Phishing is a type of scam where a cyber criminal sends a phony email in an attempt to get you to give information or click on a dangerous link that could download malware onto your device. Because phishing has been going on for decades, you would think we would have a surefire way to prevent it, but that isn’t the case. Though much of your cyber security can fall onto your IT team’s shoulders, phishing scam prevention is something that every person in your company needs to be aware of and actively working on.
Here are some tactics for phishing scam prevention so you can know what to look for and what to do when you encounter a phishing email.
1. Don’t Fall for Psychological Triggers
One of the most common baits that phishers will use is psychological triggers. They tell you something is time sensitive and urge you to act quickly. These could be anything from alerting you to a missed delivery to a prize you must claim immediately. The scammers are trying to trick you into acting before you get a chance to analyze the email deeper, because once you do you will be able to see some of the signs it’s a scam. Trying to trigger this common human reaction of leaping before you look is called social engineering.
When you receive an email, you need to think before you act. Is the email pushing you to do something quickly? Are they trying to manipulate you? Phishers are so successful because even once people are aware of the dangers, they don’t realize what is happening in the moment.
You need to step back for a minute. Look at the email. Ask yourself “is this phishing?” If the email looks odd in some way, is pushing you to immediate action or simply seems too good (or bad) to be true, it could be. Do not hesitate to contact your IT specialist for any suspicious email. It is easy for them to quickly and definitively recognize if an email is phishing. Don’t worry about “bothering” them with it. Even if you asked them to verify hundreds of emails, it is still nothing compared to the difficulty of fixing issues after a phishing attempt succeeds.
2. Create Policies and Procedures for Emergency Requests
Cyber criminals may play on your emotions by presenting their emails as emergencies within your company. They want the recipient to be too worried about the company to notice any red flags. Common goals of these emails are obtaining login credentials or other sensitive information, or getting funds transferred.
The employees receiving these threats are under pressure to act immediately. Putting a few simple policies and procedures in place could help keep employees from falling into the trap.
- Make it clear to employees when and how emergency requests would be made of them and how to tell if the request is legit.
- Explain requests that will never be made, so they can immediately be noticed as a scam. For instance, you’ll never be asked to provide credentials by email or buy several gift cards for the CEO.
- Set a procedure so that all requests for sensitive information need to be verified with another party. This can be made as simple as, “If you get an email request from someone, contact them directly to ask about it.”
- Give your employees specific instructions as to how they are to share sensitive information, such as passwords, and with whom they can share them.
3. Teach Your Team to Spot Phishing (and Test Them on It)
Though most of your staff have likely been taught the basics of what to look for, such as grammar mistakes in the emails, these mistakes aren’t always easy to spot. Scammers have begun to notice and improve their grammar using artificial intelligence. Your employees must be educated further and even tested to check how much they understand and apply phishing scam prevention procedures.
Your managed service provider can work with you to customize simulated phishing attacks to test your employees. Test emails are crafted to include the red flags and tactics your team has been trained to spot, so that they look like real phishing to those being tested. These tests are not meant to embarrass or punish staff who fail to spot the phishing. They are simply a very effective training tool to help your team as a whole get better at spotting potential phishing emails.
4. Encourage Staff to Report Phishing Emails
It’s human nature to be scared to be wrong or waste someone’s time — especially in the workplace. You need to encourage your team to report the emails they suspect as phishing. One method is a rewards system. Put the names of people who identify and report phishing emails into a hat and pull one a month for a raffle prize of $1,000. Or offer a $20 gift card for every successful phishing email spotted. This may sound like a lot of money, but keep in mind that a successful phishing scam can cause millions of dollars worth of damages.
You should also make it easy to report suspicious emails. Employees are much less likely to want to put in the work if the process of reporting an email is complicated or burdensome. If your reporting process is one that takes multiple steps to complete, we recommend implementing a simpler alternative such as a report button.
5. Monitor the Dark Web for Company Data
The information stolen in breaches or data leaks ends up on the dark web, sometimes for sale and sometimes simply posted there. Many phishing operations start with leaked company credentials found or bought on the dark web. Part of your phishing scam prevention plan should be to monitor the dark web for your company’s details, such as its name and employee email addresses. Monitoring can alert your company if any passwords have been sold, so you can change and update them before the scammers can cause damage. Dark web monitoring can also alert you if your company name or information appears in forum discussions, which could indicate phishing operations are targeting your company.
6. Know What Makes You a Target
Though everyone needs to be aware of phishing and that they may be a target, new employees are particularly vulnerable. Phishers will often keep tabs on databases such as LinkedIn and target new employees because they are typically easier targets. You should talk to all new employees about this, and warn them that phishers may target them specifically and even use their personal emails or phone numbers.
Senior leaders are also a major targeted group (a practice called whaling) because they have access to more company information and systems. Plus, once attackers gain access to a senior-level employee’s account, it is easier to trick other employees with email requests. If you think an email request is coming from your boss or CEO, you’re less likely to think twice before acting. We recommend that all members of the C-suite put security protocols in place to ensure the safety of their information.
One of the big mistakes is sharing too much information on social media. Phishers can use your personal information like your birthday to access your accounts. A good bet to keep yourself safe is to hire a company to do a cyber security assessment. As part of this assessment, they will analyze your company’s website and social media along with employees’ personal profiles.
7. Use Tools and Technology to Your Advantage
In a perfect world, there would be a solution that would make it so you never receive phishing emails, but we all know that’s not the case. But there are ways to lower the frequency and amount of phishing emails you get, including:
- Email filters that separate out scams before they get to you.
- Microsoft 365 Advanced Threat Protection for companies using Microsoft 365.
- Multi-factor authentication (MFA), which can prevent a phisher from getting into an account with stolen credentials.
- Secure web gateway (SWG) and single sign-on (SSO), which let you enable MFA in one place and have it enforced across all of your accounts. When you use SSO, that is the only place any of your credentials should be entered, so it is a good idea to put that in a written policy for your employees.
- Password managers that store passwords securely and encourage strong password management practices such as not repeating passwords. As an added bonus, a password manager can also help people recognize that they’re on a phishing site instead of where they intended to log in. Saved passwords do not autofill on a spoofed site.
- Multi-scanning technology to help scan and filter your emails. Understand that a single antivirus engine will not prevent or detect scams every time, which is why running your emails through multiple engines is recommended.
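The password manager point above is worth seeing in code. The example below is added here and is not from the original post or any particular product: it models a vault keyed by origin (scheme, host and port) the way browsers and managers match saved logins, and shows that a lookalike host, an extra domain label or an http:// downgrade all get no autofill. The vault contents, host names and the `lookalike_warning` heuristic are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault for the example: credentials keyed by the exact origin
# (scheme://host[:port]) they were saved on. Hypothetical data, not from the post.
VAULT = {
    "https://login.example.com": {"user": "alice", "password": "correct-horse"},
    "https://mail.example.com": {"user": "alice@example.com", "password": "battery-staple"},
}

def origin_of(url):
    """Reduce a URL to the browser's notion of origin: scheme://host[:port]."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}[parts.scheme]
    if parts.port and parts.port != default_port:
        return f"{parts.scheme}://{host}:{parts.port}"
    return f"{parts.scheme}://{host}"

def autofill(url, vault=VAULT):
    """Return the credential saved for this page's origin, or None.
    A lookalike host, an extra label, or an http:// downgrade all give None,
    which is exactly the silence that tips a user off on a phishing page."""
    origin = origin_of(url)
    return vault.get(origin) if origin else None

def lookalike_warning(url, vault=VAULT):
    """List saved origins whose hostname is embedded in a non-matching page host,
    e.g. login.example.com inside login.example.com.evil-host.invalid.
    Dots and dashes are treated alike so login-example.com is caught too."""
    raw_host = (urlsplit(url).hostname or "").lower()
    norm_host = raw_host.replace("-", ".")
    hits = []
    for saved in vault:
        saved_host = urlsplit(saved).hostname
        if raw_host != saved_host and saved_host.replace("-", ".") in norm_host:
            hits.append(saved)
    return hits

if __name__ == "__main__":
    for page in ("https://login.example.com/auth?next=/inbox",
                 "https://login.example.com.evil-host.invalid/auth",
                 "https://login-example.com/auth",
                 "http://login.example.com/auth"):
        print(page, "->", autofill(page), lookalike_warning(page))
```

Real managers differ in whether they match on the full origin or on the registrable domain (so that `sso.example.com` could reuse a `login.example.com` entry); this example uses the stricter exact-origin match, which is why a different subdomain also gets nothing.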
One more option can help, though it is a drastic measure suitable only for certain companies: allow only plain-text emails and restrict the types of attachments permitted. This prevents phishing by blocking any email carrying links or attachments that aren’t specifically permitted.
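To make the plain-text-only policy concrete, here is an added example (not from the original post, and not any mail product's code) that walks a message's MIME parts with Python's standard `email` library and reports everything the policy would reject: a non-plain-text body part, a link to a domain outside the allowlist, or an attachment whose type is not permitted. The allowlists and the three sample messages are constructed for the example.

```python
import email
import re
from email import policy

# Constructed policy for the example (not the post's): plain-text bodies only,
# links only to the company's own domain, and only PDF attachments.
ALLOWED_LINK_DOMAINS = {"example.com"}
ALLOWED_ATTACHMENT_TYPES = {"application/pdf"}

URL_HOST = re.compile(r"https?://([^\s/<>\"']+)", re.IGNORECASE)

def host_allowed(host):
    host = host.split(":")[0].lower()          # drop any port
    return any(host == d or host.endswith("." + d) for d in ALLOWED_LINK_DOMAINS)

def policy_violations(raw):
    """Return (kind, detail) pairs for everything the policy rejects.
    An empty list means the message may be delivered."""
    msg = email.message_from_string(raw, policy=policy.default)
    violations = []
    for part in msg.walk():
        if part.is_multipart():
            continue                           # containers carry no content of their own
        ctype = part.get_content_type()
        is_attachment = part.get_content_disposition() == "attachment" or part.get_filename()
        if is_attachment:
            if ctype not in ALLOWED_ATTACHMENT_TYPES:
                violations.append(("attachment", f"{part.get_filename()} ({ctype})"))
        elif ctype != "text/plain":
            violations.append(("body", ctype))  # HTML, rich text, images, ...
        else:
            for host in URL_HOST.findall(part.get_content()):
                if not host_allowed(host):
                    violations.append(("link", host))
    return violations

# Constructed sample messages.
CLEAN = """\
From: colleague@example.com
To: alice@example.com
Subject: Minutes
Content-Type: text/plain; charset="utf-8"

Minutes are on the intranet: https://intranet.example.com/minutes
"""

HTML_WITH_LINK = """\
From: noreply@delivery-notice.invalid
To: alice@example.com
Subject: Missed delivery
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your parcel is waiting: http://track.delivery-notice.invalid/claim
--b1
Content-Type: text/html; charset="utf-8"

<p>Your parcel is waiting: <a href="http://track.delivery-notice.invalid/claim">claim</a></p>
--b1--
"""

MACRO_ATTACHMENT = """\
From: accounts@example.com
To: alice@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Invoice attached.
--b2
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b2--
"""

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("html", HTML_WITH_LINK), ("macro", MACRO_ATTACHMENT)):
        print(name, policy_violations(raw))
```

The check keys on the declared MIME type and disposition, which a real gateway should back with content inspection (the declared type of an attachment is under the sender's control); the value of the policy is that anything not explicitly permitted is rejected by default rather than having to be recognized as bad.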
8. Mark External Emails and Create a Blacklist
Help your employees be more vigilant by marking all emails not sent from within the company as “external.” This gives an immediate warning to look for red flags. Still, make sure your team knows this isn’t foolproof: if a company address has been spoofed, the message appears to come from a legitimate internal address and will not be marked. To prevent spoofing, make sure your email DNS (domain name system) records are set up correctly.
A blacklist can also keep dangerous emails out. Blacklisting means integrating your company’s email system with a threat intelligence feed so that mail from known unsafe sources is refused. It works by looking up the IP address an email was sent from and blocking mail from blacklisted IPs.
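The external tagging, the spoofing caveat and the IP blacklist above fit together as one inbound-gateway rule, shown here as an added example that is not from the original post or any mail product. It reads the connecting IP from the topmost `Received` header, refuses mail from blacklisted networks, tags mail from outside the company domain, and only treats a message claiming an internal sender as internal when the `Authentication-Results` header written by the company's own mail exchanger (RFC 8601) records `dmarc=pass`; otherwise it is flagged as a suspected spoof, which is the case plain external tagging misses. The domain `example.com`, the blacklist ranges (documentation addresses) and the four sample messages are constructed.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # constructed: the company's own mail domain
# Constructed blacklist fed from a threat intelligence source (documentation ranges).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]

def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def connecting_ip(msg):
    """IP of the host that handed the message to our gateway: the first
    bracketed address in the topmost Received header, which our own MX wrote."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return ipaddress.ip_address(m.group(1)) if m else None

def dmarc_result(msg):
    """Read the dmarc= verdict from the Authentication-Results header our MX added."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"

def classify(raw):
    """Return (verdict, subject as it should be delivered)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    ip = connecting_ip(msg)
    if ip and any(ip in net for net in BLOCKLIST):
        return "blocked", subject
    if sender_domain(msg) != INTERNAL_DOMAIN:
        return "external", "[EXTERNAL] " + subject
    if dmarc_result(msg) == "pass":
        return "internal", subject
    return "spoofed-internal", "[SUSPECTED SPOOF] " + subject

# Constructed sample messages as they would look after our MX added its headers.
INTERNAL_OK = """\
Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: CEO <ceo@example.com>
To: alice@example.com
Subject: Q3 numbers

Please review before Friday.
"""

SPOOFED_INTERNAL = """\
Received: from mail.bulk-sender.invalid (mail.bulk-sender.invalid [192.0.2.55]) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender.invalid;
 dkim=none; dmarc=fail header.from=example.com
From: CEO <ceo@example.com>
To: alice@example.com
Subject: Urgent wire transfer

I need this done before the board call.
"""

EXTERNAL = """\
Received: from mail.partner-co.invalid (mail.partner-co.invalid [192.0.2.77]) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner-co.invalid;
 dkim=pass header.d=partner-co.invalid; dmarc=pass header.from=partner-co.invalid
From: Accounts <billing@partner-co.invalid>
To: alice@example.com
Subject: Invoice

Attached as agreed.
"""

BLOCKED = """\
Received: from unknown (unknown [198.51.100.23]) by mx.example.com
Authentication-Results: mx.example.com; spf=none; dkim=none; dmarc=none
From: Prizes <win@lucky-draw.invalid>
To: alice@example.com
Subject: Win a prize

Claim now.
"""

if __name__ == "__main__":
    for raw in (INTERNAL_OK, SPOOFED_INTERNAL, EXTERNAL, BLOCKED):
        print(classify(raw))
```

Two points a practitioner would want noted: the `Authentication-Results` header is only meaningful if your own mail exchanger wrote it, so a gateway must strip any copy already present on inbound mail before adding its own, and the `dmarc=pass` verdict only exists because the company's SPF, DKIM and DMARC DNS records are published, which is the "email DNS set up correctly" step above.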
9. Plan Your Response to a Successful Phish
You can take all these recommended precautions, but your company will never be 100 percent safe from phishers. Scammer tactics evolve daily, and it only takes one mistake by one employee. You need to be ready for that to happen and have a plan. Never blame or shame the victim. Instead, step up your cyber security awareness training and other prevention techniques, run a cyber security assessment to find and close weak areas of your security plan, and work to mitigate any damage done. By outlining the potential breach scenarios in advance and how to respond to each, you’ll be able to hit the ground running after one occurs.
We’ve talked a lot about email, but it’s worth keeping in mind business-related communications channels are proliferating rapidly — and phishers can use them all, including social media, messaging apps and even phone calls. Include all these tactics in your plan.
We Can Help
You know that you’re at risk and you know how you can try to protect yourself. But don’t try to do it alone. That is what your managed service provider is for. Contact us so we can figure out how to best protect your company.