Data Security & Privacy

5 Best Practices for Guarding Against Phishing Attacks


By Josh Young Sep 12, 2017

If you think you've seen a marked increase in phishing attacks directed at your company -- don't worry, you're not crazy.

According to the US Federal Bureau of Investigation (FBI), cybercriminals are increasingly using business email compromise (BEC) attacks -- scams targeted at compromising legitimate business email accounts to conduct unauthorized fund transfers. And in less than a three-year period (from October 2013 to December 2016), scammers and criminals have pilfered more than $5 billion worldwide using BEC attacks.

Similarly, Kaspersky Lab reported that in Q2 2017, 8.26 percent of its user base experienced a phishing attack, reflecting a spike of more than 46 million attempts. And Symantec found that "one in every 1,968 emails" that it monitored in the month of July 2017 was a malicious phishing message -- the highest rate all year.

What Measures Can Your Business Take to Prevent Phishing Attacks?

Embrace knowledge

The most likely reason that your business will fall prey to a successful phishing attack won't be a lack of technology. It will be due to an employee's mistake or negligence.

According to the most recent Verizon Data Breach Investigations Report (DBIR), 7.3 percent of evaluated employees fell for a successful phishing attack in 2016 -- either clicking a malicious link or opening a suspicious attachment. But by employing regular cybersecurity training among your staff, you can improve your workers' ability to identify and avoid these scams.

Alongside proper security protocols and effective password management, your cybersecurity training should discourage your workers from:

  • Opening unsolicited attachments
  • Providing personal username or password credentials
  • Clicking on hyperlinks in emails from unknown senders
  • Entering sensitive information into popup windows

Repeat when necessary

Verizon also found that in a typical company -- one with 30 or more employees -- roughly 15 percent of users who fell for a successful phishing attack did so again in the same year. Rather than risk contributing to this statistic for next year, target phishing victims for additional education and support. Your business might also consider adjusting email and messaging settings to offer additional filtering or security restrictions for these "problem users."

Demand better

Don't trust that your employees have taken your training and security notices to heart. Test them. And test them regularly.

According to Verizon, "[t]he data shows simulated phishing makes a difference." So to keep your workers on their toes -- and create teachable moments when they make mistakes -- enlist your IT staff to conduct regular, random phishing tests for your staff.
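The two preceding sections (targeting repeat victims for extra support, and running regular simulated phishing tests) only pay off if the results are tracked over time. The following is an added example, not code from the original post or from Workplace Answers: it takes constructed simulated-campaign results and reports who clicked in more than one campaign in a year, the repeat rate to compare against Verizon's roughly 15 percent, and the per-campaign click rate whose downward trend is the evidence that training is working. Campaign names, users and dates are all made up.

```python
from collections import defaultdict
from datetime import date

# Constructed results from three simulated phishing campaigns (not real data):
# (campaign_id, sent_date, user, action), action in clicked/reported/ignored.
# carol clicked the q1 lure twice; same campaign, so not a repeat offence.
SIMULATION_RESULTS = [
    ("q1-invoice",  date(2017, 2, 14), "alice", "clicked"),
    ("q1-invoice",  date(2017, 2, 14), "bob",   "reported"),
    ("q1-invoice",  date(2017, 2, 14), "carol", "clicked"),
    ("q1-invoice",  date(2017, 2, 14), "carol", "clicked"),
    ("q2-payroll",  date(2017, 5, 9),  "alice", "clicked"),
    ("q2-payroll",  date(2017, 5, 9),  "bob",   "ignored"),
    ("q2-payroll",  date(2017, 5, 9),  "carol", "reported"),
    ("q3-ceo-wire", date(2017, 8, 22), "alice", "reported"),
    ("q3-ceo-wire", date(2017, 8, 22), "bob",   "clicked"),
    ("q3-ceo-wire", date(2017, 8, 22), "dave",  "clicked"),
]

def campaigns_clicked(results, year):
    """Map each user to the set of distinct campaigns they clicked in `year`."""
    clicked = defaultdict(set)
    for campaign, sent, user, action in results:
        if sent.year == year and action == "clicked":
            clicked[user].add(campaign)
    return clicked

def repeat_clickers(results, year):
    """Users who clicked in two or more different campaigns in one year:
    the group to target for additional education and tighter mail filtering."""
    by_user = campaigns_clicked(results, year)
    return sorted(user for user, c in by_user.items() if len(c) >= 2)

def repeat_rate(results, year):
    """Share of that year's clickers who clicked again (Verizon: roughly 15%)."""
    clicked = campaigns_clicked(results, year)
    return len(repeat_clickers(results, year)) / len(clicked) if clicked else 0.0

def click_rate_by_campaign(results):
    """Distinct clickers over distinct recipients per campaign; a falling rate
    from one campaign to the next is the sign that training is taking hold."""
    recipients, clickers = defaultdict(set), defaultdict(set)
    for campaign, _, user, action in results:
        recipients[campaign].add(user)
        if action == "clicked":
            clickers[campaign].add(user)
    return {c: len(clickers[c]) / len(recipients[c]) for c in recipients}

if __name__ == "__main__":
    print("repeat clickers:", repeat_clickers(SIMULATION_RESULTS, 2017))
    print("repeat rate: %.0f%%" % (100 * repeat_rate(SIMULATION_RESULTS, 2017)))
    print(click_rate_by_campaign(SIMULATION_RESULTS))
```

Counting distinct campaigns per user (a set, not a list) is what keeps a double click on one lure from being mistaken for a second failure.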

Prepare for failure

If your business hasn't fallen prey to a successful attack, it likely soon will. And while you should definitely work to prevent attacks, you also need to take measures to react appropriately when your security plan fails.

Create simple, straightforward reporting tools that allow your workers to alert IT staff if they've fallen victim to an attack. In addition, keep your antivirus and security software up to date, configuring them to proactively scan for potential intrusions or malicious code. According to Verizon, 95 percent of successful phishing attacks in 2016 that led to a data breach included some form of software installation.

Back up key systems

Ransomware attacks are also on the rise, and frequently this malicious code uses phishing attacks to penetrate your systems. In fact, Verizon found that among the ransomware incidents it studied from last year, 21 percent included social engineering techniques, particularly phishing -- while only 8 percent of ransomware attacks used these techniques in 2015.

To mitigate the potential damage of such an attack, routinely back up critical data and business systems. Consider a tape-based recovery platform or some other offline data storage that can isolate these records, providing increased resiliency and security.

The Next Step

Whether you're a multinational conglomerate, a small startup, or a family restaurant, cybercriminals want your money and your data, and they'd be more than happy to take it from you. Luckily with a little planning, forethought, and education, your business can make their scams much less likely to succeed.

To learn more about how we can help you prevent phishing schemes and other attacks from hurting your company, check out a demo of our cybersecurity awareness courses today.
