Looking for anti-phishing solutions? Worried about increasing incidents of data breaches and security threats?
 
This article tells you everything you need to know about how to prevent a phishing attack on your organization.
 
If you are an IT administrator, use our actionable tips, step-by-step guides, and best practices to make sure that your data is safe.
 

 

Don’t have time to read the whole guide right now?

No worries. Download the guide as a PDF and read it on the go.

 

Yes! Give me the PDF
 

 

 

The Relentless Growth of Phishing Attacks

Phishing attacks are the oldest and most effective online threats. Cybercriminals use phishing to obtain sensitive information such as usernames, passwords, and financial details from unsuspecting individuals.

As phishing attacks become more sophisticated, organizations around the world are facing the heat. It takes just one employee to take the bait and that’s enough for attackers to steal intellectual property, login credentials, bank account information, and much more.

Data published by Symantec shows a 49% growth of phishing attacks from January 2017 to May 2018.
original graph

According to Andrew Conway, General Manager for Microsoft 365 Security, about 80% to 90% of the data breaches that his team saw were attributed to phishing. Even though Microsoft and others are taking steps to detect these attacks before they hit a user’s inbox, such algorithms can’t catch all of them — and then it’s up to the user to know what to do!

 
Here is a first-hand account from an IT administrator who bore the brunt of a phishing attack.
original reddit
In addition to financial loss and potential loss of reputation for the targeted company, phishing attacks can dramatically increase workloads for IT administrators.
 

So, What Exactly Is Phishing?

When a criminal sends an email pretending to be someone – for example, the CEO of an organization – or something he’s not representing – such as a brand, in order to extract sensitive information from the target, it’s called a phishing attack or a phishing scam.

What are the different types of phishing attacks?

A phishing attack can come in different forms. We picked out 7 different types of phishing scams that account for most of these attacks.

1. Business Domain Impersonation

Business Domain Impersonation happens when an impostor creates a fake brand/company website to conduct activities that can harm the target brand and its customers.

Here is an example of how an employee of Disney fell prey to a phishing scam and sent over $700,000 to someone she believed to be a Disney vendor.

domain (1)

2. Brand Impersonation

Brand Impersonation refers to the phishing scam wherein the attacker sends an email that appears to be from a trusted brand or directs a potential victim to a website that resembles a popular brand to gain access to confidential data. These emails or websites could resemble a well-known bank, a credit card company, an e-commerce portal, or even a government agency.

Here is an example: A lot of unsuspecting individuals received the Netflix Account Disabled! notification email. Upon clicking a button in the email, they were prompted to enter their credit card details. Of course, the email was a scam, and if an unsuspecting victim had entered the credit card information, the attacker would have had instant access to the credit card information.

original4

3. Suspicious Link

Spammers sometimes hide the URL that’s embedded in their message. The URL visible to the victim usually displays a known domain such as a Google document; however, the actual URL would point to a malicious domain.

The 2017 Anti-Phishing Working Group report says that people are often fooled by URL shorteners – which hide the destination domain – or by brand names inserted in the URL.
Here is an example of a suspicious link:
original5
The display link looks like a Google Docs file, but the actual destination is a blacklisted page.

4. Name Impersonation

Name Impersonation is a type of phishing attack in which a cybercriminal claims to be a known individual and gathers sensitive information from a targeted victim. For instance, imitating a C-suite employee – CFO or CEO – and attempting to steal employee or supplier information.
nme (1)
John Kahlbetzer, the founding member of a well-known Australian company, lost $1 million to a name impersonation phishing attack.

5. Content Injection

Content injection is a type of phishing attack where the attackers use a set of macro codes to create an infected email attachment or a visual content. Clicking on this attachment will either lead the victim to a phishing page or result in the download of a malware from a remote server.

original7

6. Man-In-The-Middle Attack

Man-in-the-middle is a form of phishing attack where communication between two users are monitored and modified by an unauthorized party.

