Despite being around since the early 2000s, phishing attacks still continue today. Unfortunately, they do not receive the attention of other high-profile attacks such as WannaCry or Petya. If you are not familiar with the term, phishing (a play on the word “fishing”) is a specially crafted email meant to lure a user into revealing sensitive information such as passwords, credit card numbers, account numbers, or Social Security numbers. The email typically looks like an official communication from a legitimate site such as Bank of America, Amazon, PayPal, UPS, etc.
Right now, it is estimated that 7% of all spam email carries some form of malware, and much of that is still phishing.
What can you do to eliminate the phishing threat?
- Get rid of spam
If you eliminate spam, you will likely reduce most of your phishing and malware problems. More than 75% of the email messages sent today are considered spam.
The best method is to stop spam before it ever reaches your email server and end users. You will be lowering the load on your mail server by 75% as well as increasing your users’ productivity.
- Training
There is a common phrase among IT people: you can’t patch social engineering. You can, however, increase security through training and awareness.
The famous reformed hacker Kevin Mitnick’s company performed a survey of 372 companies with a combined total of 300,000 users. Training lowered the success rate of phishing attacks from 16% of employees to 1.2%.
Here are some things you should teach your staff:
- How to spot a phishing scam, using examples.
- To only click links that they know are legitimate. Show users how to copy and paste a link into a browser and how to recognize a bad link.
- To ignore unexpected messages from web sites. If they are worried about the content, they should go to the web site directly rather than through the link in the email.
- If they accidentally click a link that looks dangerous, to immediately contact their IT administrator or support team.
Attackers use other tricks as well, such as sending the same dangerous email many times.
Other warning signs include bad spelling or threats, such as a warning that access to a service will be permanently blocked.
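The “recognize a bad link” training point above can also be automated on the mail gateway or in a triage script. The following is an added example, not code from the original post: it parses the anchors in an HTML message body and flags links whose visible text names one host while the href goes to another, links whose destination embeds a trusted brand name inside an unrelated host, and links that point at a bare IP address. The sample message and the `trusted_hosts` list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.x.com/path' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(a, b):
    """True when one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html_body, trusted_hosts):
    """Return (visible text, real host, reason) for links that misrepresent their target."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        dest = host_of(href)
        # Treat the visible text as a URL only if it looks like one (dot, no spaces).
        shown = host_of(text) if "." in text and " " not in text else None
        if shown and not same_site(shown, dest):
            flagged.append((text, dest, "visible text names a different host"))
        elif any(t in dest and not same_site(t, dest) for t in trusted_hosts):
            flagged.append((text, dest, "trusted name embedded in another host"))
        elif dest.replace(".", "").isdigit():
            flagged.append((text, dest, "destination is a bare IP address"))
    return flagged


# Constructed sample message (not a real phishing email); 198.51.100.7 is a documentation address.
SAMPLE = ('<p>Your account is locked.</p>'
          '<a href="http://paypal.com.example.net/login">www.paypal.com/login</a> '
          '<a href="https://www.paypal.com/help">Help Center</a> '
          '<a href="http://198.51.100.7/verify">Click here to verify</a>')
```

Running `suspicious_links(SAMPLE, ["paypal.com"])` flags the first and third links and leaves the genuine www.paypal.com link alone.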
These are a couple of steps you can take to limit your business’s exposure to phishing attacks, which are still alive and well.