Experts estimate that 7% of all spam emails carry some form of malware. One of the most common forms of malware happens to be phishing, where hackers create an email that seems like it is originating from a trusted source (from banks to online shopping sites). After clicking the link, the victim is redirected to a clone website of the service and asked for credentials and other personal information.
What can you do to reduce the phishing threat?
Step 1: Get rid of spam
If you want to greatly reduce the amount of hooks, you will need to address the spam problem. Phishing is an evil byproduct of spam, and is just one of the many spam scams we encounter daily. The real problem is the sheer volume of spam, and the fact that so much of it is evil.
The Microsoft Security Intelligence Report spelled out the dangers. “More than 75 percent of the e-mail messages sent over the Internet are unwanted. Not only does all this unwanted e-mail tax recipients’ inboxes and the resources of email providers, but it also creates an environment in which e-mailed malware attacks and phishing attempts can proliferate,” the report said.
Get rid of spam, and your phishing days are over. The most sure fire way of preventing phishing attacks on your users is to never serve them the threat in the first place – and that means stopping spam before it enters your network. Filtering at the gateway is where you want to start.
Step 2: Train yourself
With anti-spam measures in place you can now move on to the next task; training! Here at GFI we always sing the praises of staff cybersecurity awareness because there is no patch for social engineering.
IT admins need to understand the important of user training and how much saved dollars can be reaped.
Notorious hacker Kevin Mitnick, who instead of doing damage teaches individuals how to avoid hackers through his security training company, has proved the worth of anti-phishing training.
His company studied 372 organizations, which together, have nearly 300,000 endpoints. Phishing attacks were too often successful before training, with close to 16% of end users vulnerable to these schemes. After training, only 1.2% were likely victims. These trained employees become a ‘human firewall’, Mitnick said. Still think cybersecurity awareness is a waste of time?
Step 3: Train your users
Next, it’s time to train your users. There are specialist companies who run training exercises but this can also be done in-house. Here are some of the things you should teach your users:
- Learn how to spot a phishing email (more about this below),
- Only click links in email you know for certain are legitimate,
- Do not open or interact with emails from businesses unless you were expecting them. Ignore the message and go directly to the website if worried about the contents,
- Never, EVER, enter your credentials or credit card information on an email. Also make sure you enter your sensitive information on secure websites,
- If by accident you clicked a malicious link or somehow fell under attack by malware, shut down your machine or immediately start a virus scan and get in touch with the IT admin.
Another technique phishers use is to keep sending the same bogus email repeatedly, hoping the victim will eventually fall for it. Unfortunately, this technique has proved to work. In a recent report by Verizon it was revealed that “running a campaign with just three e-mails gives the attacker a better than 50 percent chance of getting at least one click. Run that campaign twice and that probability goes up to 80 percent.” The report continued, “sending 10 phishing e-mails approaches the point where most attackers would be able to slap a ‘guaranteed’ sticker on getting a click.”
What the phishing lure looks like
One way to spot a phishing attack is to know what it looks like. Phishing emails will use similar branding to the emulated service but there are certain things you can look out for and Microsoft Security Center offers the following example.
Some items to look for are misspelled words and bad grammar typical of phishing messages from Eastern Europe and China. Phishing emails sometimes include links within the email that look legitimate but really link to bad sites and they either contain threats or promote gifts.
There are other indicators that a trained eye will spot easily. Check the email address of the sender; place the cursor (DO NOT CLICK) over the address and check in the bottom left of your browser where that link is pointing to. You can do the same for links in the body text.
For years, banks and ecommerce sites have implemented clear guidelines on how they contact customers and request information. They don’t ask for your details by email. Simple. If, for example, you use online banking services, any messages will be sent to customers inside that system which most likely uses 2 factor authentication.
One final word of advice you can give to users is “think before you click”. Tell them to take a few extra seconds before opening attachments or clicking on links. Even better, if they have any doubts, call helpdesk and forward that email. If it’s spam, helpdesk will quarantine the email and add it to their blocklist.
When users start identifying phishing email and passing them on to IT, you know your message has hit home.
Tools of the anti-phishing trade
Remember, you’re not alone in this fight. There are many tools out there designed to help you get rid of the scourge that is unwanted emails and email attacks. GFI MailEssentials does just that by getting rid of 99% of spam messages, and has special anti-phishing features built right in.