Here is an example of a phishing attack that came to light in Europe. The attackers used sophisticated techniques to intercept corporate email communications and made payment requests.

original8

7. Search Engine Attack

Hackers publish malicious pages and rank them on search engines or run paid ads to attract victims to their sites. Clicking on these search results or ads will take the user to a phishing page.

In the screen below, you will see how one attacker managed to place a legitimate ad on Google.
original9
As you can see from these examples, a phishing attack can strike your organization in many shapes and forms.

We have put together fifteen actionable steps that you can immediately rollout to dramatically improve the chances of shielding your company from phishing scams.
 

15 Easy Hacks to Prevent a Phishing Attack

1. Use spam filter for Gmail and Office 365/Outlook

Spam is an email with failed validation protocols like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The status of these protocols indicates whether the domain and the IP address are authorized to communicate with your domain or not.

All email applications provide IT administrators the option to configure spam filters; however, there is a fine line between stopping malicious emails or spam and blocking legitimate emails that could impact your organization’s business!

Here is how you can configure the spam filter settings for Gmail:

  • Go to “Gmail Admin Console.”
  • Choose “G Suite” from the “Apps Tab.”
  • Select “Settings for Gmail”→“Advance Settings”→“Spam Settings.”

new1
Gmail also provides users with the option to report spam as well as phishing emails. The only catch is that as an IT administrator, your role goes beyond managing spam settings. You may also have to educate the employees in your network to report suspicious emails.
spoof
G Suite administrators can also access a report on spam detected in their network. By analyzing the spam report, an administrator can gain useful insights such as:

  • Unsafe browsing behavior: Any unusual spike in the spam graph can be a result of users visiting unauthorized websites.
  • Irrelevant subscriptions: Personal subscriptions using a business email address can trigger a jump in spam.
  • Pretexting attacks: A sudden growth in spam could indicate the possibility of attackers attempting to gather personal details of employees before launching a phishing attack.

Spam Filtering in Office 365
Office 365 also has a comprehensive set of features to control spam. This feature is available for all subscription levels.

Go to “Admin”→“Security and Compliance”→“Home”→“Mail filtering”→“Anti-spam settings”
new3
The admin can choose standard settings or customize it.

new4

2. Use Multi-Factor Authentication

When attackers manage to get an employee in your network to click on a malicious link sent via a phishing email, you could still save the day for your organization if you had implemented a multi-factor authentication system.

We recommend at least a 2-factor authentication system in place; however, for sensitive applications in your network, adding more levels of authentication is advisable.

Here is how you can piece together a multi-factor authentication system for your organization.

  • Password
    Make sure you have implemented a mandatory password policy. You can refer to this TechNet article in case you don’t have a password policy yet.
  • Google Authenticator
    Integrate Google Authenticator with your applications. It is an app that generates 2-Step verification codes on your mobile device. In addition to your password, you’ll also need a code generated by the Google Authenticator app on your phone to sign-in to an account. Refer to this Asaf article to enable Google Authenticator for your applications.

   A popular alternative for Google Authenticator is Duo Security.

  • Security Code
    Another way to prevent unauthorized access is by enabling the security code settings in your email account. All subscription plans of G Suite and Office 365 – except trial versions – enable users to get a security code on their mobile device to verify their identity. The administrator can also set the mode of communication for receiving the security code – as a text message or a call.
  • USB Device as Authenticator/Signature Device
    Critical applications or sensitive data stored in your network can be protected with the help of a USB device. The USB authentication will require employees to insert the USB device encrypted with the signature and enter a security code to access the application. Yubico is one such authentication device.

3. Configure Email for Secure Data Flow

DomainKeys is an email authentication mechanism that verifies the credibility of the emails generated from a domain. Emails with authenticated DomainKeys are termed as DomainKeys Identified Mail (DKIM)-Passed. Using this DKIM protocol, the administrator can whitelist various business domains to prevent phishing attacks from external domains.

Below is the image of Google Interface that allows the administrator to add DKIM for email authentication.
new6
Email service providers give a preview of the data sharing activities happening from your domain to an external domain.
new7
In the above images, you can notice an unusual sharing activity on May 14, 2018. Such unusual data transfer needs to be identified and questioned, as any confidential data shared with an external domain can put your organization at risk.

