Protect your Employees from Phishing Attacks

09.07.22
By: BreachQuest

Phishing emails are one of the top cyber threats to organizations. The FBI 2021 Internet Crime Report, published by the FBI’s Internet Crime Complaint Center (IC3), stated that business email compromise is the top cyber threat and that the bureau has received over 19k complaints. What are you to do? You cannot turn off email, but you can reduce the risk by using these five techniques to protect your organization and employees from phishing attacks.

1. Phishing Email Training

Not a surprise this is number one on the list. Educating email users on how to identify a phishing email, and on not opening attachments or clicking links in suspicious messages, is the best way to reduce the likelihood and impact of a malicious click. Most organizations do some phishing testing and training exercises. Others are using the opportunity to fully engage users and strengthen their human firewall.

Phishing Training Suggestions

  • Track more than just the users who clicked; also track which users took the extra step and followed the correct reporting procedures. If users aren’t reporting suspected phishing emails, find out why. Ensure they know that reporting improves email security for everyone, because reported messages are used to update the email phishing filter.
  • Track your happy clickers. Are there people who click every time? Some organizations have severe consequences for happy clickers, but there may be more behind the behavior. Dig in, understand why it is happening, and find out whether there is a fix.
  • After the training, follow up with an email that gives a deeper technical explanation of how attackers get footholds into protected networks with phishing emails. Not every user will read it, but some will. Now you can “deputize” those interested people as cybersecurity champions in the organization.
  • Phishing email tactics constantly evolve, and so should an organization’s phishing testing exercise. Research the most recent tactics and review the real phishing emails being blocked by the email filter. NIST has published the NIST Phish Scale, a method for rating human phishing detection difficulty, which can be used to quantify the degree of difficulty of the phish testing exercise. Increase the difficulty once phishing test pass rates reach 80% or higher.
  • Use internal phish training campaigns to educate users on protecting themselves at home. Provide resources such as externally available security awareness training videos or one-page battle cards people can share with children, elderly parents, and friends. Teach them how to protect what they care about, and they bring that knowledge back to work to help you protect what you care about.

2. External Email Notification

Add a vivid email banner to external emails so users can see at a glance that a message originated outside the organization. (The original post shows an image of an example vivid email banner here.)

3. Isolate External Emails

Establish separate folders for internal and external emails. Using different folders is simple for a user to do independently, but consider establishing it as a default configuration.

4. Limit Administrative Access

Remove the ability to read email from administrator accounts.
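Tips 2 through 4 can be enforced centrally rather than left to each user. The following Exchange Online PowerShell snippet is an added example, not configuration from the original post; it assumes the ExchangeOnlineManagement module, an administrative account, the acme.com domain and jdoe@acme.com mailbox used in the post, and rule, header and folder names of my own choosing (the External folder must already exist in the mailbox).

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the domain/mailbox names from the post; the rule names,
# the X-External-Sender header and the "External" folder are my own assumptions.
Connect-ExchangeOnline

# Tip 2: prepend a vivid banner to every message that enters from outside the
# organization, and stamp a header that the per-mailbox rule below can key on.
$banner = '<div style="background:#ffcc00;color:#000;padding:6px;font-weight:bold;">' +
          'CAUTION: This email originated outside acme.com. Do not click links or ' +
          'open attachments unless you recognize the sender and expected the message.' +
          '</div>'

New-TransportRule -Name 'External Email Banner' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -SetHeaderName 'X-External-Sender' `
    -SetHeaderValue 'true'

# Tip 3: route stamped external mail into a separate folder. Creating the rule
# with -Mailbox lets an admin roll it out as the default for every user instead
# of relying on each user to set it up; the target folder must already exist.
$mailbox = 'jdoe@acme.com'
New-InboxRule -Mailbox $mailbox -Name 'Route external mail' `
    -HeaderContainsWords 'X-External-Sender: true' `
    -MoveToFolder "${mailbox}:\Inbox\External"

# Tip 4: list every account holding explicit FullAccess (i.e. read access) to
# the mailbox, so unneeded administrative delegations can be reviewed and
# removed with Remove-MailboxPermission.
Get-MailboxPermission -Identity $mailbox |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and
                   -not $_.IsInherited -and
                   $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights
```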

5. Create a Secondary Email

For high-risk users, create an additional email account. For example, for John Doe, the CEO, jdoe@acme.com is the primary account for exchanges with known contacts. Create bigbear@acme.com for John to sign up for conferences, download marketing material from third-party organizations, or give out at informal meet-ups.

Undoubtedly, business email compromise attacks are sophisticated scams that target businesses and individuals through social engineering or phishing emails, and they should not be underestimated. These bad actors have targeted small, mid-size, and large corporations across numerous industries, with victims reported in all 50 states and 177 countries. BEC threat actors continue to grow and evolve their techniques and are currently the most significant threat that security researchers don’t discuss.
