What to Do If You Responded to a Phishing Email in 2022 | Inspired eLearning Blog (2024)

While phishing comes in many forms, such as through text messages or phone calls, email is one of the most widely used channels of communication, especially in business.

A phishing email is a false email message where fraudsters impersonate a legitimate source or someone you trust in an attempt to trick you into downloading malware, giving confidential information, or wiring money.

More employees, or even executives, fall victim to phishing attempts than you might think. Cisco’s Cybersecurity 2021 Trends Report mentioned that over 90% of data breaches are attributed to phishing incidents.

The standard phishing attack focuses on quantity instead of quality. In these attempts, hackers launch an attack on a lot of targets at once, with a minimal degree of personalization. It’s rare for scammers to attempt a pure phishing attack, one that doesn’t rely on malicious links or attachments, without research and personalization.

That said, the scammers behind these phishing emails have been improving at a frighteningly rapid pace, especially in the past decade. Although they still produce your standard spam emails, this spray-and-pray method also includes some very convincing messages that might sometimes slip through your spam filters.

IC3’s latest cybercrime report shows that phishing has the highest victim count among cybercrimes reported in the US for three years running, with spear phishing being one of the most used strategies.

With today’s email users being more proficient at avoiding scams, fraudsters are moving on to more sophisticated strategies. That means more convincing messages, backed by a plausible scenario, appropriate formatting, and various social engineering techniques, that can fool employees who are used to seeing legitimate emails with similar formats land in their inbox.

The best way to prevent phishing is through proper training. Keep your organization safe with security awareness training through Inspired eLearning today.

The best-case scenario is that you and your employees have received enough training to recognize phishing messages from miles away. However, with how convincing phishing emails can be (yes, even from “people you know”), it’s not unheard of for an accident to happen, especially when responding quickly or on mobile devices.

Understanding what you need to do after a successful phishing attack will help you minimize the damage. Here are a few steps that you need to do if you realize or suspect that you’ve fallen victim to a phishing email.

1. Change your account passwords.

This is especially necessary if you’ve encountered a phishing attack that spoofed a login portal. The email may have contained a link that redirected you to a page that looked familiar and asked you to log in so you could proceed. Although it may have seemed legitimate at first glance, logging in on this fake page may have sent your login credentials to the attacker.

If that’s the case, once the cybercriminals get your credentials, they will try to use them to enter other known accounts. We don’t recommend using the same password, or one with slight variations, for multiple accounts, but it happens. If this is the case with you, you need to hunt down those accounts and change the passwords before they’re compromised.

2. Report phishing immediately.

Phishing attacks are frequently carried out in bulk, meaning they are sent out to a large number of people at once. Usually, the attack targets personnel with the same traits. If they’re targeting your organization, scammers might send a phishing attack to all known employees, vendors, or customers of your organization. Reporting the incident as soon as possible can prevent more accounts from being compromised.

Report phishing attacks to your IT service desk or according to your organization’s cyber incident response policies (CIRP). Immediate reporting of the incident will help the information security team to start gathering information about the attack.

3. Investigate the phishing attack.

It’s important to determine how widespread and severe the attack is. IT teams need to launch a preliminary investigation into the phishing incident as soon as it’s reported. Other than checking how many people were hit by the attack, it’s important to purge the phishing email from users’ inboxes.

Consequences of phishing can vary, ranging from compromising the user’s email account to the attacker having unauthorized access to the organization’s network. Your IT team should also investigate affected users’ computers or associated networks, as there’s a possibility for malicious programs to be installed during the attack.

Meanwhile, phishing attack victims should be wary of identity theft. If necessary, they can ask for their other accounts to be blocked or monitored for unusual activities. If the phishing email came from a known associate, the owner of that account should be notified as well, as there’s a possibility that they’re also a victim of a cyberattack.

4. Include the necessary regulatory authorities and law enforcement.

Certain standards and cybersecurity laws require organizations to disclose phishing attacks within a certain time frame once the incident is first discovered.

For example, organizations in the healthcare sector have to make sure the incident is handled according to the Health Insurance Portability and Accountability Act (HIPAA) regulations in order to assure continuous compliance.

Depending on the severity of the damage caused, it may be necessary to file a case with the proper law enforcement agency, such as IC3.

5. Talk to your IT team about remediation strategies.

In order to prevent other incidents, organizations need to ensure that employees are well-informed about methods likely to be used by attackers. Thorough security education and training will help to make sure employees are ready. Internal phishing scam simulations are quite effective at helping your employees spot phishing emails and avoid them.

