Defending Your Organization From Phishing Attacks

Cyberattacks occur every day in organizations around the world. There are many types of ways cyberattacks originate, but the most common is phishing.

Studies show that 80 percent of cyberattacks are due to phishing.  In the first quarter of 2021, 611,877 unique phishing sites were detected, representing a four percent increase from 637,302 unique sites in the preceding quarter. This was determined by the unique base URLs of the phishing sites.

What is a Phishing Attack?

A phishing attack is a type of cyberattack that uses email or text messages to trick victims into clicking on a malicious link or attachment.

The attackers pretend to be someone the victim knows, such as a trusted website or their bank.

Once the victim clicks on the link, they are taken to a fake website that looks real. The attacker then steals the victim’s personal information, such as passwords, credit card numbers, and Social Security numbers.

Phishing Techniques

There are many different types of phishing techniques attackers use to try and trick victims. In summary, attackers attempt to trick users into clicking malicious links, allowing malicious actors to gain access to sensitive data, gain login credentials, and install malicious code.

Email Phishing Attacks

Email phishing attacks are the most common type of phishing. In an email phishing attack, the attacker sends an email to the victim that appears to be from a trusted source.

The email may contain a link to a malicious website or an attachment that infects the victim’s computer with malware.

Spear Phishing Attacks

Spear phishing is a type of phishing attack that targets a specific person or organization.

The attacker creates an email that appears to be from a trusted source and contains personal information about the victim, such as their name, address, or job title.

The email may also contain a malicious link or attachment. Spear phishing attacks are more difficult to detect than other types of phishing because they appear to be legitimate.

Whaling Attacks

Whaling is a type of spear-phishing attack that targets high-level executives in an organization, such as the CEO, CFO, or president.

The attacker creates an email that appears to be from a trusted source and contains personal information about the executive.

The email may also contain a malicious link or attachment. Whaling attacks are difficult to detect and can have devastating consequences for an organization.

8 Tips to Defend Against Phishing Attacks

Over the years, you have likely heard of countless different tactics and products that help prevent cyberattacks. Some information might have been overlooked due to the technical jargon, or the information is no longer valid due to new technology and new threats. Either way, we are here to give you practical advice for your organization’s cybersecurity. 

• Keep hardware up to date

Old hardware may not have the ability to get the latest level of security updates. This leaves your hardware vulnerable to cyberattacks. Research the lifespans of your equipment and replace them when necessary. WatchGuard recommends replacing firewalls and access points every 5 to 8 years. 

• Keep software up to date

Software updates keep your device up to date with the latest security features. If you do not update your device regularly, your device is more likely to get infected with malware. We recommend automating this process, so you do not have to perform updates manually. 

• Deploy a next-generation antivirus software

Malware is always changing. This means, your antivirus needs to be able to protect your device against all threats. Next-generation antivirus uses artificial intelligence and machine learning to protect your device against known and unknown malware. Traditional antivirus is only able to protect against known malware. 

• Change your passwords regularly

It is recommended to change your passwords once every 3 months. It is also recommended to use a different password for every account. 

• Enable two-factor authentication

Having multi-factor authentication enabled on your accounts provides an extra layer of defense.  Even if your password is compromised, the attacker will not be able to access your account without the second factor. The most common second factor is a code that is sent to your phone.

• Back up data

It is always recommended to back up your data (especially your important data) in multiple places – locally and in the cloud.  This way, if your device is lost or stolen, you will still have a copy of your data.

• Be cautious of suspicious emails

Always be cautious of emails from unknown senders. If the email looks suspicious, chances are it probably is. If you are ever unsure, never click on any links within the email and get a second opinion. 

• Educate employees

Your employees are the first line of defense against phishing attacks. Educate your employees on how to spot a phishing email and what to do if they receive one. We recommend conducting regular training sessions and conducting phishing simulations.

• What are the signs of a phishing attack?

There are several things you can look for to determine if an email is legitimate or not. Here are some tips:

• Deceptive Email Address

Phishers will often spoof the name of a legitimate company or person. They may also use an email address that is very similar to a legitimate email address. For example, if you receive an email from support@example.com, but the actual email address is support@examplr.com, this is likely a phishing email.

• Link Discrepancies

If you hover over a link in an email, you should be able to see the actual URL that the link will take you to. If the URL looks suspicious or does not match the text in the link, do not click on it!

• Poor Grammar and Typos

Legitimate companies and organizations do not send out emails with typos. If you see any typos in an email, it is likely a phishing email.

• Sense of Urgency

Phishing emails generally build a sense of urgency to encourage a victim to quickly click the infected link or download the attachment before any thought goes into the legitimacy of the email.

Not sure what to do?

If you are ever unsure about an email, do not hesitate to reach out to the company or person directly to confirm that they actually sent the email. And remember, if an offer seems too good to be true, it probably is!

Example Spear Phishing Email

This email is an example of a spear-phishing email. The sender is spoofing the name of a legitimate company in order to try and get the recipient to click on the link. The link in the email goes to a malicious website that will infect the recipient’s device with malware. This email is also full of typos, which is another red flag that this is a phishing email.

Sophisticated phishing attacks are becoming more and more common. It is important to be aware of the signs of a phishing email and to know what to do if you receive one. If you think you may have received a phishing email, do not click on any links or attachments. Forward the email to your IT department or security team.

Contact our Cyber Security Team if Your Organization has been Compromised

CEI is a WatchGuard Gold Partner which gives us access to the latest and most effective products and technology from WatchGuard to help prevent phishing, malware, and ransomware.

Our team can help recognize suspected phishing emails, provide phishing training, and protect your organization from data breaches.

Learn more about how our cybersecurity products and services could benefit your organization, or call us at 919-781-8885. We are here to help your business navigate the ever-changing cybersecurity landscape.