What is a Phishing Attack?
In recent news, several large companies including Microsoft and Facebook have been affected by phishing attacks. Phishing is a type of cybercrime that happens when an attacker poses as a legitimate company or website in order to divulge sensitive information from the victim. This can be the victim’s social security number, credit card number, or login credentials. Phishing attacks can take place over the phone, instant messaging, or email. Phishing differs from other cybercrimes as it requires human interaction; attackers target end- users rather than the actual computer systems. These attacks can be damaging to a company; however, they can be prevented.
How Does a Phishing Attack Work?
A common example of phishing occurs when a company employee receives an email prompting them to change their company password. This email usually includes a link that brings the victim to a legitimate looking website. Here, the victim inputs their credentials. The attacker now has the victim’s login information and access to the company network. After gaining access to the company network, the attacker may be able retrieve confidential information to hold as Ransomware or find other security holes to exploit.
How Can I Prevent a Phishing Attack?
1. Use Web and Email Filters
Applying web and email filters can help filter out spam content from legitimate content. See examples of web filters.
2. Compose New Hire and Annual Security Training for Employees
Many times, attackers can bypass web or email filters, so it is vital to provide comprehensive security trainings to employees. Educate employees on the different methods attackers may use and the consequences phishing attacks may have on the company. Send a fake phishing email to employees to familiarize them with illegitimate emails and webpages. Train them on ways to identify a phishing email. Also, have a well- written Acceptable Use Policy and Security Awareness Policy.
3. Stay Updated
It is crucial to frequently update your anti- virus software, firewalls, and operating systems to prevent an attacker from exploiting any security holes. Run routine security scans on all machines and perform regular Security Risk Assessments. Additionally, check that your Disaster Recovery Plan is updated frequently and working.
4. Review Company Website and Information
Phishing attacks require the attacker to research the company such as employee names and contact information. Attackers may also look into the vendors the company uses such as types of machines and operating systems. Ensure that accessibility to employee and vendor information is limited.
5. Be In the Know
Be aware of new cybercrime cases and vulnerabilities in the news, blogs, and security bulletins. Often, security cannot keep up with attacks, so it is important to be alert of new types of attacks. Websites such as The Cyber Wire post daily security briefings.
Prevention is Key
Recovering from cybercrime can be rigorous and exhausting, so having preventive measures in place is the most practical solution. By combining technical controls with security awareness, you can mitigate the risk of a phishing attack against your company.