Every year, phishing attacks grow in scale and complexity and become extremely hard to detect
A 2020 Webroot Threat Report highlights that phishing URLs encountered grew by 640 percent in 2019. One in four malicious URLs were found hosted on an otherwise non-malicious domain. The companies or websites we trust are the ones commonly impersonated. These include Facebook, Microsoft, Google, Apple, PayPal and DropBox.
Given the techniques employed by hackers to evade detection, how can organizations better protect themselves? Based on our experience, here are five simple ways to avoid phishing attacks.
#1 Don't click before verifying link
Most phishing attacks are successful because the person who receives an email is enticed to click a link which leads him or her to a third party data harvesting site, or a link which installs malware on his computer or mobile phone. First hover over the link to check if the link is supposed to lead the user where they are supposed to go. Also check the URL in the browser before you enter any sensitive information. For example, in one recent phishing incident, an email was sent to alert users to check for the listed card transactions they had made. Users who clicked the ‘No’ button were directed to a fake, similar-looking website, where they were asked to enter their confidential details. Checking the URL in the browser is one way to see that it is a fake website.
#2 Keep your Internet browser updated
To protect yourself against phishing attacks, keep your browser completely updated. For example, a browser security loophole in Google Chrome last year allowed a fraudster to install programs, create new users and redirect users to a shady website. Google released an update to address this vulnerability. Organizations must ensure that they regularly keep their browsers updated by installing security patches released by the developers. Controls can be enforced through the enterprise secure web gateway that restricts unpatched or old versions of browsers from accessing the Internet.
#3 Use two factor authentication to add another layer of security
Using two factor or multifactor authentication (hardware token, SMS in mobile) can protect your account if your password is stolen or compromised. This adds one more layer of security, and considerably reduces the chances of getting hacked. This also helps the security administration team as attacks get fewer.
#4 Focus on employee education
While technology is important, equally critical is user awareness. Users must be shown real life examples of how phishing emails work, and why should they not click on unknown links. Enterprises must also put up posters in prominent locations so that users are always aware that they are a link away from getting their organization hacked. Organizations can also conduct regular drills or test emails to check if unsuspecting employees click on these test emails. All of this should be done with an aim to improve the culture of thinking about cybersecurity risks by employees in their professional and personal lives.
#5 Use the best anti-phishing software to prevent attacks
Anti-phishing software can be used to keep a watch and monitor websites that try to redirect users. Anti-phishing software can also be used to identify malicious links and ensure that malware is not downloaded in case an employee clicks on the link and a malware tries to download itself on the client (either a mobile device or computer). Anti-phishing software regularly checks reputation databases and ensure protection against zero day vulnerabilities. Firewalls must also be used as they are the first line of defense for any organization. While these would prevent employees from accessing phishing websites, organizations should also leverage threat intelligence service providers that can detect if their domains are being phished, and then take down the phishing sites.