Every year, phishing attacks grow in scale and complexity and are becoming extremely hard to detect. A 2020 Webroot Threat Report highlights that phishing URLs encountered grew by 640 percent in 2019. One in four malicious URLs were found hosted on an otherwise non-malicious domain. The companies or websites we trust are the ones commonly impersonated. These include Facebook, Microsoft, Google, Apple, PayPal and DropBox.
Given the techniques employed by hackers to evade detection, how can enterprises better protect themselves? Based on our experience, we list five simple ways to avoid phishing attacks.
- Don’t click before verifying the link
Most phishing attacks succeed because the recipient of an email is enticed to click a link that leads to a third-party data-harvesting site, or that installs malware on their computer or mobile phone. Hover over the link to check that it actually points where it claims to, and check the URL in the browser’s address bar before entering any sensitive information. For example, in one recent phishing incident, an email alerted users to check the card transactions listed in it. Users who clicked the ‘No’ button were directed to a fake, similar-looking website, where they were asked to enter their confidential details. A customer who checks the URL in the browser will see that it is a fake website.
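The two checks described above (does the link go where its text says, and is the real domain the trusted one) can be automated at the mail gateway. The following is an added example written for this page, not code from the author or from NTT-Netmagic; the email body, the `example-bank.com` trusted domain and the `.test` hostnames are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(value):
    """Lower-case hostname of a URL (scheme optional); None if there is none."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: production code should
    consult the Public Suffix List so that names like example.co.uk work."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """Anchor text that a reader would take for a web address."""
    return "." in text and " " not in text and not text.startswith(".")


def suspicious_links(html, trusted_domains):
    """Return (href, reason) for each link a careful reader would distrust."""
    findings = []
    for href, text in extract_links(html):
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel: etc. are out of scope here
        target = host_of(href)
        if target is None:
            continue
        target_domain = registrable_domain(target)
        # Check 1: the visible text names one site, the href goes to another.
        if looks_like_url(text):
            shown = host_of(text)
            if shown and registrable_domain(shown) != target_domain:
                findings.append((href, f"text shows {shown} but link goes to {target}"))
                continue
        # Check 2: a trusted brand appears somewhere in the hostname, but the
        # domain that actually answers the request is not the trusted one.
        if target_domain not in trusted_domains:
            for trusted in trusted_domains:
                brand = trusted.split(".")[0]
                if brand in target:
                    findings.append((href, f"'{brand}' in hostname but real domain is {target_domain}"))
                    break
    return findings


# Constructed sample: a card-transaction alert in the style described above.
TRUSTED_DOMAINS = {"example-bank.com"}
SAMPLE_EMAIL = """
<p>We noticed a card transaction of $499. Did you make it?</p>
<a href="https://www.example-bank.com/transactions">Yes</a>
<a href="http://example-bank.com.account-verify.test/login">No</a>
<a href="https://secure-login.test/x">https://www.example-bank.com/help</a>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"SUSPICIOUS {href}: {reason}")
```

Only the ‘No’ button and the third link are reported: the first is a genuine `example-bank.com` address, the second merely contains the brand name in front of an unrelated domain, and the third shows the bank's address as text while pointing elsewhere.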
- Keep your Internet browser updated
To protect yourself against phishing attacks, keep your browser fully updated. For example, a security loophole in Google Chrome last year allowed a fraudster to install programs, create new users and redirect users to a shady website; Google released an update to address the vulnerability. Enterprises must therefore ensure that browsers are updated regularly by installing the security patches released by the developers. This can be enforced through the enterprise secure web gateway, configured to block unpatched or outdated browser versions from accessing the Internet.
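A minimal form of the gateway control mentioned above is a policy on the browser version reported in the `User-Agent` header. This is an added example written for this page, not the author's or any vendor's gateway code; the `MINIMUM_MAJOR` thresholds and the sample header strings are constructed for illustration.

```python
import re

# Constructed policy values: lowest acceptable major version per browser family.
# A real gateway would refresh these from vendor release data.
MINIMUM_MAJOR = {"Edge": 120, "Chrome": 120, "Firefox": 115}

# Order matters: a Chromium-based Edge header also contains "Chrome/...",
# so the Edge token must be tested first.
_FAMILY_TOKENS = (("Edge", "Edg"), ("Chrome", "Chrome"), ("Firefox", "Firefox"))


def identify_browser(user_agent):
    """Return (family, major_version) from a User-Agent string, or (None, None)."""
    for family, token in _FAMILY_TOKENS:
        match = re.search(rf"\b{token}/(\d+)", user_agent)
        if match:
            return family, int(match.group(1))
    return None, None


def gateway_decision(user_agent):
    """'allow' when the browser meets policy, 'block' when outdated or unknown."""
    family, major = identify_browser(user_agent)
    if family is None:
        return "block", "unrecognised browser"
    minimum = MINIMUM_MAJOR[family]
    if major < minimum:
        return "block", f"{family} {major} is below the minimum {minimum}"
    return "allow", f"{family} {major} meets policy"


# Constructed sample headers.
UA_CHROME_CURRENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/122.0.6261.94 Safari/537.36")
UA_CHROME_OLD = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36")
UA_EDGE_CURRENT = UA_CHROME_CURRENT.replace("Chrome/122.0.6261.94", "Chrome/122.0.0.0") + " Edg/122.0.2365.66"
UA_FIREFOX_OLD = "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"

if __name__ == "__main__":
    for ua in (UA_CHROME_CURRENT, UA_CHROME_OLD, UA_EDGE_CURRENT, UA_FIREFOX_OLD):
        print(gateway_decision(ua))
```

The header is self-reported and trivially spoofed, so this check catches users who have simply not restarted their browser; it complements, rather than replaces, the endpoint management tooling that actually installs the patches.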
- Use two-factor authentication to add another layer of security
Two-factor or multi-factor authentication (a hardware token, or an SMS code sent to a mobile phone) can protect your account even if your password is stolen or compromised. It adds one more layer of security and considerably reduces the chances of being hacked. It also helps the security administration team, as successful attacks become fewer.
- Focus on employee education
While technology is important, user awareness is equally critical. Users must be shown real-life examples of how phishing emails work and why they should not click unknown links. Enterprises must also put up posters in prominent locations so that users remain aware that they are one link away from getting their organization hacked. Enterprises can also conduct regular drills or send test emails to check whether unsuspecting employees click on them. All of this should aim to build a culture in which employees think about cybersecurity risks in both their professional and personal lives.
- Use the best anti-phishing software to prevent attacks
Anti-phishing software can be used to watch for and monitor websites that try to redirect users. It can also identify malicious links and ensure that malware is not downloaded if an employee clicks a link and malware tries to install itself on the client (mobile or computer). Anti-phishing software regularly checks reputation databases and ensures protection against zero-day vulnerabilities. Firewalls must also be used, as they are the first line of defense for any enterprise. While these controls prevent employees from reaching phishing websites, organizations should also leverage threat intelligence service providers that can detect when their domains are being phished and take down the phishing sites.
By Rishikesh Kamat, Vice President – Products & Services, NTT-Netmagic