Protect your Employees from Phishing Attacks
Phishing emails are one of the top cyber threats to organizations. The FBI's 2021 Internet Crime Report, published by its Internet Crime Complaint Center (IC3), identified business email compromise (BEC) as the costliest cyber threat of the year, with over 19,000 complaints received. What are you to do? You cannot turn off email, but you can reduce the risk with these five techniques to protect your organization and employees from phishing attacks.
1. Phishing Email Training
Not a surprise this is number one on the list. Educating email users on how to recognize a phishing email, and on not opening unexpected attachments or clicking links, is the best way to reduce both the likelihood and the impact of a malicious click. Most organizations run some phishing testing and training; others use the exercise to fully engage users and strengthen their human firewall.
Phishing Training Suggestions
- Track more than just the users who clicked: record which users took the extra step and followed the correct reporting procedure. If users aren't reporting suspected phishing emails, find out why. Make sure they know that reporting improves email security for everyone, because each report is used to update the email phishing filter.
- Track your happy clickers. Are there people who click every time? Some organizations impose severe consequences on happy clickers, but there may be more behind the behavior. Dig in, understand why it is happening, and find out whether there is a fix.
- After the training, follow up with an email that gives a deeper technical explanation of how attackers get footholds into protected networks with phishing emails. Not every user will read it, but some will. Now you can “deputize” those interested people as cybersecurity champions in the organization.
- Phishing email tactics constantly evolve, and so should an organization's phishing testing exercise. Research the most recent tactics and review the real phishing emails being blocked by the email filter. NIST has published the NIST Phish Scale, a method for rating how hard a given phishing email is for a person to detect, which you can use to quantify the difficulty of your own test emails. Raise the difficulty once pass rates reach 80% or higher.
- Use internal phish training campaigns to educate users on protecting themselves at home. Provide resources such as externally available security awareness training videos or one-page battle cards people can share with children, elderly parents, and friends. Teach them how to protect what they care about, and they bring that knowledge back to work to help you protect what you care about.
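The suggestions above ask you to track several things at once: who clicked, who reported, who clicked and then reported, who did neither, who clicks every time, and when the pass rate crosses the 80% mark at which the next test should get harder. The following script is an added example, not code from the original article; it computes those metrics from constructed per-campaign results, and the user names, campaign names and outcomes are all made up for illustration.

```python
"""Phishing-simulation scorecard.

Added example, not code from the original article. It computes the
metrics the training suggestions above ask for from per-campaign
results: click rate, report rate, who reported without clicking, who
clicked and then reported, who did neither, repeat "happy clickers"
across campaigns, and whether the pass rate has reached the 80% mark at
which the article says to raise the difficulty of the next exercise.
All campaign data below is constructed for illustration.
"""
from collections import Counter

# Constructed sample: one record per (campaign, user). "clicked" means the
# user followed the simulated phishing link; "reported" means they used
# the organization's report-phish procedure (a user can do both).
RESULTS = [
    {"campaign": "2022-Q1", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2022-Q1", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2022-Q1", "user": "carol", "clicked": False, "reported": False},
    {"campaign": "2022-Q1", "user": "dave",  "clicked": True,  "reported": True},
    {"campaign": "2022-Q1", "user": "erin",  "clicked": False, "reported": True},
    {"campaign": "2022-Q2", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2022-Q2", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2022-Q2", "user": "carol", "clicked": False, "reported": True},
    {"campaign": "2022-Q2", "user": "dave",  "clicked": False, "reported": True},
    {"campaign": "2022-Q2", "user": "erin",  "clicked": False, "reported": False},
]

# From the article: once 80% or more of users pass, make the next test harder.
RAISE_DIFFICULTY_AT = 0.80


def campaign_metrics(results, campaign):
    """Per-campaign rates and user lists. A user 'passes' by not clicking."""
    rows = [r for r in results if r["campaign"] == campaign]
    n = len(rows)
    if n == 0:
        raise ValueError(f"no results for campaign {campaign!r}")
    clicked = sum(1 for r in rows if r["clicked"])
    reported = sum(1 for r in rows if r["reported"])
    return {
        "users": n,
        "click_rate": clicked / n,
        "report_rate": reported / n,
        "pass_rate": (n - clicked) / n,
        # Followed the procedure exactly: recognized the phish and reported it.
        "reported_without_clicking": sorted(
            r["user"] for r in rows if r["reported"] and not r["clicked"]),
        # Clicked but then reported: still valuable, the SOC learns early.
        "clicked_then_reported": sorted(
            r["user"] for r in rows if r["reported"] and r["clicked"]),
        # Neither clicked nor reported: the reporting gap the article asks about.
        "silent": sorted(
            r["user"] for r in rows if not r["reported"] and not r["clicked"]),
    }


def happy_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: investigate, don't just punish."""
    counts = Counter(r["user"] for r in results if r["clicked"])
    return sorted(user for user, c in counts.items() if c >= min_clicks)


def should_raise_difficulty(metrics):
    """True when the campaign's pass rate is at or above the 80% threshold."""
    return metrics["pass_rate"] >= RAISE_DIFFICULTY_AT


def scorecard(results):
    """Metrics for every campaign present in the results, keyed by campaign name."""
    campaigns = sorted({r["campaign"] for r in results})
    return {c: campaign_metrics(results, c) for c in campaigns}


if __name__ == "__main__":
    for name, m in scorecard(RESULTS).items():
        print(f"{name}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}, "
              f"pass {m['pass_rate']:.0%}, silent {m['silent']}, "
              f"raise difficulty: {should_raise_difficulty(m)}")
    print("happy clickers:", happy_clickers(RESULTS))
```

The pass rate counts everyone who did not click, so a user who neither clicked nor reported still "passes"; the silent list exists precisely so that group is not mistaken for a success.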
2. External Email Notification
Add a vivid banner to every email that originates outside the organization, for example a colored bar at the top of the message reading "EXTERNAL: This message came from outside the organization. Do not click links or open attachments unless you recognize the sender and were expecting it." Apply the banner at the mail gateway, based on where the message entered, rather than relying on clients or senders, so an attacker cannot simply leave it out. Keep in mind that the banner tells users where a message came from, not whether the sender is genuine: a compromised internal account will arrive without it, so pair the banner with sender authentication (SPF, DKIM and DMARC).
3. Isolate External Emails
Establish separate folders for internal and external emails. A mailbox rule that files external mail into its own folder is simple for a user to set up independently, but consider deploying it as a default configuration so that every user gets the separation without having to think about it.
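Sections 2 and 3 are normally configured as a mail-flow rule in the mail gateway or email service, but the logic is small enough to show end to end. The following is an added example, not code from the original article: using Python's standard-library email package, it treats a message as external when the domain of its From: address is not one of the organization's domains (a constructed list), prepends a warning banner to the text and HTML bodies, and adds an X-External-Email: yes header (an assumed header name) that a server- or client-side rule can match to file the message into an External folder. The sample messages are constructed for illustration.

```python
"""Tag external email with a banner and a routing header.

Added example, not code from the original article. A message is treated
as external when the domain of its From: address is not one of the
organization's domains (a constructed list). External messages get a
warning banner prepended to the text and HTML bodies and an
X-External-Email: yes header (an assumed header name) that a server- or
client-side rule can match to file the message into an External folder.
The sample messages are constructed for illustration.
"""
import html
from email import message_from_bytes, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"acme.com", "mail.acme.com"}   # assumed organization domains
EXTERNAL_HEADER = "X-External-Email"                # assumed header name for the folder rule
BANNER = ("EXTERNAL EMAIL: this message came from outside the organization.\n"
          "Do not click links or open attachments unless you expected them.")


def sender_domain(msg):
    """Domain of the From: address, ignoring the display name, which is
    where '"John Doe (CEO)" <jdoe.ceo@gmail.com>' style spoofing lives."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    """External unless the From: domain is one of ours; a missing From: counts as external."""
    domain = sender_domain(msg)
    return domain == "" or domain not in INTERNAL_DOMAINS


def tag_external(raw):
    """Return the message bytes, with banner and header added if the message is external.

    Meant to run once, at ingress: any X-External-Email header supplied by
    the sender is discarded so an attacker cannot pre-set it, and running it
    twice on the same message would add a second banner.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_external(msg):
        return raw
    del msg[EXTERNAL_HEADER]          # drop any sender-supplied copy (no error if absent)
    msg[EXTERNAL_HEADER] = "yes"
    for subtype, prefix in (("plain", BANNER + "\n\n"),
                            ("html", "<p><b>" + html.escape(BANNER) + "</b></p>\n")):
        part = msg.get_body(preferencelist=(subtype,))
        if part is not None:        # single-part text/plain mail has no html part
            part.set_content(prefix + part.get_content(), subtype=subtype)
    return msg.as_bytes()


def inspect(raw):
    """Re-parse a message and report what the folder rule and the user would see."""
    msg = message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    text = plain.get_content() if plain is not None else ""
    return {"sender_domain": sender_domain(msg),
            "flagged": msg.get(EXTERNAL_HEADER) == "yes",
            "header_values": msg.get_all(EXTERNAL_HEADER, []),
            "banners": text.count(BANNER)}


# Constructed samples. EXTERNAL_MSG uses a display name that imitates an
# internal executive; FORGED_MSG tries to pre-set the header to "no".
EXTERNAL_MSG = (
    b"From: \"John Doe (CEO)\" <jdoe.ceo@gmail.com>\r\n"
    b"To: accounting@acme.com\r\n"
    b"Subject: Urgent wire transfer\r\n"
    b"\r\n"
    b"Please process the attached invoice today.\r\n"
)
INTERNAL_MSG = (
    b"From: Jane Roe <jroe@acme.com>\r\n"
    b"To: accounting@acme.com\r\n"
    b"Subject: Q2 budget\r\n"
    b"\r\n"
    b"Draft attached for review.\r\n"
)
FORGED_MSG = (
    b"From: payroll@acme-hr.com\r\n"
    b"To: jdoe@acme.com\r\n"
    b"X-External-Email: no\r\n"
    b"Subject: Updated direct deposit form\r\n"
    b"\r\n"
    b"See the attached form.\r\n"
)

if __name__ == "__main__":
    print(tag_external(EXTERNAL_MSG).decode())
    print(inspect(tag_external(FORGED_MSG)))
```

The check is on the From: domain the sender chose, so it separates internal from external traffic but says nothing about whether the sender is genuine; that remains the job of SPF, DKIM and DMARC, and mail from a compromised internal account will pass through untagged.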
4. Limit Administrative Access
Remove the ability to read email from an administrator account. Administrator accounts should not have a mailbox and should never be used for day-to-day email; give each administrator a separate, unprivileged account for email so that a phishing click never lands in a session that holds administrative rights.
5. Create a Secondary Email
For high-risk users, create an additional email account. For example, for John Doe, the CEO, jdoe@acme.com is the primary account used with known correspondents. Create bigbear@acme.com for John to use when signing up for conferences, downloading marketing material from third-party organizations, or handing out at informal meet-ups, so that the address most likely to be harvested is not the one attackers need to reach him.
Undoubtedly, business email compromise attacks are sophisticated scams that target businesses and individuals through social engineering or phishing emails, and they should not be underestimated. These bad actors have targeted small, mid-sized, and large organizations across numerous industries, with incidents reported in all 50 states and 177 countries. BEC threat actors continue to grow and evolve their techniques, and they remain the most significant threat that security researchers rarely discuss.