How to enable/disable email authentication and file sharing settings for Gmail:
For enabling email authentication:

  • Go to “Admin console”→“Apps”→“G Suite”→“Gmail Suite”→“Settings for Gmail”→“Authenticate Email”
  • Customize the outgoing email settings with DKIM authentication

For enabling secure sharing settings:

  • Go to “Admin console”→“Apps”→“G Suite”→“Settings for Drive and Docs”
  • Select the suitable option and apply for your domain

How to enable/disable sharing settings for Office 365:

In Office 365, email authentication is an inbuilt feature.

 

  • Go to “Admin”→“Service Settings”→“Sites and Documents Sharing”
  • Select one of the following options accordingly:
    1. Turn on external sharing
    2. Turn off external sharing

new8

4. Monitor Suspicious External Sites

Fake external websites and links are easy baits for unsuspecting users. Hackers create fake websites that resemble some popular and credible sites. Even if the web page looks legitimate, you will notice that the URL of the page will be different from the original site.
 
new9
For example, if you happen to enter your credentials in this fake Amazon sign-in page, the attacker can have access to your Amazon account.

How do you determine if an external site is genuine or fake?
The following factors should be assessed before classifying a website as safe/unsafe:

  • Search traffic
  • Engagement
  • Popularity
  • Unique visitors

The Alexa rank for a website can provide a pointer to the credibility of the website.

For example, the following image shows the Alexa rank for www.google.com.
new10
new11
If you were looking at a duplicate version of the Google website, the Alexa stats will be different.
It is recommended to use a third party tool like SysCloud Phishing Security to automate the flagging of suspicious websites that users in your network might have visited.

5. Perform Real-Time Scan

IT administrators can use third-party tools to perform a real-time scan on the data stored within their organization.

SysCloud Phishing Security is one such real-time scanning application. This application allows the administrator to detect and remove threats from a domain. It covers G Suite as well as Office 365 applications.

How to perform a real-time scan with SysCloud Phishing Security application:

  • Go to G Suite Marketplace and search for SysCloud Security and Backup. Install and launch the app.
  • Go to “Admin console”→“Data Loss Prevention”→“Sharing Insights”
     
    99
  • Select the domain from the domain drop-down menu and click on “SCAN NOW” to see the results

pi2
Real-time scan enables you to:

  • Look into the collaborators of a particular document
  • Detect data leaks
  • Receive details about the threats from scan results

pi3
Analyzing these reports at regular intervals will allow you to detect possible phishing attacks.

6. User and Entity Behavior Analytics (UEBA)

User and Entity Behavior Analytics (UEBA) refers to the process of tracking user data and activities to detect anomalies. The UEBA software can analyze domain data logs to identify the pattern of traffic caused by the employees/users – both normal and malicious. This helps IT administrators to monitor employee activities and prevent them from accessing unauthorized data.

For example, if you are using Office 365 with the enterprise E5 subscription plan, there is an option called Audit log, wherein the administrator can define suspicious activities for their domain.

The below image shows the “Security & Compliance” page of Office 365, wherein the administrator can search for suspicious activities.
pi4
You can create a new alert policy by clicking on the “+New alert policy” option. Enter the details in the next page and click on “Save” option.
neeee (1)
If you are not using Office 365, you can also choose from third-party UEBA tools. Here is a list of UEBA vendors published by Gartner.

pi6

7. Implement Solutions for Malware and Spyware

Malware and spyware come in different shapes and forms such as trojans, worms, virus, ransomware, spyware … to name a few. Every malware is unique and created with a specific objective.
Some of these objectives are to:

  • Steal confidential data
  • Use the victim’s IT Infrastructure as a host for a mass phishing attack
  • Demand a ransom by encrypting the files

In 2017, WannaCry ransomware made big headlines as it caused significant financial loss amounting to billions of dollars across hundreds of countries.
pi7
IT administrators should consider implementing endpoint security solutions that can detect and block malicious malware attacks originating from both compromised as well as external domains. Endpoint solutions also provide IT administrators with the ability to rapidly respond to new threats and properly investigate and clean up the network after an attack.

