7 tips for preventing phishing attacks
With more and more sensitive information being stored on the internet, phishing attacks are on the rise. According to ZDNet, three billion phishing emails are sent every day. Understanding the types of phishing emails and how to counter them is essential to avoid the financial and reputational harm that comes with a security breach.
What is phishing?
Have you ever received an email requesting sensitive information from you? Maybe it was an email about a package being delivered, and it asked you to provide your SSN before delivery? That is a phishing attempt: a social-engineering attack in which an individual or group tries to trick you into handing over credentials, personal data, or company information, or into running something that compromises your device.
Phishing generally begins with someone pretending to be a person or an organization you trust. Trading on that trust, they will try to get you to give out information, or to open a link or file that infects your device with malware.
Among the best-known early examples were the Nigerian advance-fee ("419") scams of the early 2000s. Someone would contact you posing as a friend, lover, or business partner to build a rapport. With that trust established, they would then attempt to obtain money or bank account details. One of the most famous groups of Nigerian scammers was called the "Yahoo Boys," after the Yahoo! email and messaging services they worked through.
Naturally, phishing has evolved past the Yahoo Boys, both in complexity and in targeting. Instead of spending weeks building a rapport, an attacker now sends an email posing as a company you already trust, asking you to click a link or reply with some information. And rather than targeting only individuals, phishers increasingly go after companies, either to reach sensitive data or to get a foothold for ransomware. Overall, phishing has become a far more multifaceted process, and the consequences for affected companies have grown with it.
What are the different types of phishing attacks?
Modern phishing attempts target companies, their customers, and the general population alike. Here is a look at some of the most common types:
- Impersonating your company. This is probably the most common type of phishing. Someone impersonates your brand using an email that looks similar to an official one. For instance, if your company uses addresses like Name@Company.com, a phisher might register a lookalike domain and send from Name@Company-support.com, or put your brand in the display name while the actual address belongs to a domain they control. If your domain does not publish SPF, DKIM, and DMARC records, they may even be able to forge your exact domain in the From header. These attacks are hard to catch because the messages never touch your mail servers: your security team will not know they happened unless a recipient reports one, or a member of your team falls for it.
- Phone phishing, or "vishing." This uses Voice over Internet Protocol (VoIP) calls, often with a spoofed caller ID, to impersonate a company or business. The phisher may also use personal details about the person they are targeting, and the name of someone in company leadership, to convince the target to volunteer sensitive information.
- "Spear" phishing. Have you ever had a sales rep include key details about you in their pitch? It is an attempt to show that they understand you and your needs. Spear phishing works the same way, except the phisher uses a fake identity and your real details to gain your confidence. They may gather that information from social media sites like Facebook, Instagram, or LinkedIn, or from a previous breach of your email or of a service you used.
- Email takeovers. Also called account takeover or business email compromise, this is where a phisher obtains an employee's sign-in credentials and takes over that mailbox. Because the mail now comes from a genuine internal address, it passes the checks that catch lookalike domains, and the attacker can use it to request sensitive information from customers, coworkers, or colleagues. For example, someone who gains access to your email might create a fake page asking for customer information, then email that page to your customers from your own account and collect their personal details that way.
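Because a takeover sends mail from a legitimate address, the signals live in the account's sign-in and mailbox audit trail rather than in the message itself. The following is an added example, not ConnectWise code: it runs three common takeover checks over a handful of constructed audit events (a sign-in from a second country shortly after the first, a new inbox rule that forwards mail outside the organization, and a bulk send). The JSON event schema, the trusted domain list, and the thresholds are assumptions for illustration; map your mail platform's audit export onto them.

```python
"""Flag signs of an email account takeover in sign-in and mailbox audit events.

Added example, not ConnectWise code. The event schema (one JSON object per
line with ts, user, action and action-specific fields) is assumed for
illustration, as are the thresholds below. The events are constructed.
"""
import json
from datetime import datetime, timedelta

TRUSTED_DOMAINS = {"company.com"}            # assumed: the client's own mail domain(s)
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)  # assumed: two countries inside this window is suspicious
BULK_SEND_THRESHOLD = 50                       # assumed: recipients per message that counts as a blast

# Constructed audit events for two users; alice is the compromised account.
EVENTS = """
{"ts": "2024-03-04T08:02:00Z", "user": "alice@company.com", "action": "signin", "country": "US", "ip": "203.0.113.10"}
{"ts": "2024-03-04T08:41:00Z", "user": "alice@company.com", "action": "signin", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-03-04T08:44:00Z", "user": "alice@company.com", "action": "new_inbox_rule", "ip": "198.51.100.7", "rule": {"forward_to": "archive-alice@mail-verify.net", "delete": true}}
{"ts": "2024-03-04T09:10:00Z", "user": "alice@company.com", "action": "send", "ip": "198.51.100.7", "recipients": 120}
{"ts": "2024-03-04T09:30:00Z", "user": "bob@company.com", "action": "signin", "country": "US", "ip": "203.0.113.22"}
{"ts": "2024-03-04T09:35:00Z", "user": "bob@company.com", "action": "new_inbox_rule", "ip": "203.0.113.22", "rule": {"forward_to": "bob.personal@company.com", "delete": false}}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines audit events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_takeovers(events: list) -> list:
    """Return (user, finding, detail) tuples for takeover-like activity."""
    findings = []
    last_signin = {}  # user -> (timestamp, country) of the most recent sign-in
    for event in events:
        user, action = event["user"], event["action"]
        if action == "signin":
            prev = last_signin.get(user)
            # Two countries within the window: the credentials are in two places at once.
            if prev and prev[1] != event["country"] and event["ts"] - prev[0] <= IMPOSSIBLE_TRAVEL_WINDOW:
                findings.append((user, "impossible_travel", f"{prev[1]}->{event['country']}"))
            last_signin[user] = (event["ts"], event["country"])
        elif action == "new_inbox_rule":
            rule = event["rule"]
            dest = rule.get("forward_to", "")
            domain = dest.rpartition("@")[2].lower()
            # Forwarding to an outside address is how attackers keep a copy of
            # the mailbox; deleting the originals hides their own sent traffic.
            if domain and domain not in TRUSTED_DOMAINS:
                detail = dest + (" (deletes originals)" if rule.get("delete") else "")
                findings.append((user, "external_forwarding_rule", detail))
        elif action == "send" and event.get("recipients", 0) >= BULK_SEND_THRESHOLD:
            # A stolen mailbox is often used to phish the victim's whole contact list.
            findings.append((user, "bulk_send", str(event["recipients"])))
    return findings


def users_to_review(findings: list) -> list:
    """Users ordered by number of findings, most suspicious first."""
    counts = {}
    for user, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return sorted(counts, key=lambda u: -counts[u])


if __name__ == "__main__":
    for finding in detect_takeovers(parse_events(EVENTS)):
        print(finding)
```

The three checks are deliberately independent so that a single hit is a lead rather than a verdict; in practice you would raise the priority when the same user trips more than one within a short window, as alice does here.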
How do I spot a phishing attack?
Even though phishing attacks are becoming more sophisticated, there are still signs you can teach client teams to look for. Here are some things to check when deciding whether a message is a phishing attempt:
- Urgency. Does the email read as though you must act right away? That is a red flag. Legitimate businesses and government agencies rarely pressure you into a rush, so a short deadline, a threat of suspension, or an intimidating tone suggests a phishing attempt.
- Look for inconsistencies. Many phishing emails mimic the company or agency they are impersonating, but not perfectly. Compare the sender's actual address (not just the display name), the links the message points to, and the overall layout with how a genuine email from that company looks.
- Check for spelling. Phishing emails are often written without an editor to catch spelling, grammar, or syntax errors, and repeated mistakes remain a common giveaway. Do not rely on this alone, though: well-resourced or targeted campaigns are frequently written flawlessly.
- Are the graphics off? Do they look low-resolution? Some criminals grab a logo from the site they are trying to mimic but do not have the official image files, so the image quality is generally lower than in an official email.
- Does the email address you as "Dear Customer"? Addressing clients or prospects by name is basic email etiquette, and even bulk mailings use tools that personalize each message. A mass phisher may not bother and will default to a generic greeting. The reverse is not a guarantee of safety: spear phishers use your real name precisely to look legitimate.
- Reach out to the company. Sometimes nothing about the message itself looks wrong, but the request for information seems like a red flag. If so, contact the company through a phone number or email address you already know and trust, never through the contact details given in the message itself. That way you can act with confidence.
- Use filters. Most email services and clients can filter likely spam and phishing into a separate folder, and some will warn you outright about a given message. You can delete it and move on with your day.
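Several of the checks above, and the lookalike-domain problem described under "Impersonating your company," can be automated at the mail gateway or in a triage script. The following is an added example, not ConnectWise code or any product's filter: it parses a raw email with Python's standard `email` module and flags a lookalike sender domain, a brand name in the display name that does not match the address, a Reply-To pointing elsewhere, missing or failed SPF/DKIM/DMARC results in the Authentication-Results header, urgency language, a generic greeting, and links to lookalike hosts. The trusted domain list, the keyword lists, and both sample messages are constructed assumptions for illustration.

```python
"""Score a raw email against the phishing signals discussed above.

Added example, not ConnectWise code. TRUSTED_DOMAINS, the keyword patterns
and the two sample messages are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"company.com"}  # assumed: the brand whose customers we protect

URGENCY = re.compile(r"\b(immediately|within 24 hours|urgent|account will be suspended|act now)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|member|client)\b", re.I | re.M)
LINK_HOST = re.compile(r"https?://([^\s/]+)", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalikes (c0mpany.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, trusted: set) -> "str | None":
    """Return the trusted domain this one imitates, or None if it is ours or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if domain.endswith("." + t):      # genuine subdomain, e.g. billing.company.com
            return None
        base = t.split(".")[0]
        # company-support.com embeds the brand; c0mpany.com is one edit away.
        if base in domain or levenshtein(domain, t) <= 2:
            return t
    return None


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def body_text(msg) -> str:
    """Plain-text body, concatenating text/plain parts of a multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for p in parts:
        if p.get_content_type() == "text/plain":
            chunks.append(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: bytes) -> dict:
    """Return the sender address, the list of flags raised and a simple score."""
    msg = email.message_from_bytes(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    imitated = lookalike(from_domain, TRUSTED_DOMAINS)
    if imitated:
        flags.append(f"lookalike_sender:{from_domain}->{imitated}")
    # Brand in the display name, but the address is not one of ours.
    if from_domain not in TRUSTED_DOMAINS and any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        flags.append("display_name_spoof")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply_to_mismatch:{reply_domain}")

    results = auth_results(msg)
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            flags.append(f"{check}:{results.get(check, 'missing')}")

    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if URGENCY.search(text):
        flags.append("urgency_language")
    if GENERIC_GREETING.search(text):
        flags.append("generic_greeting")
    for host in LINK_HOST.findall(text):
        bad = lookalike(host, TRUSTED_DOMAINS)
        if bad:
            flags.append(f"link_lookalike:{host.lower()}->{bad}")

    return {"from": addr, "flags": flags, "score": len(flags)}


# Constructed sample: a brand-impersonation phish sent from a lookalike domain.
PHISH_SAMPLE = b"""From: "Company Support" <billing@company-support.com>
Reply-To: recover@mail-verify.net
To: jane@example.net
Subject: URGENT: verify your account within 24 hours
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=company-support.com; dkim=none; dmarc=fail header.from=company-support.com
Content-Type: text/plain; charset=utf-8

Dear Customer,

Your account will be suspended unless you confirm your details now:
https://company-support.com/verify
"""

# Constructed sample: a genuine message from the real domain that passes every check.
LEGIT_SAMPLE = b"""From: "Company Billing" <billing@company.com>
To: jane@example.net
Subject: Your March invoice is ready
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=company.com; dkim=pass header.d=company.com; dmarc=pass header.from=company.com
Content-Type: text/plain; charset=utf-8

Hi Jane,

Your invoice for March is attached. Pay by the 30th as usual.
https://billing.company.com/invoices/1234
"""

if __name__ == "__main__":
    print(triage(PHISH_SAMPLE))
    print(triage(LEGIT_SAMPLE))
```

The score is a count of independent signals, which is all a first-pass filter needs: a message that trips the authentication checks and a lookalike domain is worth quarantining regardless of its wording, while a single stylistic hit on an authenticated message from your own domain is not. Note that Authentication-Results is only trustworthy when added by your own gateway; strip any copy that arrives from outside before relying on it.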
The most important thing to do once you have identified a phishing attempt is to leave it alone: don't reply, don't click any links or open attachments, report it to your security team or MSP, and then delete it. If you did enter a password, don't panic, but act quickly: reset it from a device you trust, change it anywhere else you reused it, sign out of any active sessions for that account, turn on multi-factor authentication if it is not already enabled, and tell your security team so they can watch the account for misuse.
Preventing phishing attacks as an MSP
As an MSP, preventing phishing attempts for your partners involves a lot more than just checking emails. You have to employ a multi-faceted approach that covers all bases. Like other cyberthreats, phishing is constantly evolving, and your team needs to both adapt to proactively address those threats, while also having mitigation plans when a phishing incident does happen. Here are seven common practices you can implement for preventing phishing.
1: Watching the security landscape
A key part of supporting your clients with the best advice is keeping yourself and your company updated on security threats. Find trustworthy industry publications and regularly follow them for updates on phishing trends and new methods of how to prevent phishing attacks. For more support, check out industry communities like IT Nation that pull together thought leaders, experts, and peers. Through events like IT Nation Secure and in-depth training sessions, you can educate yourself on how to tackle phishing and other security risks. Staying educated and providing that insight to your clients is a key part of an MSP’s duties.
2: Keeping client software upgraded
This is a simple yet essential step. Patching does not stop phishing emails from arriving, but it closes the vulnerabilities that a malicious link or attachment relies on once someone clicks, so a successful lure does less damage. Companies regularly release updates that include bug fixes and security patches, but your clients may not apply them right away, so it is important for MSPs to step in and make sure this happens. Proper patch management also matters for the email client itself, since those updates can bring better phishing filters and security features.
3: Encouraging clients to reduce team access to sensitive information
"Loose lips sink ships" is a World War II-era slogan designed to stop the spread of sensitive information, and it still applies today. As client teams grow and you become more confident in individual team members, there is a temptation to grant them higher tiers of access and more sensitive knowledge. But the more a person can reach, the more a single successful phish against that person exposes, whether through an accidental disclosure or through credentials handed to an attacker. IBM has reported that 95% of security incidents involve human error.
Make sure your clients limit who has access to sensitive information and systems. If the information is not needed for someone's job function, they do not need access to it; that way, when a phishing attempt does succeed, the attacker inherits only what that one role could reach.
4: Conduct regular cybersecurity audits and testing for clients
When a phishing attack succeeds, how much damage the attacker can do depends on the client's existing cybersecurity procedures and controls. The only way to confirm those controls hold up is through regular audits and system tests. One method is penetration testing, or pen testing: an authorized tester uses the same techniques a real attacker would to find out how easily the client's systems can be breached, and how far an attacker could get from a single phished account or workstation. Pen testing is valuable for uncovering exploitable weaknesses before an attacker does and for measuring how much a phishing success would actually cost.
5: Train client teams to identify phishing
Along with MSP-side security measures, it is also important to educate client teams on what phishing looks like and how to handle it should they be targeted. One way to do this is to run simulated phishing campaigns: send realistic but harmless phishing emails to team members and track who clicks, who enters credentials, and, just as importantly, who reports the message.
If anyone takes the bait, let them know privately and retrain them on the security policy and on what to do the next time a suspicious email arrives. Treat the exercise as training rather than punishment; the goal is a team that reports phishing quickly, and the reporting rate is a better measure of progress than the click rate alone.
6: Create a security policy and program for your clients
On that topic, if your clients do not have a policy in place, work with them to create one now. A written policy tells both your team and the client team what to do if they spot something suspicious, and whom to contact when something does happen.
The policy should include information on:
- Acceptable work device use
- Email protection
- Incident response
- Cell phone use
- Network security
- Password protocols, the approved password manager, and where multi-factor authentication is required
- Security training materials for them to refresh themselves on best practices
7: Maintaining consistent monitoring
You might think everything is fine once everyone is trained, tested, and informed of the current policies. But phishing prevention, and cybersecurity in general, is not a "set it and forget it" situation, because the threats keep evolving. Keep monitoring in place continuously, both to track new threats and to tell client teams when their policies need to be upgraded or changed. What is best practice now may not be in a year's time.
Cybersecurity management software from ConnectWise
ConnectWise knows that security threats are always changing. Cybercriminals are constantly trying established tactics like phishing as well as new ones to gain access to networks and systems. Don’t get caught off-guard. If you’re looking for cybersecurity management software, contact us today to see how we can keep your company safe and secure.