Did you see our infographic the other day on how to spot and avoid falling victim to phishing attacks? In today’s post, we look at phishing attacks in some more depth and outline the top 7 ways to avoid anyone in your organisation getting hooked. After all, end users pose the biggest threat to your organisations security, so knowing how to get them up to scratch is a win win!
Train your employees
Employees are the biggest weakness in your company’s cybersecurity chain. The majority of cyber attacks or personal data breaches are as a result of your employee’s activity – especially clicking phishing attacks.
Employees within your organisation should have clear guidelines on what to do if they are suspicious of an email. Emails that vouch for a raised eyebrow include: very personalised emails (or the use of your username as opposed to your real name), spelling and grammar mistakes or scare mongering call to actions (e.g. “act now or risk losing your account”).
Be wary of clicking links within emails
Phishing emails are filled with malicious links that will take unsuspecting users to a number of different sites, often spoofing popular domains like eBay or Amazon. Users are then presented with a spoofed sign in page that will capture their log in credentials, leaving their accounts open to the attackers.
One way to combat this is to again train your users on ways to identify phishing emails. If users do receive emails from outside of the organisation, they should think twice about clicking any links that are in them. A good port of call would be to inform the relevant IT contact within the organisation of the email so that they can check it out. You should also encourage users to have a look at the domain from which the email has been sent. What we see a lot of the time is the changing of just 1 or 2 characters from the existing domain. For example, a legitimate email from PayPal will come from the domain @paypal.com. Whereas a phishing attempt may come from the email @peypal.com.
Use two-factor authentication
If you have never heard of two-factor authentication, it is the practice of needing not only a password to access your account but also a mobile generated code alongside your password each time you sign in.
This means that turning on two-step verification adds an extra layer of security for organisations to defend against phishing attacks -should your employees fail to recognise a phishing attack and end up clicking the links as described above and they unknowingly hand attackers their log in credentials, the attackers will not be able to gain access to said account unless they also have access to the users security code generator, which is usually their mobile phone.
Update your software regularly
One of the biggest flaws in your organisations security is your software. Attackers are becoming increasingly more intelligent in their attack methods and are capable of exploiting security vulnerabilities in software that has not been updated for some time.
One way in which you can do this is through the monitoring of your user endpoints. Most Managed Service Providers will actively monitor all workstations and servers on your network, getting alerts when their software requires an update. Having a monitoring tool like this will greatly improve your defence against phishing attacks along with other attack techniques, as attackers have one less vulnerability to exploit.
Use different passwords across your systems
Teams now rely upon so many different online tools and platforms to go about their daily tasks. It is not uncommon for users to use the same password across all these platforms, although it is definitely not recommended.
There are lots of different log in tools that can be employed to secure your employees accounts – systems like LastPass allow users to have one master password for all logins. It will then generate a random password for each account every time you log in. This works in a similar way to two-factor authentication in the fact that if attackers gain access to one of your passwords, they will still not be able to access your accounts.
Test your employees
In reality you will never know if your efforts to protect your organisation from a phishing attack work unless you put them into practice. The best way to test your employees is to circulate a simulated phishing email across your teams and see if you get any bites. If you do, then you know the areas of the business that you need to focus on.
Install reliable enterprise grade antivirus
It may seem like a no brainer, but it is highly important to install a reliable piece of antivirus software – we promote the use of Webroot. Although no anti-virus software is guaranteed to prevent your organisation falling victim to a phishing attack, they are a step in the right direction.
As with any cybersecurity threat, a multi layered security approach is key. It is important to combine anti-virus software with all of the recommendations that we have outlined above – you need to train your users, regularly patch your software, promote the use of two-factor authentication and test your employees. If they fail the test repeat all of the above steps!
If you are unsure as to whether you are defending your organisation from cyber threats like phishing attacks as effectively as you could be, book a meeting with us today.