Between October 2015 and March 2016, phishing attacks surged by a record-breaking 250% to more than 289,000 incidents, the highest number since the Anti-Phishing Working Group, a coalition of government and industry organizations, began tracking phishing in 2004.
As discussed in the AT&T Cybersecurity Insights report, there’s a reason for its growing popularity: phishing is a profitable business. A recent FBI report estimates that phishing attacks featured in so-called business email compromises have netted their authors more than $3 billion in the last year and a half.
But what’s frustrating for CSOs and other security executives is that phishing scams are entirely preventable — at least in theory. In practice, however, nothing’s that easy — in large part because employees continue to be the perennial weak link in network defenses.
Attackers send emails that purport to represent legitimate organizations when, in fact, they contain links or attachments that install malware that lets intruders into the network.
Sometimes the phishing attack appears to come from a trusted source, where the perpetrators include personal or company details that they’ve stolen from other compromised computers to lend an air of authenticity to the scam. And some phishing emails even automatically execute hidden code as soon as the email gets opened.
Just say no
Organizations can throw more technology at the problem, but some phishing emails will still evade the filters. Despite repeated warnings, employees continue to open email attachments or click on links from unfamiliar sources. Here are four strategies for securing organizations against phishing attacks:
1. Employee awareness. Phishing plays on human vulnerabilities, and that’s why any comprehensive plan to combat phishing must start by educating employees about the role they play in the organization’s overall information security posture. It may not sound sexy, but the best defense against phishing remains a continuous, hands-on employee-training program.
This needs to be more than a once-a-year refresher event. Security awareness training is key to weaning employees away from clicking phishing emails, so training ought to involve periodic refresher courses. Mock training sessions with phishing scenarios can help employees envision the types of phishing emails they may receive. It will also help them get a more granular feel for the implications of clicking malicious links embedded in emails.
2. Incident response. Prepare for the event of a breach by creating an incident response plan that automatically goes into effect following a phishing attack. As outlined in the AT&T Cybersecurity Insights report, if there’s a compromise, the organization’s incident response will kick in immediately so that people and processes can turn to the work of blunting the progress of the intruder.
3. Two-factor authentication. On the technology side, make two-factor authentication a requirement. It will block hackers who have compromised a user's credentials from going further. Organizations might also consider introducing code-generating tokens that reduce the possibility that a phishing attack could succeed simply by stealing an employee password.
4. Current patches and updates. Make sure that all systems are current with the most recent security patches and updates. Web-content filters and good spam filters will also help stop emails from suspicious sources from reaching inboxes.
A goal of 100% protection against phishing may be a pipe dream, and no single “best” technology solution will eradicate phishing attacks entirely. So anything that helps mitigate the threat qualifies as a huge win.
Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.