While email service providers, such as Microsoft Outlook, Gmail, and Apple, might have basic spam filtering, it’s not enough considering the loss you could face from a single successful phishing attempt.

Your IT team might also want to adopt proper technical safeguards, such as blocking phishing emails with email security approaches like email filtering, sandboxing, machine learning models and browser isolation.

After you’ve dealt with the issue, it’s easy to fall into a false sense of security and forget about your recent incident. However, protecting yourself and your data from future phishing attacks is even more critical, especially after you just proved that your system is vulnerable to suspicious emails. Here are some tips to help prevent future phishing accidents in your company.

Learn what a phishing scam looks like.

Technical safeguards, such as a secure email gateway, anti-malware software, or sandboxes, can help reduce the volume and risk of phishing attacks. However, if your employees are trained to detect phishing emails, you can eliminate any window of opportunity for hackers to attack in the first place.

This is where effective security awareness training comes in. Regular security awareness training helps your employees keep up with current trends in the cyberthreat landscape. This introduces them to what’s at stake and shows common patterns to help them better recognize a phishing attempt in the future.

In addition, consider using phishing simulations to gauge your employees’ comprehension of phishing emails and stay up to date on the latest phishing patterns used by attackers. Being aware of the patterns—and common examples—will help employees develop an instinct to help them detect phishing attempts. With a phishing simulation, you can train your employees, without the risks of an actual phishing attack. Tools like Inspired eLearning’s PhishProof™ can help.

Don’t click on links in emails or instant messages.

Refrain from clicking links, whether on your PC or mobile devices, especially if the message is unprompted or uncharacteristic.

Consider typing them into your browser instead. This way, you’ll be able to catch unusual errors in the link, which might be a sign that the link is actually redirecting to a lookalike.

Scammers might also write a legitimate link but hyperlink it to a different source. If you’re using your PC, you can verify that this is not the case by hovering over the link to see the destination.

Download anti-phishing and antivirus software.

Technical safeguards implemented by IT teams can reduce the volume of phishing emails users are exposed to as well as the risk of future phishing attacks. In this case, anti-phishing software can help tag possible phishing emails, according to various analyses. Depending on which platform is being used, your software might even be able to remove the email entirely from your users’ inboxes so they don’t see it, and notify your IT security team.

Antivirus software will help you detect and quarantine malware if it makes its way into a device. That said, this won’t be effective against zero-day attacks or malware that’s not listed in the database. However, installing an antivirus still helps stave off most of the risk that comes with phishing emails.

Update your passwords regularly.

Changing your passwords on the regular can prevent your old credentials from being used by phishers.

That said, who has the brain capacity to remember a million passwords, for multiple accounts, and keep track of which passwords you’re using right now?

If, like most people, you find it too hard to remember so many different passwords for different accounts, you can always use a reputable password manager to store that information. Additionally, when it’s time to change your passwords, most password managers can generate a random one that will fulfill security requirements.

Install firewalls.

A firewall acts as a barrier between your company network and the outside world. IT teams should implement firewalls to make sure that anyone using your network isn’t led to a possibly malicious URL.

Avoid giving out important information unless it is necessary.

If an email asks you to go to a website to update any personal information, check the link and make sure that it’s legitimate before filling in any sensitive information, such as your social security number, credit card number, or bank account number. If you’re at all suspicious, go with your gut and err on the side of caution. Check in with the company behind the email or the website in question and verify the email’s legitimacy beforehand.

This also applies to any other data, especially sensitive company information. Avoid sending important information via email, especially if it’s unprompted, unexpected, or there’s a tone of urgency to the request. Instead, follow up with the relevant party through a secondary channel of communication you usually use.

While it is true that phishing attacks are more advanced and sophisticated, the main objective that hackers are after has always been the same: access, data, or money. And everything comes at the expense of you or your organization.

That said, it’s important to acknowledge that attackers move with the times. The methods will evolve and what works now might be obsolete in the future.

It’s necessary to stay up to date with how phishers work and how to prevent their attacks. Other than making sure your IT security team is up to the task, employees need to be aware of the security threats they might face as well.

Regular security awareness training, like the packages offered by Inspired eLearning, is necessary to keep up with cybersecurity trends.

Even if you’re not ready for a full-blown training program, you can review these security tips and share them around the office to make sure that your employees are at least aware of the basics of good cybersecurity hygiene.

Article information

Author: Nathanial Hackett
