

Top Five Best Practices For Preventing Phishing Attacks


The 2015 Anthem health care breach allowed access to over 78.8 million health care records and resulted in Anthem settling a class action lawsuit to the tune of $115 million. Investigators eventually traced the source of the breach to a spear phishing attack, a highly targeted campaign that successfully acquired the credentials needed to access the company’s data.

In the few years since then, phishing attacks have continued to soar. A recent study by Mimecast analyzed over 28 million emails delivered into corporate inboxes. Nearly 500,000 contained malicious URLs, which equates to one phishing email for every 61 emails, an increase of more than 125% over the previous quarter.

Worse yet, phishing has grown more sophisticated. Where once a plethora of misspellings and poor grammar would be dead giveaways, hackers have cleaned up their act. Phishing emails have always targeted our base instincts (like greed), but they are also increasingly playing to our tense social and political climate to evoke a response.

So, what are organizations to do about this growing and sophisticated threat lurking in our inboxes? Improved anti-phishing technology may seem like the obvious solution, and it will help decrease the number of phishing emails employees actually receive, but the bad guys will always find new ways to outsmart even the most sophisticated technologies. The most effective antidote for phishing comes from best practices focused on what is both your greatest asset and threat — your own people.

1. Train your employees with a structured program that includes anti-phishing education, awareness campaigns and engaging tools

One of the most effective ways to thwart phishing attacks is by promoting secure behaviors across people, processes and technology. By making sure your people fully understand the impact of breaches from phishing attacks, you’ll build security awareness that is as reliable a defense as the most impenetrable firewall.

A strong anti-phishing education program should include mandatory compliance training, ongoing education and awareness campaigns. To avoid complacency, aim to keep content consistently fresh, using video, infographics and other tools that keep end users engaged.

Workshops are another tool in the anti-phishing arsenal, and they can be especially effective with high-risk departments or teams. You can even keep it fun with a game-show style theme, or by using live polling for quizzes or challenges that everyone can access from their mobile device, perhaps gaining points for a prize.

2. ‘Test’ your people with a mock phishing campaign

More and more organizations are testing their employees with mock phishing campaigns. For some IT managers, testing can be uncomfortable. However, if the tests are implemented properly, addressing sensitivities and avoiding a negative “got you!” perception from employees, testing can be an extremely effective defense.

The key is to ensure your tests are a positive and constructive effort so your employees stay motivated. Frame testing campaigns around positive goals like “spot it.” You can even offer rewards for identifying the scam to positively reinforce the behavior.

Offering constructive feedback to employees who fail tests is important, too. Review what was “phishy” about the email with them and provide remedial training to ensure they treat the next test email or actual attack with the right security mindset. Also, conduct tests as frequently as possible, ideally once a month.

3. Use multifactor authentication and consider emerging passwordless technologies

Up until now, we’ve focused on human behavior, but multifactor authentication (MFA) is a small technical control that can make a big difference. MFA keeps information from being hijacked by using multiple authentications — a secondary, one-time password delivered via SMS message, a physical token, a biometric ID — versus just a user name and password. If a user name and password is the gate, multiple authentications are the moats that keep phishers from storming the castle and getting the keys to the kingdom.

4. Train your people to trust but verify

Even the strongest two-factor authentication system will not work if your people circumvent controls and lay down bridges across multiple moats. As unlikely as it sounds, there’s plenty of risk from individuals offering up multiple authentication data when they are thoroughly convinced a phishing email contains a legitimate request.

That’s why part of your phishing training should include “trust but verify” training. If controls are in place and an email asks an employee to deviate from the normal process — even if the email is perceived to be from a trusted source, like their manager or a CEO — part of your awareness campaign should be focused on verifying authenticity first before taking any action. Reinforce the need to follow your company’s controls at all times.

5. Instead of sacrificing usability for security, use technology to improve the user experience in a secure way

IT professionals often must deal with tradeoffs between the end user experience and safe access to systems and data. But MFA can be combined with other technology to improve the user experience without sacrificing security.

For example, authentication systems can be set up to identify certain IP addresses, countries and devices as red flags, requiring additional authentication from the user. The concept of “impossible travel,” where an access request comes from a location the user could not plausibly have reached in the time elapsed since their last known location, could be another red flag.

From an end user perspective, the same authentication system can be configured to skip additional authentication in the absence of suspicious devices or locations, making it easier and faster to access systems.
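The impossible-travel check described above, written out as an added example (not code from the article or from any product it mentions): it computes the speed a user would have needed to travel between consecutive logins and flags any login above a plausible ceiling, which is the point at which an adaptive authentication system would demand an additional factor instead of letting the user through. The coordinates, timestamps and the 1,000 km/h threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling, roughly airliner speed

@dataclass
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_speed_kmh(prev, cur):
    """Speed the user would have needed to travel between two logins."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:  # same-second logins: impossible only if the locations differ
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def flag_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (login, speed_kmh) pairs that should trigger step-up authentication."""
    last = {}  # most recent login seen per user
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.user)
        if prev is not None:
            speed = implied_speed_kmh(prev, ev)
            if speed > max_kmh:
                flagged.append((ev, speed))
        last[ev.user] = ev
    return flagged

# Constructed sample: alice "travels" New York -> London in 30 min; bob takes 12 h.
SAMPLE = [
    Login("alice", datetime(2019, 6, 21, 9, 0, tzinfo=timezone.utc), 40.71, -74.01),
    Login("alice", datetime(2019, 6, 21, 9, 30, tzinfo=timezone.utc), 51.51, -0.13),
    Login("bob", datetime(2019, 6, 21, 8, 0, tzinfo=timezone.utc), 40.71, -74.01),
    Login("bob", datetime(2019, 6, 21, 20, 0, tzinfo=timezone.utc), 51.51, -0.13),
]
```

Running `flag_impossible_travel(SAMPLE)` flags only alice's second login; bob's 12-hour gap implies a speed well under the ceiling, so he would see no extra prompt.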

Education, awareness and technology

On the surface, defending against evildoers attempting to gain access to your systems and data might seem like a technology issue. It’s true, a strong MFA system is essential. But when it comes to these specific types of phishing attacks, addressing the risks created by human behavior will give your organization the best chance of preventing costly breaches.

Article source: https://www.forbes.com/sites/forbestechcouncil/2019/06/21/top-five-best-practices-for-preventing-phishing-attacks/