GT
Most companies are aware of the persistent problem of phishing attacks – attempts by bad actors to secure sensitive information by impersonating a trusted source. While estimates of their impact vary, phishing attacks are responsible for a large percentage of business security breaches. These days, any company with digital data should be aware of sophisticated phishing tools and tactics.
While there are some technology-focused steps companies can take to enhance their security, phishing attacks are largely based on psychological factors – meaning that human error and ignorance will always be the weakest link. Therefore, to build a strong defense against phishing, it is essential that leaders combine technical strategies with educating team members on how to detect and report phishing attacks. Below, 13 members of Forbes Technology Council Share effective steps companies can take to reduce the risk of a successful phishing attack.
1. Focus on the basics
It’s about nailing the basics and getting the right electronic and tech hygiene efforts together as one in the same strategy. Phishing attacks happen because people think they are too busy or won’t be affected. Lack of awareness – not focusing on content and looking for clues that are early warning signs – will result in phishing attacks winning every time. – Erica VossAnd the Capital One Program
2. Ensure that development teams do not bypass security protocols
Protect debug modes and staging environments with additional secure VPN access and layered password management. Often, development teams bypass security protocols to facilitate testing and deployment. Skipping these additional steps makes it easier for third parties to access the raw information needed to create a phishing website. – Sam MehrbodAnd the rompho
Forbes Technology Council It is an invite-only community of world-class CIOs, CIOs, and CTOs. Am I eligible?
3. Be aware of BEC attacks
Business email hacking is one of the main and effective factors of the attack. In a BEC attack, the employee receives a scam message that appears to come from a senior executive requesting urgent help—usually a money transfer or money transfer—and circumvents normal controls and procedures. The attacks are not overly technical, relying instead on psychological manipulation, but they can be devastating. – Shaun SteeleAnd the Information lock
4. Preparation of exercises and periodic exercises
It’s hard to pick just one attack vector of concern. Email phishing, SMS phishing (text attacks), CEO impersonation and phone calls are all methods widely used by threat actors. Regular training is key (there shouldn’t be a “work done” mentality here), as are regular company-wide security drills and test hacking campaigns. The more employees who see what the attacks look like, the more prepared they will be. – Shelly KramerAnd the future research
5. Educate employees about links sent through various media
Cybercriminals continue to develop their techniques to defraud employees, with the majority of attacks today being of many forms. If a company allows employees to access personal emails, social media platforms, and other collaboration tools (such as Slack and Teams), leaders must teach their employees to be wary of clicking links that come from unknown senders via these platforms. – Sriram TarikerAnd the Alvarez and Marsal LLC
6. Be wary of ‘urgent’ orders
Teach employees to be careful about messages that display a sudden, unexpected sense of urgency – eg, “The CFO needs this data now!” or “<اسم المدير> Needs to get to this immediately for an important meeting.” Creating this sense of urgency increases pressure to act quickly and helps prevent that moment of thought when an attack can be spotted. Jeff WebbAnd the Solution
7. See ‘difficulty logging in’ customer emails
A phishing attack takes the form of a message that comes from a real customer’s email and asks someone to “process” the request because they can’t log into the system to send the request through the normal channels. This has become a common attempt by bad actors to circumvent device-based two-factor authentication. – Libel SternbachAnd the Fusion Capital Management
8. Be suspicious of ‘password expired’ emails
Email password expiration notification is becoming increasingly common. If people aren’t paying attention, they may not notice that the Microsoft or Outlook logo is skewed or that its color doesn’t look perfect. They may then click on the link and try to change the password, thus giving the scammer their current password. – Bobby PatnaikAnd the Lafayette Square Holdings LLC
9. Training team members not to reuse passwords
The most deadly phishing attacks come from the email accounts of real employees whose credentials have been obtained by the threat actors on the dark web. These messages are indistinguishable from a real employee email, which makes it very easy to be fooled. The key to ensuring that employees’ credentials do not reach the dark web is to train them not to use the same credentials on public websites (such as online stores), where they are regularly hacked. – Patrick OstegiAnd the Accedian
10. Multi-factor authentication authorization
Phishing scammers want to pull sensitive information like passwords and bank data from your business. One way to avoid this is to require your team to use multi-factor authentication to access company websites or software. Even if someone manages to steal a password from a teammate, they can’t do much harm without the secondary login device, which is usually a smartphone. – Thomas GriffinAnd the OptinMonster
11. Adoption of zero-confidence criteria
The common element between phishing (email), SMS and phishing (voice) attacks is that they are of endless types and are constantly changing. Target victims must adopt a mindset of mistrust and constantly validate every element in every interaction. The no-trust approach to security is simple: no other party can be trusted until it has been verified. – John JenAnd the Code
12. Be careful with ‘delivery issues’ emails
Phishing attacks “delivery issues” are becoming more and more common these days with the added boom in online shopping during the pandemic. So, unless the email or text lists an item that you remember ordering, avoid clicking any links. Instead, go to the merchant’s website and search for your order right there. – Vikram JoshiAnd the to throb
13. Understanding the new risks remote work brings
With hybrid work now the norm, a flexible, borderless workforce faces sophisticated and sophisticated attackers who take advantage of the fact that company employees don’t know each other as well as they used to. Employees should be wary of urgent, context-required “work-like” emails, as they may come from a domain that resembles their company and from a senior member of the company they may not know. – Carlos MoralesAnd the Newstar Security Services
