3 Ways Small Businesses Can Protect Against Phishing Attacks
Phishing is on the rise, with over 85 percent of businesses having fallen victim to date. A seemingly simple type of attack, they’re so successful because they are targeted at unsuspecting victims and leverage social engineering to get the job done.
With how successful phishing has been just in the past year alone, you can bet attackers will continue using this method of attack and come up with new and more creative ways to succeed. Because it can seriously damage, or even take down, an entire small business, in this post we’ll explain what exactly phishing is, how it works, and how you can protect your business from it.
What is Phishing?
Phishing is a deceptive tactic whereby an attacker sends a seemingly harmless email to thousands, or hundreds of thousands, of people, masquerading as a reputable entity (e.g. a CEO or bank). Their goal is to get victims to open an infected attachment or click on a link that will take them to a malicious website. Once opened or clicked, the attacker can infect and take control of their machines to collect desired information, such as passwords.
There is another more targeted form of phishing called spear phishing. Unlike traditional phishing attacks, these attacks are only sent to a few select people who the attackers know have information they need, such as sensitive financial information.
In a spear phishing attack, attackers find their way into a trusted person’s email account, such as the CEO of a company, or create a mock email address that looks real. Then, they send an email from the account to targeted employees (e.g. an accounting department) with a request for information, whether it is employee records, bank account numbers, or financial statements.
Because the email looks like it’s from the CEO, employees often take the bait and send over whatever information is being asked of them. On the other side, the attackers now have the information they need to steal money from an online bank account, hold data hostage for a ransom, or publish the information for the world to see.
If you’re familiar with the Snapchat security snafu that happened earlier in 2016, this is exactly how it played out, and there are many, many more just like it.
To keep your business out of the line of fire of both traditional phishing and spear phishing attacks, here are three ways you can protect your data, systems, and users:
1. Educate Employees About Phishing
Education can be one of the biggest forms of protection. With an informed workforce, more eyes can be on the lookout for attacks to prevent information from being leaked or stolen.
Recognizing a phishing email isn’t easy since they often look like regular emails coming from a trusted source. But there are many signals employees should be on the lookout for that can help identify a phishing email before it’s too late:
- The email asks for personal information. If an email asks for a password, bank account number, or sensitive data, encourage employees to approach it with skepticism, as reputable organizations will rarely make an ask like this via email. Instruct them to flag any emails that look even remotely suspicious for the IT team to review.
- Look for grammar errors. If an email has misspelled words, random capitalizations, or just doesn’t sound like the person who supposedly sent it, it may be phishing. While we all make typos once in awhile, if the email looks particularly suspicious or like it’s not from the sender, employees should ask IT before responding.
- Check the links. Encourage employees to examine URLs before clicking on them. They can do this by hovering over it or right clicking it and copying it into a Word doc to view it first. If the email says the link is taking them to a Google Doc but the link is badsite.example.xyz, it’s a phishing link. And even if it does look like it’s going to Google Docs, there could be misspellings in the URL or extra periods or dashes before the forward slash, such as this: http://gogledoc.com-stz.info/.
While each of these steps will take a bit more time, and as a small team that’s not something you have a lot of, it’ll pay off when you don’t get hit by the next phishing attack and your data is safe.
2. Enforce a Password Security Policy
While phishing attacks aren’t the result of a password breach (they hope your users will click on a link or download a malicious attachment in order to get into their machines), being diligent about your password policy is a way to minimize damage from a phish.
Here are a few good policies to employ:
- Mandate Complex Passwords. Complex passwords (those with over a dozen characters, uppercase and lowercase letters, numbers, and punctuation) make guessing a password a lot harder. Even more, passwords should never be reused among different accounts. Many apps and sites have password security measures you can enable to mandate and verify that employees are following the policy.
- Enforce Regular Password Changes: Even with complex passwords in use, you can’t leave anything up to chance. It’s a best practice to change passwords for all company accounts every 60-90 days. Most sites and apps can force employees to change their passwords in specified frequencies so that this is automated.
- Use a Password Management Tool. Of course, your users can’t be expected to remember a password like 0x33FmmyZoekf!, so invest in a password management tool that all employees can use. Popular options include 1password, LastPass or KeePass.
- Enable Two-Factor Authentication (2FA). Even if an attacker manages to get ahold of a password, add another layer of security on by enabling 2FA. This way, they can’t get in unless they have another token (e.g. a phone or email) to receive the authentication code before proceeding into the account. And if employees get an email or text with a code that they didn’t request, encourage them to notify security and IT immediately, as that can signal an attempted attack.
3. Automatically Monitor for Suspicious Activity on the Network
Even with an educated workforce, user access policies, and password tools, sophisticated attackers can and will find ways in. New automated solutions can monitor outbound communications and prevent phishing attacks that may have landed on your systems from carrying out their mission.
Solutions such as Strongarm leverage DNS to determine if there is malicious activity on your network. So if an employee does fall for a phishing attack (and one will), Strongarm can immediately detect the threat, quarantine it, and remove it from your network, adding an extra line of defense without any additional effort on your end.
To learn even more about how to spot, avoid, and report phishing attacks, check out The Anti-Phishing Working Group and the federal government’s OnGuardOnline.gov website. They’re both great resources with up-to-date intel on attacks and best practices.
To employ a trust but verify approach to your businesses’ security, try Strongarm free today for automated monitoring.