Here is the 2017 Gartner peerinsights report on the best endpoint solutions chosen by customers.

pi8

For a direct comparison of anti-malware security solutions, refer to the comparison table from the PC Magazine.

8. Implement Secure Document Sharing

IT administrators should implement processes to govern document-sharing policies within and outside the domain.

Internal to the Domain:
For G Suite, enabling the “Authorised Email gateways – SMTP” option can whitelist all the channels – like gappssmtp – used for internal communication.

To enable this option, go to “Admin Account→Apps→G Suite→Settings for Gmail.”
pi11
This will prevent emails with unauthorized SMTP addresses from being accessed by employees.
For example, in the image below, syscloud.com” is spoofed through the smtpservice.net” portal and a phishing link is sent to the employees. Administrators can prevent this from happening by whitelisting all the channels for internal communication.
pi9
External to the Domain:
Communication with an unauthorized external domain may put your organizational data at risk. Cyber attackers often use spoofing to steal sensitive data. For example, “abc@businessdomain.com” and “abc@businessdomain.co” look similar, but they are two different domains.
pi10
A general best practice will be to always whitelist alias domains and encourage users to report suspicious emails from external domains as spam/phishing.

Private among Few Users of the Same Domain:
IT administrators can create multiple internal groups within their domain. This makes communication easier among a group; however, groups can also make it easy for attackers to carry out name-impersonation phishing attacks. A single email can reach a number of potential victims in your organization. For example, “management@acme.com” can give the attacker the opportunity to target all key members of the group using a single email.

Administrators should always consider disabling group email addresses for all external communications. It’s also not advisable to add local administrators to manage email groups.

9. Prevent Phishing on Your G Suite Domain

G Suite provides different options to prevent phishing attack in your business domain. To enable these options, follow the steps given below:

  • Go to “Admin Account” →“Apps”→“G Suite”→“Security.”

0

  • 2-Step Verification: Enabling this option will provide a multi-factor authentication for the users in your domain.

00

  • Access Permission for Only Trusted Apps: Enabling this option will prevent suspicious apps from accessing your data.

qi
To enable the following options, go to “Admin Account”→“Apps”→“G Suite”→“Settings for Gmail” and select the “Enable” radio button.

  • Avoid Unsafe Attachments: Enabling this option will protect the user from receiving attachments via suspicious emails.

qi4

  • Links and External Links: Enabling this option will help the admin to block unsafe links and images.

qi5

  • Spoofing and Authentication: Enabling this option will stop name impersonation/spear phishing attacks.

qi6

10. Enable Office 365 Phishing Protection

For Office 365 users, ATP anti-phishing protection – part of Office 365 Advanced Threat Protection – is available for Office 365 Enterprise E5 subscription plan.

To protect your organization from phishing attacks, you can set up an ATP anti-phishing policy:

  • Go to protection.office.com and sign in with your work or school account.
  • Choose the “Office 365 Security & Compliance Center” option.
  • In the left navigation pane, choose the following: “Threat management”→“Policy”→“ATP anti-phishing.”

qi7

  • To add a new policy, click on “Create” option.
  • To edit an existing policy, click on the specific policy name and choose “Edit policy” option.

qi8

  • Specify the name, description, and settings for your policy.
  • Click on “Create this policy” or “Save,” as required.

qi9

11. Enable Secure Browsing with Virtual Desktop Infrastructure

Deploying a Virtual desktop infrastructure (VDI) could provide IT administrators better control over potential threats such as a phishing attack.
 
VDR
How does VDI prevent phishing?
Using VDI, the administrator would have a greater control and visibility on what the users are doing. For example, you can view a log of all the websites and links attributed to all the users in the network. Administrators get instant access to a detailed activity report, including the location, IP address, and user details to identify data leak and potential threats to the server data.

Because the data does not reside on the user’s computers or mobile devices, there is added security against hackers who might have launched a phishing attack to access data stored in the victim’s computing device.

