Phishing is the most common form of cybercrime according to the FBI. In 2021, 323,972 victims were recorded across the US, which marks a 34% increase on the previous year. As cybercriminals continue to develop their attack techniques and leverage advances like crime-as-service and chatbots to create phishing emails, this number is likely set to continue rising.
[Figure: Year-on-year victim loss comparison for phishing/vishing/smishing/pharming. Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf]
In this article, we'll explore what phishing is and the methods cybercriminals use to get their hands on sensitive data. Plus, we'll share the five best defenses against phishing attacks to help enable you to prevent people in your organization from falling victim to phishing.
What is phishing?
Phishing is a cybercrime where people are targeted with emails that try to make them perform a certain action, such as entering log-in credentials via a phishing website, paying a fraudulent invoice, or downloading a malicious file that then delivers ransomware or spyware.
This information can then be used to access the target's accounts, resulting in data, identity, and financial theft. So, how can you prevent this from happening?
How to protect against phishing attacks
There are several different ways to protect your organization against phishing attacks. Investment should be made in both technical defenses (e.g. anti-phishing solutions) and helping improve employees’ awareness.
As part of this, you will need to ensure your organization is protected against both ‘known threats’ – which have a distinct signature that’s been added to detection libraries – and zero-day and emerging threats, plus advanced attacks such as those sent from compromised legitimate email accounts, business email compromise (BEC) and impersonation attacks, invoice and payment fraud, and social engineering.
In recent years, a new category of email security solutions has emerged, termed integrated cloud email security (ICES) solutions by Gartner. I’ll discuss these solutions, including Egress Defend, in more detail at the end of this article.
1. Phishing awareness training
Almost every organization already has a security awareness and training (SA&T) program, training people periodically (often monthly) about the risks they face and helping an organization meet its compliance requirements.
These programs provide good insight into broad risks and trends, for example times of heightened cyber risk associated with global political developments or phishing attacks centered on specific news stories. Content can also focus on how to spot a phishing link within a malicious email or identify a phishing website, explain what might happen if someone was to click a phishing link, and warn people not to open attachments unless they trust the source.
This is useful, high-level information, but people will still make mistakes, and it’s unrealistic to expect them to detect every phishing email, as people forget what they’re taught over time. Organizations therefore need to layer their technical defenses to protect their employees. Additionally, real-time teachable moments delivered by intelligent anti-phishing technology augment SA&T by highlighting and explaining risk using real-world attacks as examples.
2. Multi-factor authentication
Multi-factor authentication (MFA) is one strategy organizations can layer into their defenses to deter cybercriminals and help to prevent attacks by requiring additional information from people to verify their authenticity. Think of it as having multiple locks on your data that, in theory, only you can open.
There are three recognized MFA factors, which are:
- Something you know (knowledge): This covers information such as passwords, PIN numbers or combinations
- Something you have (possession): This can include USB security keys or token devices (for example, one that generates a time-based PIN)
- Something you are (inherence): This could be a fingerprint, facial recognition or other biometrics
You don't have to incorporate all three; many organizations choose to use a two-factor authentication method, which (as the name implies!) incorporates two of the processes listed above.
The majority of account takeover (ATO) attacks start with a phishing email, usually directing the person to a phishing website where they enter their credentials. Using MFA strengthens your organization’s defenses at the point where the cybercriminal tries to use those stolen credentials to log into the victim’s account.
MFA, however, isn’t a silver bullet and can still be bypassed by cybercriminals under certain circumstances. Find out more about how threat actors can subvert MFA.
3. Use AV and antimalware software and keep it updated
One of the most common phishing attack payloads is an attachment that contains malware. Similarly, some phishing websites are designed to install malware rather than to steal credentials. There are many different types of malware, including ransomware, keyloggers, viruses, password stealers, screen or audio recording software, and programs that delete data.
It's important to have AV and antimalware protection that can scan inbound emails, as well as endpoint environments. In particular, organizations are migrating to Microsoft 365 and many are deploying its native anti-phishing controls, which can help to protect them from known viruses and malware within phishing emails by sending any that it detects as malicious to junk. In this regard, secure email gateways (SEGs) provide a similar function.
It’s worth bearing in mind, however, that these solutions rely on detecting ‘known threats’ – ones that have been previously identified and added to their libraries. Organizations require additional layers of defense against zero-day and emerging threats.
4. Open suspicious documents in an isolated environment like VirusTotal
It may be a common part of someone’s job to open attachments from people they don't know personally (e.g. resumes sent to recruiters); however, it isn't always easy to verify whether those files are malicious or not.
Having anti-phishing software in place provides a good level of assurance that only legitimate attachments are arriving in people’s inboxes; however, it is also possible to avoid opening attachments directly on an endpoint device. Instead, a service like VirusTotal can be used to check whether an attachment has previously been reported as malicious.
Again, bear in mind that this might not be entirely without risk, particularly against zero-day attacks and emerging threats. If needed, isolated virtual machines can be used as sandboxes for opening and inspecting suspicious attachments.
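One way to operationalize the VirusTotal check above without ever opening the file: hash the attachment locally and look the hash up with VirusTotal's API v3 file endpoint. This is an added example written for this article, not Egress code or VirusTotal's own client; it assumes an API key in the VT_API_KEY environment variable and a constructed sample report for offline use. A hash VirusTotal has never seen (HTTP 404) is returned as "unknown" rather than "clean", which is exactly the zero-day gap the paragraph above warns about.

```python
"""Triage an email attachment by SHA-256 against VirusTotal without opening it."""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

VT_FILES = "https://www.virustotal.com/api/v3/files/"


def sha256_of_file(path: str) -> str:
    """Hash the attachment in chunks; the file is read as bytes, never executed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256: str, api_key: str) -> Optional[dict]:
    """GET /api/v3/files/{hash}; VirusTotal answers 404 for hashes it has never analysed."""
    req = urllib.request.Request(VT_FILES + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # never seen: not evidence of safety
        raise


def verdict_from_report(report: Optional[dict]) -> str:
    """Map a v3 report's last_analysis_stats to a triage verdict; None means 'unknown'."""
    if report is None:
        return "unknown"
    stats = report["data"]["attributes"]["last_analysis_stats"]
    if stats.get("malicious", 0) > 0:
        return "malicious"
    if stats.get("suspicious", 0) > 0:
        return "suspicious"
    return "no-detections"


# Constructed sample in the shape of a VirusTotal v3 file report (values invented).
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 3, "suspicious": 0, "undetected": 60, "harmless": 0}}}}

if __name__ == "__main__":
    digest = sha256_of_file(sys.argv[1])
    key = os.environ.get("VT_API_KEY")
    report = fetch_report(digest, key) if key else SAMPLE_REPORT
    print(digest, verdict_from_report(report))
```

Run as `python vt_triage.py suspicious.docx` with VT_API_KEY set; without a key it evaluates the constructed sample so the parsing path can be exercised offline.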
5. Invest in integrated cloud email security (ICES)
ICES solutions integrate directly into your cloud email platform (Microsoft 365) to provide an additional layer of defense. Unlike the signature-based detection provided by Microsoft’s native controls and SEGs, ICES solutions use AI and machine learning models (like natural language processing (NLP) and natural language understanding (NLU)) to detect advanced phishing threats, including zero-day attacks and emerging threats, BEC and impersonation attacks, supply chain compromise, and invoice and payment fraud.
Egress Defend is an ICES solution that takes a zero-trust approach and analyzes all inbound emails to detect advanced phishing attacks. Using intelligent and holistic detection capabilities, Defend provides behavior-based security that can be used to detect social engineering and attacks sent from compromised supply chain accounts, stopping the broad range of advanced threats organizations face. Defend also delivers real-time teachable moments directly within the inbox to tangibly reduce risk and augment SA&T programs.
What is the best defense against phishing attacks?
Governments globally acknowledge that layered defenses are the best way to protect against phishing attacks. Increasingly, organizations are deploying Defend as an ICES solution alongside their native Microsoft 365 anti-phishing controls to stop the broad range of threats they face, including advanced phishing attacks, and to augment their SA&T programs.
Layering additional defenses, such as those listed in this article, can also help to further protect people and organizations from falling victim to a phishing attack and keep data, finances, and systems secure.