In this technological age, phishing — a form of hacking used to steal personal information or digital credentials — has become a threat to individuals and businesses alike. Generally speaking, phishing is a technique hackers use to trick you into surrendering sensitive information or allowing access to your computer system.
In this article, we explore some countermeasures your company should take to fend off this type of attack. Here are some best practices an organization can implement to stop phishing or limit the impact of a successful phishing attempt.
When a phishing expedition succeeds in tricking your employee to turn over their log-in credentials, multi-factor authentication can potentially still keep the attackers out. Multi-factor authentication adds an extra layer of protection when your system is accessed remotely. Access is granted only after entering a correct username and password along with a second factor, such as a text message with a sequence of numbers sent to the employee’s personal cell phone. Some third-party services, such as Microsoft’s Office 365, cannot be placed behind a company’s multi-factor remote access, but multi-factor authentication can sometimes be set up within the third-party environment. In the case of Office 365, Microsoft instructs users how to set this up. Securing Internet-facing services for internal employees with multi-factor authentication can stop an attacker even if credentials are compromised via a phishing attack.
Educate employees regularly to raise awareness on what phishing is and how it is a threat to businesses. Make phishing training mandatory for users who interact with computer systems. Online phishing quizzes (here’s another one) can be used along with monthly phishing email reminders and visual reminders around the office (such as educational posters) to keep users aware of the phishing threats an organization faces and to help them identify them when they show up in users’ inboxes.
Assess training effectiveness
Conduct regular phishing assessments to evaluate whether your phishing training is effective. An assessment should look at the various types of phishing: general campaigns (phishing), calling employees by phone for requests (vishing), targeting a handful of users (spear phishing) and targeting C-suite executives (whaling). Metrics from a simulated phishing campaign can highlight areas where training can be improved or identify employees who need additional help.
Keep systems up-to-date
Make sure that corporate information systems are up to date for both operating system and application patches. It’s common for attackers to gain remote access to a system due to unpatched vulnerabilities. This can happen, for example, when a user clicks on a malicious attachment. Regular patch audits of all software on systems to check that updates are current can prevent an intruder’s payload from executing successfully, even if a user was initially tricked.
Make sure that working backups of corporate information systems are maintained. This means the back-ups have gone through a verification process showing the backup could be successfully restored. In doing so, a business can quickly recover in the event of a ransomware attack, which would usually encrypt corporate data in such a way that it can’t be used by the owner of the company. While the data may be able to be recovered in some instances of ransomware attacks, there will be no question about whether or not the data can be restored if working backups are maintained.
While not a cure-all, an email gateway with spam detection will have an impact on the amount of spam and phishing attempts that reaches end users. Preventing excess spam from delivering to end users will prevent message fatigue and make it more likely that users will a spot phishing attempt that does make it through.
Limit access to system resources and do not grant users overly permissive administrator rights or rights to mapped file systems. Limiting user permissions will lessen the impact of a phishing attempt in the event a user is tricked.
Use scripts to identify mangled domains
As a reminder, a mangled domain is where the domain, such as falseinc.com, is subtly but intentionally mistyped to something like fa1seinc.com. It is common for attackers to buy these domains knowing that company employees are less likely to notice the company name mistyped by only one letter. To identify these mangled domains, scripts such as dnstwist and urlcrazy will generate mangled domain names for your company, which you can then use to create a blacklist of domains to be blocked by your email gateway. Alternately, the word EXTERNAL can be appended to the subject line of an email coming from a mistyped/mangled version of your domain or on any email coming from an external source. This can serve as a visual indicator to help identify possible phishing attempts and lessen the likelihood the attack will be successful.
A Domain Keys Identified Mail policy can address concerns by identifying email that did originate from the domain identified in the FROM field while also analyzing whether the message was modified in transit. DKIM is a complex subject, but you can learn more about it here. Implementing this policy requires a relatively low amount of effort and can prevent phishing attacks that spoof a legitimate domain.
Having pictures of users within the mail client directory is another visual cue to determine an email’s authenticity. If the corporate policy states users must have their picture taken, anyone who purports to be from inside the organization via email but doesn’t have a picture associated with their message is suspicious and should be reported to the company’s help desk.
Consider a software plug-in for reporting phishing emails. Microsoft’s Outlook client can be configured to allow users to report suspected phishing attempts with the click of a button. At least one mail gateway vendor also offers a plug-in download that can be pushed to workstations. Keeping this button in front of users is a reminder to users that it’s important to be alert to phishing.
Implementing these recommendations will improve your company’s security against phishing and other forms of attacks. Given the prevalence of phishing, it’s important for a company’s tech staff to help everyday users more easily recognize phishing attempts.
Derek Rush is a manager in LBMC Risk Services. LBMC Information Security, a member of the LBMC family of companies, is a leading service provider for information security. They offer a full spectrum of services in the areas of intrusion prevention, compliance and consulting.