VDI has now evolved into Desktop as a Service (DaaS) and provides out-of-the-box security features like firewall, antivirus, and malware protection and pre-built security policy templates. Citrix, Amazon, Microsoft, and VMware are the major DaaS vendors in the market.

12. Deploy Password Alert Extension for G Suite

“Password Alert” is a Chrome extension that gives additional login protection for G Suite users. This extension scans each website visited by the user for page impersonation.

Password alert extension notifies the administrator if a user enters their G Suite credentials anywhere else – other than the Google sign-in page. It also gives an option for the administrator to enforce deployment of the Password Alert Chrome extension on users’ laptops and mobile devices.

To access this option, go to “Device management”→“App Management”→“Password Alert.”

Select “Force installation” under “User Settings and Public session settings.”
 
ei1

13. Use Encryption for Data Transmission

Data encryption allows administrators to ‘lock’ the data and make it unusable without a password. The encrypted data is known as “Ciphertext” and can be decrypted only with a key or a password – That’s how an encryption protects.

Encryption

Gmail and Outlook provide out-of-the-box encryption options for administrators. Administrators can set outbound email communication for either Transport Layer Security (TLS) – standard encryption or S/MIME – enhanced encryption.

To enable email encryption in Outlook, follow these steps:

  • Go to File tab, click on “Options→Trust Center→Trust Center Settings→Email Security.”
  • The encryption setting will be on the right pane of the window in the section “Email Security.”
  • Click on “Encrypt contents and attachments for an outgoing message.”
  • Click on “OK” to finish the process.

Email encryption in Outlook

G Suite Enterprise and G Suite Education users can set S/MIME encryption by following the given steps. Please note that G Suite Basic and Business editions do not have this feature.

  • Scroll down to the S/MIME setting and check the “Enable S/MIME encryption for sending and receiving emails” option.
  • Under the “Organizations” option, select the domain or organization you want to configure.
  • Go to “Apps→G Suite→Gmail→User settings.”
  • Open Google Admin console.
  • Optional setting: If you want to let users upload certificates, click on “Allow users” option.
  • Additional controls: If you want to upload and manage root certificates, use the S/MIME trusted certificates controls:
    • Click on “Add to Accept these additional Root Certificates” for specific domains
    • Click on “Upload Root Certificate.”
    • Browse to select the certificate file and open it.
    • From the “Encryption level” option, select the encryption level that needs to be used.
    • Under the “Address list,” enter at least one domain that will use the root certificate.
    • Click on “Save.”

14. Enable OAuth

Open Authorization helps the administrator in controlling the accessibility of third-party applications – like Facebook – from fetching the employees’ confidential data.

Google applications use two forms of OAuth:

  • Two-Legged OAuth (For administrator-managed applications):

Here, the administrator controls the permission settings for all the applications. This defines the scope of access to employees’ data by third-party applications.

two legged authentication

  • Three-Legged OAuth (For user-managed applications):

three legged authentication

Usually, an employee can download applications from G Suite Marketplace and install it on their devices. In three-legged OAuth, employees require the administrator’s permission to install any third-party application.

In G Suite, Administrators can set OAuth by following these steps:

  • Go to “Admin console→Security→Advanced Settings→Authentication.”
  • Click on“Manage API client access.”

Manage API clients

In Office 365, the administrator can set the OAuth settings by following these steps:

  • Connect to Exchange Online PowerShell.
  • Do any one of these steps:
    • Run this command to enable modern authentication in Exchange Online:
      • Set-OrganizationConfig – OAuth2ClientProfileEnabled $true
    • Run this command to disable modern authentication in Exchange Online:
      • Set-OrganizationConfig – OAuth2ClientProfileEnabled $false
    • To verify that the change was successful, run this command:
      • Get-OrganizationConfig | Format-Table – Auto Name, OAuth*

15. Communicate the Latest Attacks

In spite of the security measures taken by IT administrators, some malicious emails may still find their way to inboxes undetected.

