EXECUTIVE SUMMARY:

Millions of new phishing threats emerge annually. It’s no secret that organizations are struggling to keep up with the high volume of attacks. Where does this leave us?

Since March of 2020, global cyber security researchers have observed an 81% increase in phishing attacks. Roughly 20% of the workforce may unintentionally click on phishing-related content, and of that group, statistics indicate that nearly 67% will provide credentials to hackers. The probability of compromise is nontrivial. Is your business applying every possible cyber security best practice to prevent phishing?

10 of the best anti-phishing practices

Prevent attacks from slipping through systems unnoticed. Here’s how:

Email security. You need email security. Implement email security solutions that can easily layer into existing cyber security solutions, and that can detect the most sophisticated of cyber attacks. This type of software is designed to prevent malicious emails from hitting end-users’ inboxes. In addition, consider a solution that provides sandboxing capabilities, that is, the practice of quarantining suspicious URLs and other potentially malicious content and detonating them in isolation before they reach a user.

Stop spam. More than 5 billion spam messages make their way around the globe every day, representing roughly 45% of all emails. As these emails can contain malicious links, limit the number of spam emails that your employees receive. While there isn’t a silver bullet when it comes to stopping spam, apply anti-spam technologies that analyze known and emerging distribution patterns and that can block threats.

Security policies. Business Email Compromise (BEC) is a tactic commonly used by cyber criminals, and it involves the impersonation of a business’s CEO, CFO, CTO or another trustworthy individual. Upon impersonating the high-level employee, the BEC scammer makes believable requests to other employees, asking them to transfer funds, change billing details, etc.

Sidestep BEC scams by decentralizing your business’s approval process. In small to mid-sized companies, the approval process is often highly concentrated, and there are not many who are authorized to give a green light for projects and requests. If at least two individuals are required to approve something, BEC scams will be more easily identifiable.

Review password policies. Cyber criminals are often after user credentials. Because people commonly recycle passwords across business accounts, a stolen password (combined with “password spraying”) can lead to widespread account access, and can allow hackers to disappear with extensive volumes of data. Consider requiring business passwords of a certain character count, remind teams to avoid sharing passwords, and implement technology that can catch corporate password reuse.

Authentication systems. You can set up authentication systems to identify certain IP addresses, countries and devices as red flags. For example, if you know that your organization does not have any employees in Croatia, you can set filters to flag any requests coming from the country.

With certain technologies, you can also configure systems to alert on “impossible travel”: an access request that arrives from a location the user could not physically have reached in the time elapsed since their last known location.
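The two checks described above (an unexpected country and impossible travel) as an added example that is not part of the original article. It assumes the organization has no staff in Croatia, as in the article, and that anything faster than roughly 900 km/h between consecutive sign-ins is implausible; the sign-in events are constructed sample data.

```python
"""Flag sign-ins from an unexpected country and "impossible travel" between
consecutive sign-ins by the same user (added example, not from the article)."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Assumption: the organization has no employees in Croatia (article's example).
UNEXPECTED_COUNTRIES = {"HR"}
# Assumption: faster than an airliner, with no allowance for transit, is implausible.
MAX_PLAUSIBLE_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def flag_signins(events):
    """events: dicts with user, ts (ISO 8601), country (ISO 3166 alpha-2), lat, lon.
    Returns a list of (user, ts, reason) alerts in user/time order."""
    alerts = []
    last_seen = {}  # user -> previous sign-in, so consecutive events can be compared
    for ev in sorted(events, key=lambda e: (e["user"], e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["country"] in UNEXPECTED_COUNTRIES:
            alerts.append((ev["user"], ev["ts"], f"sign-in from unexpected country {ev['country']}"))
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # A location change with zero (or negative) elapsed time is also impossible.
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((ev["user"], ev["ts"], f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last_seen[ev["user"]] = ev
    return alerts

# Constructed sample: alice signs in from New York, then from Lagos one hour later;
# bob signs in twice from London, then from Zagreb 4.5 hours later.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2022-06-01T09:00:00", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "ts": "2022-06-01T10:00:00", "country": "NG", "lat": 6.52, "lon": 3.38},
    {"user": "bob", "ts": "2022-06-01T08:00:00", "country": "GB", "lat": 51.51, "lon": -0.13},
    {"user": "bob", "ts": "2022-06-01T17:30:00", "country": "GB", "lat": 51.51, "lon": -0.13},
    {"user": "bob", "ts": "2022-06-01T22:00:00", "country": "HR", "lat": 45.81, "lon": 15.98},
]

if __name__ == "__main__":
    for alert in flag_signins(SAMPLE_EVENTS):
        print(alert)
```

Bob's London-to-Zagreb hop is geographically plausible and is reported only because of the country rule, while Alice's New York-to-Lagos hop trips the travel rule; in production the thresholds would be tuned to the organization's travel patterns and VPN egress points.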

Endpoint security. In addition to email security, endpoint security can help scan incoming messages for malware.

Real-time notifications. Consider implementing tools that allow for real-time security notifications. If your software only checks links against phishing databases every 24 hours, chances are that your tools have missed quite a few threats. Instant feedback can help security admins and individual users alike, and can facilitate the optimization of day-to-day threat prevention strategies.

Protection for all devices. Hand-held devices often fly under the radar when it comes to cyber security. But your phishing protection solution and/or email security solution should enable you to protect corporate-owned devices. In some cases, you may be able to offer protection to employees who use personal devices for work purposes.

Employee vigilance. Employees can be your best defense or your weakest link. Ensure that employees have the knowledge and tools to prevent phishing across electronic environments. Hold security awareness education and information sessions on a regular basis. Be sure to communicate your message in a dynamic and interesting way that’s relevant to end-users. The end-goal is employee behavior modification.

The feedback loop. If you’re reading this article and you don’t work in IT or cyber security, then depending on your role, you may want to connect with these departments regularly in order to keep a pulse on phishing emails, incidents, monitoring and potential areas of improvement.

Summary

You deserve the best security in 2022 and beyond. Start with following best practices around phishing. And be sure to see our other phishing-focused content here and here.

Discover additional phishing related content throughout this week, right here on CyberTalk.org. #PhishingWeek2022.