By Lee Schor, Chief Revenue Officer of VIPRE

Phishing remains one of the biggest security threats to all businesses – regardless of size and industry. This was reflected in the Cyber Security Breaches Survey 2021, as phishing was identified as the most common type of security attack (82%) last year.

The accelerated shift to hybrid work environments, triggered by the COVID-19 pandemic, has played a fundamental role in increased phishing activity. Shifting to remote working opened the door even wider to phishing, malware and other cyber threats – with attackers targeting users away from the office.

Phishing is a threat that cannot be avoided, but it can be controlled. In June 2022, VIPRE produced a whitepaper which highlights that there are solutions that businesses can put in place to help stop valuable data from reaching the wrong hands. Lee Schor, Chief Revenue Officer of VIPRE outlines the crucial technology tools and training needed to reduce the threat of phishing attacks and ultimately, for organisations to create a phishing prevention toolkit.

The Evolution of the Phishing Landscape

Phishing is the practice of sending a deceptive message to trick the user into revealing sensitive information, or to deploy malicious software, such as ransomware, onto an organisation’s IT network. Once sensitive information has been captured, the consequences can be severely damaging to a business – from financial repercussions, to loss of customers and damaged reputation.

In the modern threat landscape, cyber-attack methods are becoming increasingly sophisticated, and specifically, phishers are now using advanced social engineering to lure users into giving away confidential company data. For example, in 2021, Microsoft Office 365 users were targeted with a sophisticated phishing email to trick users into giving away their credentials via a compromised SharePoint website.

Over time, phishing has also become increasingly harder to detect, as it is highly targeted and constantly evolving to take advantage of both users and organisations – ever more so with the increase in hybrid working. VIPRE’s whitepaper outlines that there are now more phishing tactics than ever before, from vishing (voice), angler phishing (social media) to smishing (SMS phishing). Therefore, it is crucial that businesses prioritise how they can protect themselves and their users from falling victim to an attack. To get started, it is crucial that organisations invest in the right solutions to create a layered prevention toolkit, but what should this consist of?

Protecting IT Systems with Software Solutions

Technology solutions can support businesses by acting as a layer of security protection to help identify, stop and block potential phishing threats from entering the network. But, with the evolution of phishing tactics, it is crucial that organisations deploy the right digital tools across the business to cover every potential attack entry point.

Email is the leading attack vector used by cybercriminals to deliver phishing, ransomware and malware attacks. The first step in preventing phishing via email, is to ensure that businesses have the right protection in place at the time of receiving and handling emails; such as email attachment sandboxing; anti-phishing protection; data loss prevention tools (DLP) and outbound email protection.

Innovative technologies such as machine learning can be used to scan emails for possible phishing scams by comparing links to known phishing data. If phishing is suspected, the malicious links are removed from the email message to mitigate any chance of the user clicking on them. Additionally, DLP tools help to stop sensitive information from leaving the organisation at the time an employee sends an email by offering a crucial double-check. For example, DLP tools can be used to prevent emails from being sent to the wrong person, as when a user clicks ‘send’ they are asked to confirm the email address(es) for the recipient(s) they are sending it to.

The initial step of having email security in place helps to neutralise malicious links before they enter the user’s inbox. But with the emergence of zero-day threats, having website security, such as URL sandboxing, has become a necessity. This is because phishing emails will often redirect a recipient to a website to enter personal information. Therefore, when a user clicks on a URL in an email, the destination web page and its content can be automatically sandboxed – where the user will be shown a detailed block page with a sanitised live preview of the page they are trying to access – shielding the business from any potentially malicious payloads.

Empowering Users with Education and Training

Digital tools can help to identify and stop potential phishing emails – but these technologies are not the complete solution. Employees need to also be regularly made aware of existing threats, wherever they are working and on whatever device they are using – which is especially important in the hybrid working environment.

No phishing prevention plan is effective without users understanding the threat landscape. Human intervention is sometimes the only way of spotting or stopping a phishing attempt. Therefore, it is crucial that businesses implement a security and phishing awareness training programme which educates users

on the different types of phishing and potential threats. Such education should be continuous and conducted on a regular basis throughout the year – not just a one-off tick box session. This is because cyber threats constantly evolve – so if the training is out of date – so is the business’s security protection.

It is vital that this training includes phishing simulations and penetration testing so that employees can face real-life scenarios. This type of education will help identify areas of weakness where organisations need to provide support to employees through additional training, for example, and will help businesses to continuously assess the success of a phishing awareness programme.

Conclusion

Investing in a phishing toolbox is essential to fully protect your organisation against ever-changing attacks and zero-day threats delivered via SMS, phone, and email. By implementing the right technology, combined with user education and security awareness training to give all-around protection, businesses can carefully manage and avoid phishing threats. As the growth of the cyber security threat landscape shows no signs of slowing down, organisations can be reassured that they have the necessary protective layers in place to combat the modern threat landscape by using the right tools and training.