The FBI regularly puts out public service alerts related to one of the most dangerous online threats that individuals and businesses face – Phishing.
One of the FBI’s latest phishing warnings from March 20, 2020 is about scammers leveraging the COVID-19 pandemic to send out phishing emails about multiple subjects. In fact, phishing has increased more than six-fold during the pandemic.
This has caused an uptick in the need for virus removal and other computer repairs for businesses in Connecticut and the rest of the country. Many unsuspecting users have fallen prey to phishing scams promising coronavirus-related cures or information.
Even without a pandemic, phishing is the main delivery mechanism for malware, viruses and links to pages designed for credential theft. That is because it relies on the human factor for detection if it is not stopped by other means. Humans are susceptible to being tricked by the scams that continue to get increasingly better.
1 out of every 99 emails is a phishing attack and nearly 30% of phishing emails make it past default security.
Any business that wants to ensure that is doesn’t fall victim to a data breach, ransomware attack or malware infection should have phishing protection front and center in their cybersecurity plan.
Protect Your Business from Phishing Attacks
Adding anti-phishing safeguards are just like any other part of cybersecurity best practices. You want to take a layered approach so that if one doesn’t catch it, the others will. Each critical tactic described below works together to provide a full ring of protection against phishing attacks.
We will start with system protections and then go into user-based protections.
Add Security Software to All Computers & Mobile Devices
All devices in your organization or any that access your business data that may be employee-owned should be protected with software. Anti-malware/antivirus software can help stop a malicious file attachment that a user accidentally downloads from being allowed to run.
Use DNS Filtering
Approximately 85% of phishing emails use links to malicious websites rather than a file attachment. This is to help them fly under the radar and not get caught in an antivirus program.
To defend against those malicious links, DNS filtering is used. It reviews websites before directing your browser and if it sees a dangerous site, it will block it and send you to a warning page instead.
Deploy Application Whitelisting
While blacklisting stops programs that you have identified as malicious from running, whitelisting goes a step further. It only allows designated applications to run and blocks all others even if you have not specified them.
Enabling application whitelisting on a next-gen firewall or other advanced threat protection (ATP) application can be a strong prevention to keep malicious code from executing system commands.
Hover Over Links Before Clicking
An age-old tactic for detecting phishing is to hover over the link without clicking it to reveal the true URL. This still works and can help the user to quickly spot a fake email.
Whether the link is a button, text, or shortened URL, hovering over it with your cursor can easily reveal the scam.
Look for Inconsistencies or Poor Grammar/Spelling, etc.
Phishing has become much more sophisticated so it’s not as easy to spot grammar and spelling mistakes. However, you may still find them by looking for any inconsistencies.
An example would be a slightly misspelled URL in the “from” area of the email. It might be from an address like “worldheathorganization.net” (notice the “L” is missing from the world “health”).
These misspellings take a little more time to spot, so it pays to look at every email from an unknown party very carefully.
Be Suspicious of Anything Out of the Ordinary
Did you receive a “purchase order” from a company you have never heard of?
Get an email asking you to review a new company coronavirus policy but never heard any colleagues talking about it before?
You should default to being suspicious about an email rather than defaulting to trusting it. This change in approach can help you more easily spot fakes and take the time to verify them before clicking anything.
In the case of the mysterious PO, double check with your sales team or other colleagues to see if they were expecting it. Look up the company online to see if it is legitimate.
For unexpected emails that purport to be from within your company, take the time to double check by phone or video chat with a supervisor or colleague to ask if it is for real.
Put a Reporting Mechanism in Place
If one employee gets a phishing email, there is a good chance that everyone else in your organization will as well. If savvy users that detect and avoid phishing are not sharing information centrally, the other users will not know to be on the lookout for that scam.
Give users a place where they can forward suspected phishing emails and then send alerts regularly to all employees about known phishing attacks so they can watch out for them.
Provide Ongoing Phishing Awareness & Drills
It is easy for employees to get comfortable and relax their cybersecurity defenses if you don’t continually keep it at the front of their minds.
Businesses should conduct ongoing cybersecurity awareness training that includes anti-phishing tactics. It is also a good idea to do phishing drills where fake (safe) phishing emails are sent unexpectedly to employees so they can be gauged on how well they can spot and avoid them.
Need Help Keeping Your Users Phishing Aware?
Sound Computers has security experts on staff with over 20 years of combined technology experience. We will help you put a strong phishing awareness program and security infrastructure in place.
Contact us today to schedule a free consultation. Call 860-577-8060 or reach us online.