Phishing is bad. Really bad. There’s probably no other web phenomenon that has so many worrying statistics.

Yet people are still pretty careless about it.

We have all received emails from a Nigerian prince trying to share his wealth with us, haven’t we?

‘There’s no way I’m falling for this!’ you may say.

‘Who can get fooled with that anyway?’

Well, for the Nigerian prince scam, hopefully no one anymore.

But what about banking scams, healthcare attacks, e-commerce breaches?

Not a single week goes by without news of another successful phishing attack.

Millions of dollars are lost and thousands of valuable records compromised.

So how can companies protect against phishing?

Phishing Filters

Email is where most phishing attacks come from.

  1. You get an email that looks legitimate.
  2. You follow the instructions in that email.
  3. Your data or credentials get stolen.

Email content filtering focuses on the content of the message you receive. The software analyzes fields such as From, Subject, Date and To, and determines whether the email is legitimate or not.

Messages that look suspicious are marked as spam and stored in a separate folder or removed.

Practically every security software vendor offers this service. Examples include Kaspersky Internet Security, SpamAssassin and GoldPhish.

You can set up a phishing filter for privacy protection on your own in Chrome, Firefox, Outlook and all other popular email clients. You can also check with the IT security team at work and make sure that you’re using the best phishing protection your company offers. Business email solutions usually include standard security functions.

Pros:

Fast & Easy
Easy to implement and relatively inexpensive. Security software can be installed in just a few minutes.

First Line of Defence
Phishing filters are the first tool to reach for and offer a lot of useful features: whitelisting, blacklisting, file blocking and customizable rules.

Cons:

Human Factor Necessary
The software does not recognize all suspicious emails and needs to be trained. The list of suspicious senders has to be updated frequently. Because of that, the human factor is still necessary: a person needs to decide whether a new website should be blocked or not.

Bayesian Poisoning
Content filtering can be defeated by spammers who know how to degrade a spam filter’s accuracy. Bayesian filtering estimates whether an incoming mail is spam or not from the words it contains. Padding a message with words that usually don’t appear in spam can cause the filter to believe the message is legitimate.
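To make the two cons above concrete, here is an added example (not code from the article or from any vendor named in it): a minimal Bayesian spam score trained on a constructed toy corpus, plus a header rule that never looks at the body. The credential lure scores as spam; the same lure padded with office vocabulary drops well below the threshold, which is the poisoning effect just described; the Reply-To domain check still quarantines it, which is why real filters combine word scoring with header and sender checks. The corpus, the messages and the domains bank.example and mailbox.example are all constructed.

```python
import math
import re
from collections import Counter
from email.utils import parseaddr

# Constructed toy corpora (hypothetical): four spam and four legitimate messages.
# A real filter trains on many thousands of messages and a far larger vocabulary.
SPAM_TRAINING = [
    "urgent verify your account password now click link",
    "your account suspended verify password immediately click here",
    "click link to confirm your password and account details",
    "security alert verify account now or lose access",
]
HAM_TRAINING = [
    "meeting agenda for thursday attached see notes",
    "lunch tomorrow with the project team thursday",
    "quarterly report draft attached please review notes",
    "project status update and agenda for next week",
]


def tokenize(text):
    """Lower-case alphabetic tokens; each word counts once per message."""
    return set(re.findall(r"[a-z]+", text.lower()))


class NaiveBayesFilter:
    """Simplified presence-based naive Bayes score, Laplace smoothing, equal priors."""

    def __init__(self, spam_docs, ham_docs):
        self.spam_df = Counter()  # number of spam messages each word appears in
        self.ham_df = Counter()   # same for legitimate mail
        for doc in spam_docs:
            self.spam_df.update(tokenize(doc))
        for doc in ham_docs:
            self.ham_df.update(tokenize(doc))
        self.n_spam, self.n_ham = len(spam_docs), len(ham_docs)

    def spam_probability(self, text):
        """P(spam | words present), accumulated in log space to avoid underflow."""
        llr = 0.0
        for word in tokenize(text):
            p_spam = (self.spam_df[word] + 1) / (self.n_spam + 2)  # P(word | spam)
            p_ham = (self.ham_df[word] + 1) / (self.n_ham + 2)     # P(word | ham)
            llr += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-llr))  # sigmoid of the log-likelihood ratio


def header_flags(headers):
    """Header checks that ignore the body, so word padding cannot influence them."""
    flags = []
    from_domain = parseaddr(headers.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(headers.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-domain-mismatch")
    return flags


def classify(headers, body, nb, threshold=0.5):
    """Quarantine when either the word score or a header rule fires."""
    score = nb.spam_probability(body)
    flags = header_flags(headers)
    verdict = "quarantine" if score > threshold or flags else "deliver"
    return verdict, score, flags


FILTER = NaiveBayesFilter(SPAM_TRAINING, HAM_TRAINING)

# Constructed sample message: a credential lure, then the same lure padded with
# office vocabulary that the classifier learned from legitimate mail.
PHISH_BODY = "verify your account password now click link"
POISON_PADDING = ("meeting agenda thursday project notes attached report review "
                  "lunch tomorrow team quarterly draft please status update")
PHISH_HEADERS = {"From": "Alerts <alerts@bank.example>",
                 "Reply-To": "collect@mailbox.example"}


def demo():
    """Returns (verdict, score, flags) for the plain lure and the padded lure."""
    plain = classify(PHISH_HEADERS, PHISH_BODY, FILTER)
    padded = classify(PHISH_HEADERS, PHISH_BODY + " " + POISON_PADDING, FILTER)
    return plain, padded


if __name__ == "__main__":
    for label, result in zip(("plain", "padded"), demo()):
        print(label, result)
```

Run it and the plain lure scores above 0.99 while the padded copy scores around 0.02; only the Reply-To mismatch keeps the padded message out of the inbox. The threshold and the Reply-To rule are choices made for this illustration, not settings of any product the article names.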

There’s a great article here discussing in detail how reliable email filters are. The short version:

‘It is fair to say that spam filters don’t provide all of the protection from targeted malicious emails that users need’.

I really recommend reading the article and going through its more detailed takeaways. The author tested the most popular providers, including Gmail, Outlook, Yahoo, AOL and Apple Mail.

Phishing Awareness Training

This kind of training usually runs over a longer timeframe. It is conducted by a hired organization that acts as an attacker and tries to compromise employees.

So-called white hat hackers perform a staged phishing attack to see how many people fall for it. The data is then analyzed and, depending on the results, appropriate steps are taken, usually in the form of additional training and monitoring.

A number of organizations offer phishing awareness training, with Cofense, Wombat and Barracuda to name a few.

If you want to learn more and find the companies best placed to help, search Google for ‘phishing as a service’ (PHaaS), shortlist some companies, reach out to them and compare their offers.

Pros:

Building awareness in your workforce
Properly applied, long-term education can have great effects, turning employees into security ambassadors and an effective anti-phishing filter for the company.

Cons:

‘Untrainable’ employees
In every organization there are some people who are somehow immune to training. According to Wombat Security, healthcare industry employees repeatedly score low in security awareness training, answering 23% of data security best practice questions incorrectly every time.

Employee retention
Companies with high employee turnover and many applications in use are almost always vulnerable to human error. In corporations that employ thousands of people, it’s impossible to keep everyone’s security awareness at the same level when new employees are hired every month.

Out of sight
According to securityintelligence.com, the effectiveness of security training depends on location. While employees working at HQ were more likely to comply with company security policies, those in remote locations were usually much more careless and paid little attention to security best practices.

2FA /MFA Technology

No matter how many security measures you introduce, your organization may get compromised anyway. That’s why technology still needs to be part of the process.

Chances are, you’ve heard of or even used two-factor authentication before. This security method requires each user to provide a password plus an additional piece of information they possess in order to verify the login.

There are many different setups that can be used for two-factor authentication, with FIDO Universal 2nd Factor (U2F) being the most secure of them all. This setup requires users to present a physical USB security key as well as their password to gain access to the information they need.

Pros:

Battle tested. U2F is so effective that none of Google’s 85,000 employees have been phished successfully since the company adopted U2F back in early 2017. U2F is on its way to becoming the next gold standard for security in the global business world because it even protects users against themselves.

Hard(ware) protection. You may not be aware of it, but you already use two-factor authentication. When you withdraw money from an ATM you use your card (login) and your PIN (second factor). So if you lose your debit card you don’t have to worry, because it’s still protected by a second factor that the thief most likely doesn’t know.

Cons:

Not all 2FA methods are 100% phishing proof. At the time of writing, the only method of protection that has not yet been compromised is U2F, where you need a physical security key. Other 2FA methods offer an incomparably higher level of protection than a password alone; however, you need to be aware that SMS as a second factor has been compromised before.

Convenience. In cybersecurity there’s always a trade-off between making a solution safer and making it more convenient. U2F has not yet been compromised, but it requires a physical object that a person needs to have at hand when logging in. Losing a security key, contrary to popular belief, is not a problem: you can register a couple of keys, and if you lose one you use another. That said, it is still one extra object to carry with you all the time.
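Why a physical key resists phishing where an SMS or app code does not comes down to one check: the signature the key produces covers the origin the browser is actually connected to, and the real site rejects an assertion whose origin is not its own. The following is an added example, not code from the article or from Yubico, Google or any other vendor listed below; it simulates that check in Python with an HMAC under a per-origin derived key standing in for U2F’s per-credential ECDSA signature (an assumption made for illustration), next to an RFC 6238 TOTP code that carries no origin and is therefore accepted wherever it was typed. The origins bank.example and bank-login.example, the device seed and the shared secret are constructed values.

```python
import hashlib
import hmac
import json
import secrets
import struct


class SecurityKey:
    """Toy security key. Real U2F keys hold per-credential ECDSA key pairs; the HMAC
    under a per-origin derived key used here is a stand-in for that signature
    (assumption for this illustration only)."""

    def __init__(self, seed):
        self._seed = seed  # never leaves the device

    def _key_for(self, origin):
        # Credential scoped to the origin that asked for it, as U2F scopes keys to an app ID.
        return hmac.new(self._seed, origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        """Hand the relying party the verification key for this origin."""
        return self._key_for(origin)

    def sign(self, browser_origin, challenge):
        """The browser, not the user, supplies the origin it is really connected to."""
        client_data = json.dumps({"origin": browser_origin, "challenge": challenge},
                                 sort_keys=True).encode()
        signature = hmac.new(self._key_for(browser_origin), client_data,
                             hashlib.sha256).digest()
        return client_data, signature


class RelyingParty:
    """The real site: issues single-use challenges and checks origin before the signature."""

    def __init__(self, origin):
        self.origin = origin
        self.verify_key = None
        self.pending = set()

    def register(self, verify_key):
        self.verify_key = verify_key

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, signature):
        data = json.loads(client_data)
        if data["origin"] != self.origin:          # origin binding: the phishing-resistant check
            return False
        if data["challenge"] not in self.pending:  # fresh, single-use challenge only
            return False
        self.pending.discard(data["challenge"])
        expected = hmac.new(self.verify_key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def u2f_login(browser_origin, real_origin="bank.example"):
    """Challenge from the real site, answered by a key plugged into a browser on browser_origin."""
    rp = RelyingParty(real_origin)
    key = SecurityKey(b"constructed-device-seed")
    rp.register(key.register(real_origin))
    challenge = rp.new_challenge()  # a lookalike page could forward this unchanged
    client_data, sig = key.sign(browser_origin, challenge)
    return rp.verify(client_data, sig)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the time."""
    counter = struct.pack(">Q", int(unix_time // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_verify(secret, code, unix_time):
    """What the real site checks: secret and time window, nothing about where it was typed."""
    return hmac.compare_digest(totp(secret, unix_time), code)


def totp_relay_accepted(secret=b"constructed-shared-secret", unix_time=1_700_000_000):
    """A code typed into any page within the same 30 s window passes the real site's check."""
    code_typed_elsewhere = totp(secret, unix_time)
    return totp_verify(secret, code_typed_elsewhere, unix_time + 5)


if __name__ == "__main__":
    print("U2F on bank.example:", u2f_login("bank.example"))              # True
    print("U2F on bank-login.example:", u2f_login("bank-login.example"))  # False
    print("TOTP relayed within window:", totp_relay_accepted())           # True
```

The assertion from the lookalike origin fails at the origin comparison before any signature is even checked, and because the key derived a different credential for that origin the signature would not match either. The TOTP code, by contrast, validates on the real site for as long as the window lasts; this is the gap the article’s “SMS has been compromised before” remark refers to, and it applies equally to authenticator-app codes.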

What’s the best anti-phishing protection?

A mix of all above-mentioned elements.

You can have a trained team, but one employee that gets tricked can jeopardize the whole company.

You can have the most advanced filters, but more advanced attackers can always find a way around them.

A U2F security key would need to be physically stolen from your employee’s pocket to be used by a third party, but that is also a scenario you should consider.

Below this article, I will share some links to companies offering anti-phishing protection in each of the above-mentioned ways. It’s up to you to decide which approach is best for your organization at its current stage.

Once again, if you have any comments or would like to help make this article better, please let me know in the comments or add me on LinkedIn.

Good luck!

Phishing Awareness Training:
https://cofense.com/
https://www.barracuda.com/
https://www.ataata.com/

Phishing Filters:
https://www.kaspersky.com/internet-security
https://spamassassin.apache.org/
https://goldphish.com/

2FA /MFA Technology:
https://www.yubico.com/solutions/fido-u2f/
https://www.ftsafe.com/products/FIDO
https://cloud.google.com/titan-security-key/
https://secfense.com/