Employees can unknowingly fall prey to a phishing attack with just one click, and that one click can shake a business to its foundation. The average cost of a single data breach worldwide in 2019 was $3.92 million (IBM's 2019 Cost of a Data Breach report), and phishing was involved in 32% of breaches, according to Verizon's 2019 Data Breach Investigations Report.

It’s up to your company to educate your employees on how to identify malicious emails. In this article, we’re sharing five ways to protect your employees from phishing attempts.

What is Phishing?

Phishing is a type of cyberattack in which an attacker sends an email containing a link or document that looks legitimate but is designed to steal information. The email appears to come from a trusted source (e.g., your bank, a colleague, a well-known company). Once someone clicks the malicious link, he or she is prompted to enter credentials or other confidential information on a page the attacker controls; the link or attachment may instead download malware onto the employee's device. Either way, the employee can hand the attacker exactly what is needed to get into important company accounts without ever realizing what happened.

Types of Phishing

Phishing can take different forms, from generic to highly targeted. It's important to understand the differences in order to respond properly to a phishing attack. Here are the four main types of phishing attacks and a brief description of each attack's goal.

  • Phishing—Generic attempts via email to acquire sensitive information by tricking users.
  • Vishing—Voice phishing: cold calls to an organization that attempt to trick the person who answers into performing some action or revealing information.
  • Spear phishing—Targeted phishing attempts aimed at specific individuals or groups within an organization, where the attempts are personalized to increase credibility.
  • Whaling—Highly targeted attempts, using email as the communication medium to gather sensitive information from high-value individuals within an organization.

The Anatomy of a Phish

Phishing attacks are cybercrimes conducted through email, telephone, or text messages, typically performed by a cybercriminal posing as an institution or a trusted person to trick individuals into handing over personal information, banking or credit card details, and other sensitive data. Cybercriminals use this data to access bank accounts and steal identities. The following is a brief overview of the anatomy of a phishing attack and what IT can do to help prevent, detect, and respond to phishing campaigns.

At a high level, it helps to focus on how a threat actor gains an initial foothold on a company's systems before pivoting to harvest sensitive data. The steps below outline how that process typically works from the attacker's side.

  • Research the Company—Initial research is done on the target company to understand its organizational structure, business drivers, vendors, employees' social media content, and other public information.
  • Obtain a List of Emails—Once the company is understood and a phishing approach chosen, the attacker harvests publicly available email addresses and generates likely ones from known employee names by applying the company's address format (first.last@, flast@, and so on).
  • Decide Where the Email Should Originate—With knowledge of the company, its personnel, and a list of email addresses, the next step is deciding where the email should appear to come from. This often involves purchasing a domain name similar to the target company's, or to that of a business the company works with.
  • How to Mangle a Domain—Mangling a domain is a common technique phishermen use when they want a message to look as if it came from someone at a given company. It can be done with several tools and consists of generating a list of known ways to mistype or visually alter a domain (swapped, dropped, or doubled letters, look-alike characters, a different top-level domain) while keeping the result close enough to the original to pass a quick glance.
  • Strategize What You Want Phishing Targets to Do—A common approach is to clone a familiar website, such as the login portal the target company's users authenticate to, or to craft a document carrying malware that someone inside the company would plausibly open.

How to Protect Your Employees from Phishing Attacks

1. Conduct a company-wide cybersecurity training.

Security-savvy employees are your primary defense against phishing attacks. Creating a mandatory company-wide security training goes a long way in protecting your company’s data. Implement this training into your onboarding procedure with regularly scheduled refresher courses to follow.

Keep in mind that security education doesn’t have to be boring or formal. Your program will be more effective if you find ways to engage your employees. If they perceive the exercise as a mandatory session that they need to “get through,” your lessons will fall on deaf ears.

Training should cover best practices, but you shouldn’t stop there. Ensure that your employees know what to do if they notice something suspicious and the steps to take to alert management of the issue.

2. Teach employees how to identify a phishing email (and quiz them).

The most critical element of protecting employees from phishing attacks is to teach them how to identify phishing emails quickly. Because hackers use real company logos and add small details to make their emails seem legitimate, red flags can be difficult to spot if you don’t know what you’re looking for.

Here are a few elements used to identify phishing emails:

  • Typos and poor formatting. Obvious spelling errors, odd grammar, or broken layout in a message that claims to come from an established company are a tip-off. Treat this as one signal rather than proof: targeted phishing is often carefully written, so a clean message is not automatically safe.
  • No specific greeting. If the message is generic (i.e., it doesn't use your name or any identifying information), this can be a sign of a mass phishing campaign, where the same email is sent to many people in the hope that someone bites. Spear-phishing messages, by contrast, are often personalized, so a personal greeting alone proves nothing.
  • Mismatched sender address. Look at the actual sender address, not just the display name, to judge whether the message came from a legitimate source. A reputable company sends from its own domain (e.g., example@linkedin.com), whereas an imposter will use an altered look-alike address (e.g., example@linkedin123.com) or a free webmail account, if they bother to make the address look authentic at all. Bear in mind that the From address itself can be forged; checks such as DKIM (covered later in this article) exist to catch that.
  • Unsolicited attachments or information requests. Legitimate companies do not send attachments you didn't ask for, nor do they request passwords, account numbers, or other sensitive information via email.
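As an added example (not code from the original article), the checks in the list above can be turned into a small script that reads a raw message and reports the red flags it finds. It assumes the receiving organization's domain is example.com and that the mail gateway stamps an Authentication-Results header before delivery; the two messages at the bottom are constructed for this example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the receiving organization's own domain

# Attachment types a legitimate, unsolicited business email rarely carries
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk")

# Greetings typical of mass campaigns that do not know the recipient's name
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear valued", "dear sir")


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' if none)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower() if "@" in email_addr else ""


def phishing_indicators(raw: str) -> list[str]:
    """Apply the red flags from the article to one raw message; return them as strings."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    from_hdr = str(msg.get("From", ""))
    display_name, from_addr = parseaddr(from_hdr)
    from_dom = sender_domain(from_hdr)

    # Display name name-drops our domain while the real address is somewhere else
    if OUR_DOMAIN in display_name.lower() and from_dom != OUR_DOMAIN:
        flags.append(f"display name mentions {OUR_DOMAIN} but address is {from_addr}")

    # Reply-To pointing at a different domain than From: replies go to the attacker
    reply_dom = sender_domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Gateway verdict (assumed header): a failed SPF/DKIM/DMARC result is a spoofing signal
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            flags.append(f"{mech.upper()} check failed at the gateway")

    # Generic greeting instead of the recipient's name
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower().lstrip() if body is not None else ""
    if text.startswith(GENERIC_GREETINGS):
        flags.append("generic greeting (no recipient name)")

    # Unsolicited attachments of risky types
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {name}")

    return flags


# Constructed sample: a credential-phish with every red flag present
SAMPLE_MESSAGE = """\
From: "IT Helpdesk example.com" <helpdesk@examp1e.com>
Reply-To: recovery@mail-recovery.net
To: alice@example.com
Subject: Password expiry notice
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user,

Your password expires today. Open the attached form to keep your account.
--b1
Content-Type: application/octet-stream; name="password_form.docm"
Content-Disposition: attachment; filename="password_form.docm"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed sample: ordinary internal mail that passes every check
CLEAN_MESSAGE = """\
From: Bob Smith <bob@example.com>
To: alice@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
MIME-Version: 1.0
Content-Type: text/plain

Hi Alice, still on for lunch at noon?
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, phishing_indicators(raw))
```

None of these checks is conclusive on its own; the script reports a list rather than a yes/no so that a gateway rule or an analyst can weigh them together, which mirrors how the training above tells employees to read a message.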

Add a quiz into your training to test your employees’ skills. Show example emails and ask them to identify if the email is authentic. This quiz is a great opportunity to add an engaging element to your security education. For example, make a game of it and recognize employees who answer correctly or participate with the most enthusiasm.

3. Show real-life examples of data breaches caused by phishing.

To help employees understand what you’re up against, show real examples of companies that have suffered a data breach as a result of a phishing email. Your employees will learn the most powerful lessons through raw data: dollars lost, people affected, damage to the company, and other tangible facts.

It isn’t that your employees don’t care about the company’s security; however, without seeing what could actually happen, they may feel as though this training is more of a formality than a necessity.

4. Use trusted antivirus software and ensure it’s routinely updated.

Mistakes happen. Even with excellent security training, an employee could accidentally fall for a phishing email. If that happens, you'll want robust antivirus software installed on your devices.

Remember that antivirus isn't a set-it-and-forget-it solution. Always ensure that your software is updated and running at its best. Your IT department or service provider should keep an eye on antivirus for all of your company's devices; if some employees use personal devices for work, your IT team will need to ensure those devices are protected as well.

5. Make sure executives are involved in your security initiative.

A gap in many security programs often occurs with higher-level management. Though those are the teams that arrange for security training to take place, they are also often left out of the training. It’s assumed that they don’t need it or that they have more pressing issues to focus on.

Executives without security training are a serious liability to any company. Because they have the highest level of access to confidential data, attackers target senior employees specifically, in what is known as a whaling attack. Everyone in the company, from the very top to the very bottom, should be included in security training.

As phishing attacks become increasingly more sophisticated, it’s vital that your employees know what they’re up against. Through understanding the possible effects of a breach, employees will feel ownership over protecting the company’s data from being exploited.

Phishing - Frequently Asked Questions

Why Site Cloning?

Site cloning is a popular tactic used by phishermen: a login portal is copied, hosted on a threat actor's server, and modified slightly so that whatever a user types as a username and password is sent back to the attacker. Alternatively, the threat actor can include on the cloned site an exploit they believe will be effective. Email portals, remote access portals, social media login portals, and anything else a user may log in to are good choices.

Why Documents with Malware?

Malware within electronic office documents is another popular tactic used by phishermen: a purportedly legitimate document contains malicious code that triggers either when the user opens the document or when the user is persuaded to enable macros. Macros, and exploits for recent vulnerabilities in Microsoft Office, Java, Adobe products, and other common third-party software, are used to conduct successful phishing campaigns.
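As an added example (not from the original article), here is a gateway-side check for the macro-enabled documents described above. A modern Office file (.docx, .xlsx, .pptx) is a zip archive; the macro-enabled variants carry a vbaProject.bin part and declare a macroEnabled content type in [Content_Types].xml, and neither changes when an attacker renames file.docm to file.docx. The archives built by build_office_doc are constructed stand-ins, not real Word files.

```python
import io
import zipfile

# Marker found in the main content type of macro-enabled OOXML documents,
# e.g. application/vnd.ms-word.document.macroEnabled.main+xml (Word) or
# application/vnd.ms-excel.sheet.macroEnabled.main+xml (Excel)
MACRO_ENABLED_MARKER = "macroenabled"


def contains_vba_project(data: bytes) -> bool:
    """True if `data` is a zip-based Office document carrying a VBA macro project.

    Looks inside the container rather than at the filename, so a .docm renamed
    to .docx is still caught. Non-zip input (legacy .doc, PDF, ...) yields False.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lname = name.lower()
                # The compiled macro project itself (word/, xl/, ppt/ prefixes vary)
                if lname.endswith("vbaproject.bin"):
                    return True
                # The package manifest declaring a macro-enabled main part
                if lname == "[content_types].xml":
                    manifest = zf.read(name).decode("utf-8", "replace").lower()
                    if MACRO_ENABLED_MARKER in manifest:
                        return True
    except zipfile.BadZipFile:
        pass  # not a zip container at all, so this check has nothing to say
    return False


def build_office_doc(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped archive, with or without a macro project."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stub standing in for the OLE compound file that holds the VBA streams
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def attachment_verdict(filename: str, data: bytes) -> str:
    """Gateway-style decision: block macro-bearing documents whatever their extension."""
    if contains_vba_project(data):
        return f"block ({filename}: embedded VBA project)"
    return f"allow ({filename})"


if __name__ == "__main__":
    print(attachment_verdict("quarterly_report.docx", build_office_doc(True)))
    print(attachment_verdict("quarterly_report.docx", build_office_doc(False)))
```

This only detects that a macro project exists; it says nothing about what the macro does, and it does not cover the legacy binary formats (.doc, .xls) or exploit documents that carry no macros at all. It is a cheap first filter, not a substitute for patching and endpoint protection.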

How IT Can Help

An organization's IT department limits the damage of successful phishing attempts through education, technology, and policy, and should also work to stop phishing attempts before they reach users. Here are some of the methods and tactics an IT department should have in place.

  • Multi-Factor Authentication—All remotely accessible services that are facing the Internet should be secured with multi-factor authentication.
  • Employee Awareness—All employees should be regularly educated to raise their awareness of phishing attacks and what they look like.
  • Assessment of Training Effectiveness—Employees’ level of awareness can be assessed by conducting regular phishing campaigns internally or through a third party.
  • Keeping Systems Patched— In the event of a successful phishing campaign, having systems patched is critical to preventing the initial foothold of a threat actor.
  • Spam Detection—While not a cure-all, an email gateway with spam detection capabilities will have an impact on the amount of spam and phishing attempts that reach each end user.
  • Limit Access/Least Privilege—Users need access to do their jobs, but many companies suffer from access creep or allotting more permissions than needed for an employee to do their job effectively.
  • Visual Indicators for Employees—Additional visual cues should be in place to assist employees in identifying phishing attempts.

Cybersecurity Sense Podcast: Not All Phishing Assessments are Equal

LBMC's cybersecurity experts discuss social engineering via phishing and the difference in using phishing software solutions versus penetration testing services.


Here are best practices an organization can implement to stop phishing or limit the impact of a successful phishing attempt.

1. Multi-factor authentication

When a phishing expedition succeeds in tricking an employee into handing over login credentials, multi-factor authentication can still keep the attacker out. It adds an extra check when a system is accessed remotely: access is granted only after a correct username and password plus a second factor, such as a one-time code from an authenticator app or a hardware security key. A code sent by text message to the employee's phone is better than nothing, but it is the weakest option; an authenticator app resists interception better, and a security key bound to the real site cannot be replayed from a cloned login page. Some third-party services, such as Microsoft's Office 365, cannot be placed behind the company's own multi-factor remote-access gateway, but multi-factor authentication can usually be enabled within the third-party environment; in the case of Office 365, Microsoft documents how to set this up. Securing every Internet-facing service used by internal employees with multi-factor authentication can stop an attacker even after credentials have been compromised by phishing.

2. Employee awareness

Educate employees regularly to raise awareness of what phishing is and how it threatens the business. Make phishing training mandatory for every user who interacts with computer systems. Online phishing quizzes can be used along with monthly phishing email reminders and visual reminders around the office (such as educational posters) to keep users aware of the phishing threats the organization faces and to help them recognize those threats when they show up in their inboxes.

3. Assess training effectiveness

Conduct regular phishing assessments to evaluate whether your phishing training is effective. An assessment should look at the various types of phishing: general campaigns (phishing), calling employees by phone for requests (vishing), targeting a handful of users (spear phishing) and targeting C-suite executives (whaling). Metrics from a simulated phishing campaign can highlight areas where training can be improved or identify employees who need additional help.

4. Keep systems up-to-date

Make sure that corporate information systems are up to date for both operating system and application patches. It's common for attackers to gain remote access to a system through unpatched vulnerabilities, for example when a user opens a malicious attachment that exploits a flaw in the document viewer. Regular patch audits of all software on your systems, to check that updates are current, can keep an intruder's payload from executing successfully even if a user was initially tricked.

5. Maintain backups

Make sure that working backups of corporate information systems are maintained, meaning backups that have gone through a verification process showing they can be restored successfully. Keep at least one copy where a compromised user account or workstation cannot reach it (offline or otherwise isolated), since ransomware commonly encrypts any backups it can find. With that in place, a business can recover quickly from a ransomware attack, which would otherwise leave corporate data encrypted and unusable by its owner. Data can sometimes be recovered after a ransomware attack even without backups, but with verified, isolated backups there is no question about whether it can be restored.

6. Spam detection

While not a cure-all, an email gateway with spam detection will reduce the amount of spam and phishing that reaches end-users. Keeping excess spam out of inboxes also prevents message fatigue and makes it more likely that users will spot a phishing attempt that does make it through.

7. Limit access

Limit access to system resources and do not grant users overly permissive administrator rights or rights to mapped file systems. Limiting user permissions will lessen the impact of a phishing attempt in the event a user is tricked.

8. Use scripts to identify mangled domains

As a reminder, a mangled domain is one where a domain such as falseinc.com is subtly but intentionally mistyped to something like fa1seinc.com. Attackers commonly buy these domains knowing that employees are less likely to notice the company name misspelled by a single character. To identify them, tools such as dnstwist and urlcrazy will generate mangled variants of your company's domain, which you can use to build a block list for your email gateway (and to watch for registrations of those variants). Alternately, the word EXTERNAL can be added to the subject line of any email coming from a mistyped version of your domain, or of every email from an external source. This serves as a visual indicator to help users identify possible phishing attempts and lessens the likelihood that an attack will succeed.
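As an added example serving both the "How to Mangle a Domain" step in the anatomy section above and this section (it is not dnstwist, urlcrazy, or any code from the original article), the following generates the common classes of mangled domains for falseinc.com, the article's own example domain, and then applies the resulting block list and EXTERNAL tagging to sample senders. The substitution table, the lure suffixes and the gateway function are assumptions for illustration, and the generator assumes a single-label top-level domain (name.tld).

```python
# Visually similar substitutions attackers rely on (a small subset of what dnstwist uses)
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"], "g": ["q"],
}
ALT_TLDS = ["net", "org", "co", "biz", "info"]
LURE_SUFFIXES = ["-login", "-secure", "mail", "hr", "payroll"]  # assumed lure words


def mangled_domains(domain: str) -> set[str]:
    """Return look-alike variants of a registrable domain (name.tld) that a reader might misread."""
    name, _, tld = domain.lower().rpartition(".")
    out: set[str] = set()

    # Homoglyph substitution: falseinc -> fa1seinc, fals3inc, ...
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(f"{name[:i]}{sub}{name[i + 1:]}.{tld}")

    # Omission: falseinc -> faseinc
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")

    # Transposition of adjacent letters: falseinc -> fasleinc
    for i in range(len(name) - 1):
        out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")

    # Doubled letter: falseinc -> fallseinc
    for i in range(len(name)):
        out.add(f"{name[:i + 1]}{name[i]}{name[i + 1:]}.{tld}")

    # Hyphenation and lure suffixes: false-inc.com, falseinc-login.com
    for i in range(1, len(name)):
        out.add(f"{name[:i]}-{name[i:]}.{tld}")
    for suffix in LURE_SUFFIXES:
        out.add(f"{name}{suffix}.{tld}")

    # Wrong top-level domain: falseinc.net, falseinc.co
    for alt in ALT_TLDS:
        if alt != tld:
            out.add(f"{name}.{alt}")

    out.discard(domain.lower())
    return out


def gateway_action(sender: str, subject: str, our_domain: str, blocklist: set[str]) -> tuple[str, str]:
    """Decide what the mail gateway does with one message (assumed policy, for illustration).

    Returns (action, subject): 'block' for a sender on the mangled-domain block list,
    'tag' with an [EXTERNAL] prefix for any other outside sender, 'deliver' for internal mail.
    """
    domain = sender.rpartition("@")[2].lower()
    if domain in blocklist:
        return "block", subject
    if domain != our_domain.lower():
        return "tag", f"[EXTERNAL] {subject}"
    return "deliver", subject


if __name__ == "__main__":
    blocklist = mangled_domains("falseinc.com")
    print(len(blocklist), "variants, e.g.", sorted(blocklist)[:5])
    for sender in ("cfo@fa1seinc.com", "vendor@partner.org", "cfo@falseinc.com"):
        print(sender, "->", gateway_action(sender, "Urgent wire", "falseinc.com", blocklist))
```

Two practical notes: feed the same list to whoever watches new domain registrations, because the point of knowing the variants is to spot them before they are used, and prefer tagging every external message over tagging only known variants, since the generator can never enumerate everything an attacker might register.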

9. DKIM policy

DomainKeys Identified Mail (DKIM) lets your mail servers sign outgoing messages with a key whose public half is published in DNS, so a receiving server can verify that a message really originated from the domain in the From field and was not modified in transit. DKIM on its own only provides the signature; publish an SPF record alongside it and a DMARC record with a policy of quarantine or reject so that receivers know to discard unsigned mail claiming to be from your domain. The topic is involved, but the setup itself requires a relatively low amount of effort and prevents phishing attacks that spoof your exact domain. It does nothing against look-alike domains, which is why the mangled-domain checks above still matter.
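As an added example (not from the original article), these are the three DNS TXT records a domain publishes to make DKIM, together with SPF and DMARC, enforceable at the receiving end. example.com, the selector name, the mail provider's include hostname and the reporting mailbox are placeholders, and the p= value stands in for the real base64-encoded public key.

```dns
; SPF: which servers may send mail for example.com (-all = everything else fails)
example.com.                      IN TXT "v=spf1 mx include:_spf.mail-provider.example -all"

; DKIM: public key for the selector named in the server's DKIM-Signature header (s=selector1)
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=<base64 public key>"

; DMARC: reject mail that fails both SPF and DKIM alignment with the From domain,
; and send aggregate reports to the mailbox named in rua=
_dmarc.example.com.               IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"
```

In practice, start DMARC with p=none, read the aggregate reports for a few weeks to find legitimate senders (payroll, CRM, marketing tools) you forgot to sign or authorize, then move to quarantine and finally reject; jumping straight to reject is the quickest way to lose your own mail.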

10. Employee photos

Having pictures of users within the mail client directory is another visual cue to determine an email’s authenticity. If the corporate policy states users must have their picture taken, anyone who purports to be from inside the organization via email but doesn’t have a picture associated with their message is suspicious and should be reported to the company’s help desk.

11. Use plug-ins

Consider a software plug-in for reporting phishing emails. Microsoft’s Outlook client can be configured to allow users to report suspected phishing attempts with the click of a button. At least one mail gateway vendor also offers a plug-in download that can be pushed to workstations. Keeping this button in front of users is a reminder to users that it’s important to be alert to phishing.

Implementing these recommendations will improve your company’s security against phishing and other forms of attacks. Given the prevalence of phishing, it’s important for a company’s tech staff to help everyday users more easily recognize phishing attempts.