Many studies show that the number of phishing victims is declining. Yet that number remains high, so the risks for companies are still considerable. After all, criminals need only one success to cause major consequences. How can you make that chance as small as possible? We explain how you and your company can protect against phishing in four logical steps.
1. Protect against phishing? Make it difficult for the criminals
The first step to protect against phishing is to make it as difficult as possible for these cyber criminals. You can start by analysing the information about your organisation that is available online, on your website and social media, and therefore available to criminals. Cyber criminals can often get (too) much information from your online presence: not only e-mail addresses, but also how these addresses are structured.
Implement anti-spoofing to stop abuse of your e-mail addresses. Spoofing is assuming a different identity. This can be done with an e-mail address, a website or an IP address. With e-mail spoofing, a message appears to come from a particular sender. This counterfeiting of an e-mail address is possible because the e-mail protocol does not, by default, check whether the server sending the e-mail is allowed to do so on behalf of that domain. To build in such a check, you can use SPF records. Sender Policy Framework (SPF for short) is a protocol that aims to help reduce spam. It does so by letting the receiver determine whether the server delivering an e-mail message is entitled to send on behalf of the sender's domain.
DNSSEC, DKIM and DMARC
In addition, you can implement a few protocols such as DNSSEC, DKIM and DMARC. DNSSEC is an extension of the DNS protocol and stands for “DNS Security Extensions”. It signs DNS data so that forged DNS answers can be detected, which makes the use of domain names safer. DomainKeys Identified Mail (DKIM) is a technique whereby an organisation can take responsibility for an e-mail message by signing it. DKIM itself is not a technology against spam, but it offers a basis for authentication on which, for example, reputation services can be built. Finally, with DMARC you indicate to the receiving mailbox provider that you are using SPF and/or DKIM. What makes DMARC powerful is that it also specifies what the recipient should do with e-mail that does not pass the SPF or DKIM test.
Spam filters or e-mail gateways can then help to filter and block phishing e-mails. A spam filter is software that tries to recognise and remove spam and computer viruses from e-mail. Normally, a spam filter reads the e-mail, decides whether it is spam and, if necessary, takes action. Choosing the right e-mail provider can also help. Office 365 and Google G Suite have many built-in measures that alert you to potential phishing, for example with the message: “Please note, you have not communicated with this email address before.”
2. Ensure that employees can identify phishing scams
Even after all these measures, a phishing e-mail may still get through. The second step to protect against phishing is therefore to ensure that employees can identify and report phishing scams. This seems simple, but it is not. Criminals keep using new techniques, and employees must be trained on them. In addition, it is necessary to practise regularly in distinguishing fake e-mails from real ones. Phishing training usually consists of two parts. One part is the well-known phishing simulation: fake e-mails are sent to employees on a regular basis, after which it is measured how many employees fall for the fake e-mail and how many report it. The second part is training employees to recognise phishing e-mails.
Now that employees are continuously trained in recognising phishing e-mails, you must ensure that they can easily ask for help and report suspicious messages. You can do this by publishing a procedure on the intranet that explains what employees should do if they suspect they have received a phishing e-mail. A useful tool is an extra report button in the e-mail program: if employees receive a phishing e-mail, they press that button and a report goes straight to the security department, which can then investigate. If it does turn out to be a phishing e-mail, they can adjust the spam filters so that similar e-mails are blocked in future.
Within every company there are processes that are vulnerable to fraudulent requests. Analyse these and think about what measures you can take to reduce the risk. This can prevent a lot of unpleasant consequences.
3. Minimize the effects of a phishing e-mail
Suppose that, despite all these measures, a phishing e-mail gets through and succeeds because an employee has nevertheless clicked on the attachment or link. The third step is therefore to ensure that the impact of a phishing e-mail is minimal. Basically, phishing attacks have only a few goals: they want you to download and install malicious software, or they want to steal account information from you. With anti-malware programs you can protect devices against rogue software, also known as malware. Anti-malware is a broad term for the programs used to remove viruses, spyware, Trojans and other threats from computers.
Sometimes this malware is in the attachment of an e-mail; sometimes the phishing e-mail asks you to download it from a website. To ensure that employees cannot reach criminal websites, you must first make sure that the web browser has the latest updates installed, because many criminals exploit programming errors in browsers to get their software onto your phone, tablet or computer. Secondly, you can ensure that employees do not have access to malicious websites at all, by installing a proxy or secure web gateway.
A very effective measure is the implementation of two-step verification: in addition to a username and password, you also need a code. Everyone knows this from online banking, where you must also enter a code to make a transfer. This is two-step verification, also called multi-factor verification. As a result, if a username and password fall into the wrong hands, they are worthless on their own. Another measure is to use a different (strong) password everywhere. Strong passwords are passwords that are difficult to crack. Of course it is impossible to remember so many passwords, and it is also quite difficult to keep coming up with unique, strong ones. Programs are available for this, so-called password managers or digital vaults, in which you can create and store passwords and PIN codes so that you don't have to remember them.
4. Respond quickly to phishing incidents
When all previous measures have failed, make sure that you can take action as quickly as possible to limit the damage. The fourth and final step is therefore to ensure that you can respond quickly. Most companies have an emergency plan and a continuity plan that describe scenarios that could occur; a DDoS attack and a phishing attack should be among those scenarios. Just as with an emergency plan, you have to practise these scenarios so that you know what to do when you really have to act.
Before you can take action, you must first be able to detect the incident in time. You can of course use all kinds of resources for this and set up a security operations center, but the most obvious thing is to motivate employees to report incidents quickly. This too seems easy, but there is often a sense of shame about reporting that you have clicked on a phishing link or downloaded malware. Ensure that there is a culture in which employees feel safe to report incidents.