Identifying and Stopping Phishing Attempts: 5 Tactics

Phishing is a common tactic for cybercriminals to gain access to your organization’s sensitive data. Furthermore, a study by Deloitte reveals that phishing attacks represent 38% of all incidents involving cybercrime. With the increasing dependence on technology, cyberattacks have also become more sophisticated, making it challenging to detect and stop phishing attempts. As a CIO or CISO, it’s crucial to ensure that employees are aware of the risks of phishing and know how to identify and respond to these threats. Data from Cybersecurity Ventures predicts that cybercrime, including phishing, will cost the world $6 trillion annually by 2021. In this post, we’ll go over five ways to identify and stop phishing attempts in your organization.

1. Educate Your Workforce

One of the most crucial steps in preventing phishing attacks is to educate your employees. According to a report by Proofpoint, 83% of global respondents experienced phishing attacks in 2018. Cybercriminals often target employees with phishing scams, and employee negligence is the top cause of data breaches. A study by Verizon found that 30% of phishing messages get opened by targeted users. Therefore, it’s crucial to train your employees and make them aware of phishing tactics and how to recognize them. Educate your employees on how to identify suspicious emails, including typos, grammatical errors, and unfamiliar sender addresses. Training should also include the proper response in case of a phishing attempt, such as reporting to the IT department or deleting the email.

2. Foster a Security Culture

Creating a culture of security within your organization is essential in promoting security awareness and preventing phishing attacks. Encourage employees to report suspicious events, share security tips, and seek assistance when needed. Emphasize the importance of maintaining a culture of security, and make it an ongoing, high-priority effort. According to a survey by Ernst & Young, 87% of organizations identified a lack of security culture as their primary obstacle to cybersecurity effectiveness. Similarly, Cisco’s 2020 benchmark study found that organizations with a strong security culture have lower breach costs – a median of $62,000 compared to the median of $330,000 in organizations with a poor security culture. Furthermore, a study from Gartner suggests that a strong security culture helps organizations adapt to the evolving threat landscape, reducing the likelihood of successful cyber attacks by up to 50%. Finally, a study by the SANS Institute suggests that organizations with a strong security culture have reported up to a 70% decrease in phishing susceptibility.

The results of these studies underscore the importance of fostering a security culture within your organization in order to reduce the risk of cyber threats like phishing.

3. Conduct Regular Testing

Regular penetration testing and security assessments are essential to identifying vulnerabilities in your systems. The 2020 CREST Penetration Testing report highlights how mock phishing attacks, in which employees receive email messages that mimic a real phishing attempt, can uncover weaknesses in an organization’s security protocols and provide opportunities for improvement. These tests enable you to identify areas of weakness and take proactive measures to prevent future attacks.

This testing has a direct impact on cost. A study by the Ponemon Institute shows that organizations employing regular security testing identified breaches 27% faster, with a 38% lower cost of response. Similarly, the 2021 Data Breach Investigations Report from Verizon found that organizations that conducted regular testing and employed an incident response team reduced the cost of a data breach by as much as $14 per worker per year.

4. Use Security Tools

Your organization should leverage advanced security tools to detect and prevent phishing attacks. Anti-phishing software is an essential line of defense against phishing scams: these tools can help identify and block fraudulent emails, websites, and other malicious content. The Sophos State of Endpoint Security Today report offers a detailed examination of how anti-phishing tools can help businesses detect and block fraudulent emails and malicious content. It’s also important to ensure that the software and systems your organization uses are up-to-date with security patches and the latest updates; according to McAfee, keeping your software updated can prevent up to 85% of targeted attacks. Deploying up-to-date security tools and keeping software patched is a significant step in minimizing the likelihood and impact of phishing attacks.

5. Enable Multi-Factor Authentication

Several cybersecurity reports underscore the importance of multi-factor authentication (MFA) as a critical element in protecting an organization’s data, including the Microsoft Security Intelligence Report and a report by LoginRadius, both of which indicate that 99.9% of cyberattacks can be prevented by implementing MFA. Moreover, a Google study found that on-device prompts, a form of two-step verification, helped to prevent 96% of bulk phishing attacks and 76% of targeted attacks.

Having a robust authentication mechanism is essential in protecting your organization’s data. MFA can mitigate the risk of attacks by adding an extra layer of security. A strong password combined with factors such as biometric authentication or two-step verification can make it difficult for attackers to infiltrate your systems.

In Summary

Phishing attacks are a real threat to organizations of all sizes, and the impact of a successful attack can be devastating. As a CIO or CISO, it’s your responsibility to ensure that your organization has the necessary measures in place to prevent and mitigate these attacks. By educating your workforce, fostering a culture of security, conducting regular testing, using security tools, and enabling multi-factor authentication, you can reduce the risk of a successful phishing attack and protect your organization’s sensitive data. For deeper insights into the severity of phishing attacks and the necessity of the measures outlined above, you might want to consult the following resources:

If you are looking for a partner that can assist you in managing the security of your workforce, Montra can help. With our software and processes, we can help you keep your business safe from phishing and other security threats. Contact us today to get started: info@montra.io or +1-404-665-9675.

Phishing in the Workplace: 3 Attacks and 3 Ways to Protect Yourself

About the time most people learn how to spell phishing, they realize that it is an email-based social engineering tactic to get access to a user’s account or financial information. It probably won’t come as a surprise that phishing is now fairly common on LinkedIn and in text messages as well.

No matter whether it is email, LinkedIn, or text, the tactics the scammers use are consistent. Here are three of the most common tactics being used by scammers today: 

1. Fake Messages from the “Boss” 

This is a particularly insidious and effective tactic. A message is sent to the user via email, text, or LinkedIn, purportedly from the CEO, CFO, or another high-ranking employee at the company, with an urgent request to get in touch. The scammer typically uses targeted language that applies to the business to make the attack more convincing. Because of its targeted nature, this is typically called a spear-phishing attack.

2. Fake Tech Support Messages  

Some phishers mimic the IT support staff rather than an executive to get people to engage. The goal of this type of attack is to get the target to give up their credentials for important company accounts. The attacks usually start with something like “Important Alert: Your Account Has Been Hacked”. The user is then instructed to click on a link to reset their password and/or give up other important information. The links always go to fake sites whose addresses do not match the company name or the name of the software that has supposedly been hacked.

3. Fake Contact Requests 

This is used most often on social platforms like LinkedIn, but it is seen on email and text also. When a fake LinkedIn request comes via email, the link embedded in the email will go to a nefarious site that can load malware or ask for login information. We are often excited to receive a request that might lead to new business, so these attacks are particularly effective on sales and finance staff. 

These are just a few examples, and it is important to know that the types of phishing attacks and the format by which employees are targeted in the workplace continue to expand. Regardless, there are some basic tactics that apply across email, text or LinkedIn. Here are three ways to keep yourself from getting “social engineered” by one of these attacks:

1. Look at the Sender Information 

Whether in email, text, or LinkedIn, the sender’s information will look wrong. Most sender information will show the right name paired with the wrong email address, like:

Boss Lady <badactor234@gmail.com> 

In the case of LinkedIn, you need to look at their profile picture, name, and work history. The picture will typically be pulled from publicly available photos and the work history will be very limited. 
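The name-versus-address mismatch above is easy to check mechanically, and a mail gateway or a helpdesk triage script can apply the same test to every inbound `From:` header. The following Python is an added example written for this post, not Montra’s code or a tool the post describes; the company domain `example.com`, the protected display names, the sample headers, and the function names `sender_red_flags` and `scan_headers` are all constructed placeholders. Beyond the post’s own case (an executive’s name on a free-mail address), it also flags a display name that is itself an address and a domain that borrows the company’s name.

```python
"""Sender-header checks for the display-name / address mismatch described above.

Constructed example: COMPANY_DOMAIN, PROTECTED_NAMES and the sample headers
are invented placeholders, not data from the post.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"               # assumption: the organisation's real mail domain
PROTECTED_NAMES = {"boss lady", "jane doe"}   # assumption: names attackers like to borrow


def _normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Boss  LADY' matches 'boss lady'."""
    return " ".join(name.lower().split())


def _is_company_domain(domain: str) -> bool:
    """True for the company domain itself or any subdomain of it."""
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def sender_red_flags(from_header: str) -> list[str]:
    """Return the red-flag codes raised by one From: header; [] means none."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        # Nothing usable to check; report it rather than silently passing.
        return ["unparseable-address"]
    domain = addr.rsplit("@", 1)[1].lower()
    flags = []

    # The post's own example: the boss's real name on a free-mail address.
    if _normalize(name) in PROTECTED_NAMES and not _is_company_domain(domain):
        flags.append("protected-name-external-domain")

    # A display name that is itself an address, so the mail client shows a
    # plausible mailbox while the real sender is somewhere else.
    if "@" in name:
        shown_domain = name.rsplit("@", 1)[1].lower()
        if shown_domain != domain:
            flags.append("display-name-address-mismatch")

    # A domain that borrows the company's name without being the company's
    # domain (example-secure.net, example.com.evil.test, ...).
    label = COMPANY_DOMAIN.split(".")[0]
    if not _is_company_domain(domain) and label in domain:
        flags.append("lookalike-domain")

    return flags


def scan_headers(headers: list[str]) -> dict[str, list[str]]:
    """Run the checks over many From: headers; only flagged ones are returned."""
    return {h: f for h in headers if (f := sender_red_flags(h))}


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    samples = [
        "Boss Lady <badactor234@gmail.com>",
        "Boss Lady <boss.lady@example.com>",
        '"it-support@example.com" <helpdesk@evil.test>',
        "IT Support <helpdesk@example-secure.net>",
    ]
    for header, flags in scan_headers(samples).items():
        print(f"{header}: {', '.join(flags)}")
```

The checks are deliberately conservative: an address on the real company domain raises nothing, and the lookalike test only fires when the domain is outside the company and still contains the company’s name, so a flagged header is worth a human look rather than an automatic block.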

2. Look for Poor Grammar and Terminology 

While the sophistication of attacks continues to improve, it is difficult to completely mimic a message from a boss, customer, or colleague. If the fake sender is using the term “customer” when you know the real sender always says “client”, you should be concerned. 

“Hey, send me your phone number. I have some important work for you” 

Also, if they send an email to ask for your phone number, consider whether that fits with how they would really interact with you. If they ask for your phone number and then text you rather than call you, it is 100% a scam.

3. Reach out Separately or Just Don’t Respond

In most workplace phishing attacks, you have alternate ways to communicate with the supposed sender. If you are concerned, reach out to them by a different method – phone call or Slack – and see if it is really them. If you do not have another way to verify the information, and you are not certain it is legitimate, then ‘do nothing’ is not a bad option.

“John, I just received a strange email message that is supposedly from you. Did you just send me something?” 

If the scammer is impersonating the boss or a customer to create a false sense of urgency, this separate check is difficult for them to defeat. Just remember, though, if it is really an emergency – even in today’s world – they will call you. If it is a social network connection request, just log in to the service separately and view the request there rather than clicking the email link.

There is a lot more your company can do to help including using email filters and text blockers on company accounts and providing cybersecurity training on an annual basis. In fact, for many companies, these actions are required for them to follow industry cybersecurity regulations. If you aren’t certain what tools are available to you, reach out to your company’s IT staff or service provider. They will be happy to help you stay safe!  

PSAP Cyber Risks to 911

CISA Report on Cyber Risks to 911: TDoS

A telephony denial of service (TDoS) attack is a specific type of DDoS attack directed at a telephone system to bring the targeted system down. These attacks can affect anyone, including our 911 infrastructure, and are sometimes accompanied by ransom demands.

As such, TDoS attacks present a unique risk to public safety communications stakeholders, including Emergency Communications Centers (ECCs), Public Safety Answering Points (PSAPs), and other 911 centers.

In response, the Cybersecurity and Infrastructure Security Agency (CISA) developed the Cyber Risks to 911: Telephony Denial of Service fact sheet to educate the public safety community on TDoS threats. 

Specifically, the fact sheet reviews:

  • The most common TDoS attack vectors
  • Real-world TDoS incidents and impacts
  • Best practices to mitigate TDoS vulnerabilities

One key takeaway is that ECCs/PSAPs should consider a managed service provider to address two of these mitigations:

  • Implement the National Institute of Standards and Technology Cybersecurity Framework to improve cybersecurity posture
  • Conduct cybersecurity assessments, identify capability gaps and vulnerabilities, and determine appropriate cybersecurity standards

Take Action to Prevent Attacks: Download CISA’s TDoS fact sheet to see the seven steps to prevent cyber attacks.