To prevent such events, it is necessary to create awareness among the employees about the latest threats and how new techniques are being used for phishing.

Here are some of the successful scams that target employees:

  • Dropbox Scam: An email that’s designed to look like a Dropbox notification can easily infect the organization network with malware.

mi2

  • DHL parcel scam: Here, users are asked to verify their personal details for parcel delivery.

mi3

  • FedEx Scam: This is a package delivery scam. In the below image, clicking on the “here” option will download malware into the system.

mi4
How can administrators stay informed about the latest phishing threats?
Administrators can use Google Alerts to stay updated about the latest phishing attacks.

Here is an example of an automated update from Google Alerts.
alert1 (1)
Here is how you can set up Google alerts:

alert2 (1)
The administrator can also forward these emails to employees by adding a filter.
To add a filter, follow these steps:

  • Go to the Google Alert email in your inbox.
  • Click on “More”→“Filter messages like these”→“Don’t include chats”→“Continue.”
  • From the “What happens when the message arrives” setting, click on “Forward to:” option to add the respected group of people.
  • Click on “Create filter” option.

hth

16. Use Third-Party Tools

SaaS providers like SysCloud help users to spot suspicious emails and provides IT administrators with real-time data to take proactive actions and implement policies. While vendors like SysCoud provide coverage for cloud applications like G Suite and Office 365, other vendors may provide a wider coverage.
B&S1
Here is how third-party tools like SysCloud help in protecting your network from a phishing attack.

How to create a phishing policy?

  • Create an account with SysCloud.
  • Click on “Compliance” tab→“Policies.”

142

  • Click on “Create Policy” to create a new policy.

242

  • A new policy will be created with the standard name “Phishing policy_MM/DD/YYYY HH:MM:SS” – You can enable the policy for the entire domain, or individuals, or business units accordingly.

342

  • Define the cloud applications that will be covered by the phishing policy. The administrator can select G Suite, Office 365, or both.

442

  • Select the protection level.

542

  • The administrator can define real-time actions against phishing attacks:
    a. Audit only: This action will retain the infected email in the inbox, but it will report the issue in the admin console.
    b. Add banners and labels to email: This action will add caution banners and quarantine labels to the flagged email.
    c. Move to trash: This action will move the email to the spam folder.

642

  • Exception management is an add-on feature for users. Here, users can raise an exception query if they feel that the received email is safe.

742

  • Click on  Finish & Active” button to enforce the policy.

442

17. Use a Phishing Simulator

Phishing simulators can be used to check the state of awareness among employees about suspicious emails. Specifically, simulators are meant to help employees understand key aspects of a phishing attack. This includes:

      • What is phishing?
      • What does it look like?
      • The dangers of opening emails with enticing subjects
      • Perils of emails prompting you to take action immediately
      • Brand impersonation and domain impersonation

Anti-phishing vendors offer phishing simulators either as a free tool or as a part of their service offering. Here are some of the options that IT administrators can evaluate:

      • SecurityIQ PhishSim
      • Gophish
      • LUCY
      • Simple Phishing Toolkit (sptoolkit)
      • Phishing Frenzy
      • King Phisher
      • SpeedPhish Framework (SPF)
      • SpearPhisher BETA

If you have implemented Office 365, and also have Enterprise E5 subscription plan – which is the highest subscription level – you can simulate phishing attacks.

An Office 365 administrator has three attack options to choose from for a selected set of employees. The three phishing attack options available include:

  1. Spear Phishing Attack,
  2. Brute-force Password Attack, and
  3. Password spray Attack.

LA1
XA
For configuring a spear-phishing attack, the administrator can configure the email by editing the HTML code to make it more believable. For password-spray attacks and brute-force attacks, the simulator provides an option for the IT administrator to choose the password to be used on a group of employees or a targeted individual respectively.

After the simulation is completed, administrators can access data on how successful the attacks were. Remedial actions such as training sessions, multi-factor authentication solutions or any other recommended approach can be implemented based on the results of the simulation.

If you have follow-up questions or want to learn more about SysCloud, please contact us.
 

 

Leave a Reply