing attack, a criminal will send a text message, but otherwise, it’s similar to an email attack.
  • Vishing: In a vishing scam, there’s a phone call rather than an email or text. The criminal will get payment information from the victim for various reasons.
  • Angler attacks: Relative to other types of phishing, an angler attack is somewhat new. Angler attacks use social media to dupe victims. In angler phishing, criminals can use cloned sites, posts, and tweets to convince victims to give up personal information or download malware.

Some Factors Can Make Your Organization More Vulnerable to Attack

You can also divide these types of attacks into different categories. For example, domain spoofing can be one category. In domain spoofing, an attacker will make websites and emails look legitimate. The URL will be just close enough to fool victims.

CEO fraud is another particular type of phishing. Cybercriminals will pretend they’re a company CEO or executive. They’ll then send emails to lower-level employees, usually asking for personal information of some kind.

When your employees aren’t working from one centralized office, which is frequently the case in the modern environment, it puts your organization more at risk of phishing.

Similarly, when you’re scaling your business, these cybersecurity risks and threats tend to go up. Every new user or app you’re adding creates security gaps that can potentially be taken advantage of.

What Damage Can These Cyberattacks Do?

The damage a successful phishing attack can do is almost limitless.

First, when you’re the victim of one of these attacks, it can damage your public brand and the sense of trust customers and partners have in you. It can be difficult for your brand to recover from the embarrassment of a large-scale phishing attack. Even if your brand can recover, it can take years to do so.

There’s a loss of data that occurs, and you often have direct monetary losses stemming from phishing.

Phishing affects an organization’s productivity. You will likely have a period of business disruption as you try to recover lost data and investigate the breach. Your employees’ individual productivity will be affected during this time.

If your customers’ sensitive information is stolen and winds up in the public domain, then you can be held responsible. You may face regulatory fines for not protecting your customers’ data.

Moreover, a successful phishing attack can lead to the theft of intellectual property, leading ultimately to a loss of company value.


Train Employees to Be Alert to Attacks

Proactively training your employees and having effective policies in place are among the most important things you can do to prevent a successful phishing attack in your business. Human error is the most common reason that phishing attacks are successful.

In general, when it comes to training employees to prevent phishing, remember the following:

  • Creating awareness is one of the cheapest, easiest, and most effective things you can do. Your employees need to know what the threats are, how to respond to them, and their overall role in cybersecurity. Regularly train and re-train employees on phishing and how it happens. You can create awareness among employees in different ways. For example, you can have speakers who educate employees or you can provide phishing email training.
  • Conduct phishing simulation training. This is an effective method of training employees, and it’s becoming more common. With phishing simulation training, your employees get the opportunity to see what actual attacks look like, and it can be eye-opening for employees.
  • Remember that cybersecurity training is not one and done. Certainly, neither is phishing-specific training. Every quarter is the minimum interval you should be providing training on phishing and cybersecurity. The threat landscape changes quickly, and training needs to keep up.
  • When it comes to training, be sure to include your senior executives and company owners as well. As we mentioned above with whaling and similar attacks, many bad actors are looking toward high-value targets.

Use Tools to Help Prevent Phishing

There are some specific tools you can use along with training and policies to reduce the risk of phishing or minimize the effects if one of these attacks does occur.

Multi-factor authentication (MFA) is one example. MFA requires users to provide another form of authentication to prove their identity in addition to their password. Passwords can be relatively easy to steal or trick someone into giving away otherwise.

There’s another strategy called step-up authentication. Step-up authentication can protect sensitive information to prevent phishing. Users might be able to access some information without a second authentication factor. When they need access to more sensitive information, however, they must provide further authorization.

Some businesses wrongly assume single sign-on (SSO) will provide protection from phishing. In reality, the exact opposite can be true. If you have an SSO solution and there’s a phishing attack, it could cause more damage. This is because one set of stolen credentials can provide extensive access.

However, when SSO is implemented correctly, along with other elements like MFA and conditional access policies, it can provide robust protection. It just can’t do that if you’re using it as a standalone.

Zero Trust Can Help to Prevent Phishing Attacks

Finally, a Zero Trust security approach can help with the prevention of phishing and many other types of attacks, particularly in the distributed cloud environment. With Zero Trust, the network is always assumed to be dangerous, and threats can come not just from outside but also inside the network. In other words, actors within the network aren’t inherently trusted in a Zero Trust model.

If someone were to gain access to a network using stolen or phished credentials, they could then pose as the so-called approved user, attacking the entire network and moving laterally.

With Zero Trust, there is granular segmentation. Since no one is inherently trusted, even if someone were to gain access they still wouldn’t be given free rein. Zero Trust might not entirely prevent phishing attacks, but this model can significantly reduce the potential damage.

The bare minimum you should do going forward is use password complexity requirements and regular password changes. Then from there it’s much better to also add in multi-factor authentication and conditional access policy.

Then further strengthen all of these with Zero Trust approaches to cybersecurity.

To stay up-to-date about cybersecurity issues, browse our blog regularly for new articles.