Looking for anti-phishing solutions? Worried about increasing incidents of data breaches and security threats?
This article tells you everything you need to know about how to prevent a phishing attack on your organization.
If you are an IT administrator, use our actionable tips, step-by-step guides, and best practices to make sure that your data is safe.
The Relentless Growth of Phishing Attacks
Phishing attacks are among the oldest and still the most effective online threats. Cybercriminals use phishing to obtain sensitive information such as usernames, passwords, and financial details from unsuspecting individuals.
As phishing attacks become more sophisticated, organizations around the world are facing the heat. It takes just one employee to take the bait and that’s enough for attackers to steal intellectual property, login credentials, bank account information, and much more.
Data published by Symantec shows a 49% growth of phishing attacks from January 2017 to May 2018.
According to Andrew Conway, General Manager for Microsoft 365 Security, about 80% to 90% of the data breaches his team saw were attributed to phishing. Even though Microsoft and others take steps to detect these attacks before they reach a user’s inbox, such filters cannot catch all of them, and then it is up to the user to know what to do.
Here is a first-hand account from an IT administrator who bore the brunt of a phishing attack.
SO, WHAT EXACTLY IS PHISHING?
When a criminal sends an email pretending to be someone (for example, the CEO of an organization) or something (such as a brand) that they are not, in order to extract sensitive information from the target, it is called a phishing attack or a phishing scam.
What are the different types of phishing attacks?
A phishing attack can come in different forms. We picked out 7 different types of phishing scams that account for most of these attacks.
1. Business Domain Impersonation
Business Domain Impersonation happens when an impostor creates a fake brand/company website to conduct activities that can harm the target brand and its customers.
Here is an example of how an employee of Disney fell prey to a phishing scam and sent over $700,000 to someone she believed to be a Disney vendor.
2. Brand Impersonation
Brand Impersonation is the phishing scam in which the attacker sends an email that appears to come from a trusted brand, or directs the victim to a website that resembles a popular brand, in order to harvest confidential data. These emails or sites may imitate a well-known bank, a credit card company, an e-commerce portal, or even a government agency.
Here is an example: many unsuspecting users received a “Netflix Account Disabled!” notification email. Clicking the button in the email led to a page that prompted for credit card details. The email was a scam, and any card details entered went straight to the attacker.
3. Hidden and Misleading URLs
Phishers often hide the real destination of a link. The visible link text usually shows a known domain, such as a Google Docs address, while the href underneath points to a malicious domain, so what the user sees and where the browser actually goes are two different things.
The 2017 Anti-Phishing Working Group report says that people are often fooled by URL shorteners, which hide the destination domain, or by a brand name inserted somewhere in the URL (for example as a subdomain of an unrelated domain).
Here is an example of a suspicious link:
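To make the mismatch concrete, here is an added example, not from the original article, that pulls every link out of an HTML email body and flags the three patterns described above: link text that names one host while the href goes to another, a URL shortener, and a protected brand name used as a label inside an unrelated domain. The sample HTML, the brand list and the shortener list are constructed for illustration, and the two-label “registrable domain” guess is an assumption (a real deployment should use the Public Suffix List).

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample email body; it is not taken from a real campaign.
SAMPLE_HTML = """
<p>Your account will be disabled. Review it at
<a href="https://netflix.com.account-review.example/login">https://www.netflix.com/account</a></p>
<p>Shared file: <a href="https://bit.ly/3xyzabc">Open the Google Doc</a></p>
<p>Newsletter: <a href="https://www.example.com/news">www.example.com/news</a></p>
<p>Policy doc: <a href="https://docs.google.com/document/d/abc">docs.google.com/document/d/abc</a></p>
"""

# Assumed lists; tune them for your environment.
PROTECTED_BRANDS = {"netflix.com", "google.com", "paypal.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> Optional[str]:
    """Lower-cased host if the string looks like a URL or bare hostname, else None."""
    if not text or " " in text.strip():
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlsplit(candidate).hostname
    return host.lower() if host and "." in host else None


def registrable(host: str) -> str:
    """Assumption: registrable domain = last two labels (use the Public Suffix List in production)."""
    return ".".join(host.split(".")[-2:])


def brand_in_wrong_place(host: str) -> Optional[str]:
    """A protected brand used as a label inside an unrelated registrable domain."""
    if any(host == b or host.endswith("." + b) for b in PROTECTED_BRANDS):
        return None  # really on the brand's own domain
    reg = registrable(host)
    for brand in PROTECTED_BRANDS:
        if brand in host and reg != brand:
            return brand
    return None


def analyze_links(html: str) -> List[Dict[str, object]]:
    """Return one finding per anchor with the reasons it looks suspicious (if any)."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons: List[str] = []
        href_host = host_of(href)
        text_host = host_of(text)
        if href_host is None or urlsplit(href).scheme not in ("http", "https"):
            reasons.append("href is not a plain http(s) URL")
        else:
            if text_host and registrable(text_host) != registrable(href_host):
                reasons.append(f"link text shows {text_host} but href goes to {href_host}")
            if registrable(href_host) in SHORTENERS:
                reasons.append("URL shortener hides the destination")
            brand = brand_in_wrong_place(href_host)
            if brand:
                reasons.append(f"brand {brand} embedded in unrelated domain {registrable(href_host)}")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_HTML):
        print("SUSPICIOUS" if finding["suspicious"] else "ok        ", finding["href"], finding["reasons"])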
4. Name Impersonation
Name Impersonation is a type of phishing attack in which a cybercriminal claims to be a known individual and gathers sensitive information from a targeted victim, for instance by imitating a C-suite employee such as the CFO or CEO and requesting employee or supplier data.
5. Content Injection
Content injection is a type of phishing attack in which the attacker uses macro code to build a malicious email attachment or image. Opening the attachment either sends the victim to a phishing page or downloads malware from a remote server.
6. Man-In-The-Middle Attack
Man-in-the-middle is a form of attack in which the communication between two parties is intercepted, read and modified by an unauthorized third party. In phishing, the attacker typically inserts themselves into an existing email conversation and alters it.
Here is an example of a phishing attack that came to light in Europe: the attackers used sophisticated techniques to intercept corporate email communications and inserted their own payment requests.
7. Search Engine and Paid-Ad Phishing
Attackers publish malicious pages and either get them ranked in search engines or run paid ads to draw victims to their sites. Clicking such a search result or ad takes the user to a phishing page.
In the screenshot below, you can see how one attacker managed to place a legitimate-looking ad on Google.
We have put together seventeen actionable steps that you can roll out immediately to dramatically improve your chances of shielding your company from phishing scams.
17 Easy Hacks to Prevent a Phishing Attack
1. Use spam filter for Gmail and Office 365/Outlook
Spam filters lean heavily on email authentication protocols such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF tells a receiving server which IP addresses are authorized to send mail for a domain, and DKIM lets it verify a signature that the sending domain placed on the message; a message that fails these checks is very likely spoofed and is a prime candidate for the spam or quarantine folder.
All email applications provide IT administrators the option to configure spam filters; however, there is a fine line between stopping malicious emails or spam and blocking legitimate emails that could impact your organization’s business!
Here is how you can configure the spam filter settings for Gmail:
- Go to “Gmail Admin Console.”
- Choose “G Suite” from the “Apps Tab.”
- Select “Settings for Gmail”→“Advanced settings”→“Spam settings.”
Gmail also provides users with the option to report spam as well as phishing emails. The only catch is that as an IT administrator, your role goes beyond managing spam settings. You may also have to educate the employees in your network to report suspicious emails.
Administrators can also access a report on spam detected in their domain. By analyzing the spam report, an administrator can gain useful insights such as:
Unsafe browsing behavior: Any unusual spike in the spam graph can be a result of users visiting unauthorized websites.
Irrelevant subscriptions: Personal subscriptions using a business email address can trigger a jump in spam.
Pretexting attacks: A sudden growth in spam can also be a sign that attackers are gathering personal details of employees before launching a targeted phishing attack.
Spam filtering in Office 365 also has a comprehensive set of features to control spam, and it is available at all subscription levels.
Go to “Admin”→“Security and Compliance”→“Home”→“Mail filtering”→“Anti-spam settings”
The admin can choose standard settings or customize it.
2. Use Multi-Factor Authentication
When an attacker gets an employee to click a malicious link and type a password into a fake login page, multi-factor authentication (MFA) can still save the day: the stolen password alone is not enough to sign in.
We recommend at least two-factor authentication for every account; for sensitive applications, use stronger factors. Note that not every second factor resists phishing. A phishing site that proxies the real login page can relay a one-time code the moment the victim types it, whereas phishing-resistant factors such as hardware security keys (see below) give the attacker nothing reusable.
Here is how you can piece together a multi-factor authentication system for your organization.
Make sure you have implemented a mandatory password policy. You can refer to this TechNet article in case you don’t have a password policy yet.
Integrate Google Authenticator with your applications. It is an app that generates 2-Step Verification codes on the user’s mobile device: in addition to the password, the user needs the current code from the app to sign in to an account. Refer to this article by Asaf to enable Google Authenticator for your applications.
A popular alternative for Google Authenticator is Duo Security
Another way to prevent unauthorized access is by enabling the security code settings in your email account. All subscription plans of G Suite and Office 365, except trial versions, let users receive a security code on their mobile device to verify their identity. The administrator can also set how the security code is delivered, as a text message or a call. Bear in mind that codes delivered by SMS or voice call are the weakest second factor: they can be intercepted through SIM-swap fraud or relayed by a phishing site, so treat them as a fallback rather than the primary factor.
USB Device as Authenticator/Signature Device
Critical applications and sensitive data in your network can be protected with a hardware security key. The key holds a private key that never leaves the device; to sign in, the employee plugs the key in and touches it (some deployments also require a PIN or security code). With the FIDO U2F/FIDO2 protocols the key’s response is bound to the origin of the genuine site, so a phishing page on a lookalike domain cannot obtain a usable response. Yubico’s YubiKey is one such authentication device.
3. Configure Email for Secure Data Flow
DomainKeys Identified Mail (DKIM) is an email authentication mechanism: the sending domain signs its outgoing messages with a private key, and receivers verify the signature against a public key published in the domain’s DNS. A message whose signature verifies is reported as DKIM-passed. Setting up DKIM (together with SPF and a DMARC policy) does not whitelist anyone; rather, it lets receiving servers, including your own, reject or quarantine mail that claims to come from your domain but was not sent through your authorized infrastructure.
Below is the image of Google Interface that allows the administrator to add DKIM for email authentication.
Email service providers give a preview of the data sharing activities happening from your domain to an external domain.
In the above images, you can notice an unusual sharing activity on May 14, 2018. Such unusual data transfer needs to be identified and questioned, as any confidential data shared with an external domain can put your organization at risk.
How to enable/disable email authentication and file sharing settings for Gmail:
For enabling email authentication:
- Go to “Admin console”→“Apps”→“G Suite”→“Settings for Gmail”→“Authenticate email”
- Customize the outgoing email settings with DKIM authentication
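The spam-filter step earlier and the DKIM setup here both rest on the same receiver-side logic, so here is one added example, not from the original article, that shows it end to end: parse the Authentication-Results header a receiving server stamps on a message, check whether the SPF-authenticated domain or the DKIM signing domain aligns with the visible From: domain, and apply the From domain’s published DMARC policy. The message and the DMARC TXT records are constructed (a real receiver queries _dmarc.<domain> in DNS), the two-label organizational-domain guess is an assumption, and the domain names are placeholders.

```python
import email
import email.utils
import re
from typing import Dict, Optional

# Constructed inbound message (not a real capture). The relay that sent it passes
# SPF and DKIM for its own domain, but the visible From: claims syscloud.com.
SAMPLE_MESSAGE = b"""\
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=bounce.smtpservice.example;
    dkim=pass header.d=smtpservice.example header.s=sel1
From: "IT Helpdesk" <helpdesk@syscloud.com>
To: employee@example.net
Subject: Password expiry notice

Please reset your password using the link below.
"""

# Constructed DMARC records keyed by organizational domain. A real receiver
# queries the TXT record at _dmarc.<domain> instead.
DMARC_RECORDS = {
    "syscloud.com": "v=DMARC1; p=reject; rua=mailto:dmarc@syscloud.com; aspf=r; adkim=r",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels (use the Public Suffix List in production)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> Dict[str, Dict[str, str]]:
    """Extract method results (spf, dkim, ...) and their properties from Authentication-Results."""
    results: Dict[str, Dict[str, str]] = {}
    for clause in " ".join(header.split()).split(";")[1:]:  # clause 0 is the authserv-id
        match = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
        if not match:
            continue
        method, result, rest = match.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[method] = {"result": result, **props}
    return results


def evaluate(raw: bytes) -> Dict[str, object]:
    """Decide deliver/quarantine/reject from the authentication results and the DMARC policy."""
    msg = email.message_from_bytes(raw)
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    dmarc = parse_dmarc(DMARC_RECORDS.get(org_domain(from_domain), ""))

    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1]  # may be an address or a domain
    spf_ok = spf.get("result") == "pass" and aligned(spf_domain, from_domain, dmarc.get("aspf", "r"))
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d"), from_domain, dmarc.get("adkim", "r"))
    dmarc_pass = spf_ok or dkim_ok  # either aligned identifier satisfies DMARC

    policy = dmarc.get("p") if dmarc else None
    if dmarc_pass or policy not in ("quarantine", "reject"):
        action = "deliver"  # no record, p=none, or the message authenticated
    else:
        action = policy
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": dmarc_pass, "policy": policy, "action": action}
```

The point the sample makes is that “spf=pass” and “dkim=pass” on their own prove nothing about the From: line the user sees; only an aligned pass does. Publishing DKIM for your domain is what makes that alignment check possible for everyone who receives your mail, and a p=none policy still leaves receivers free to deliver the spoof.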
For enabling secure sharing settings:
- Go to “Admin console”→“Apps”→“G Suite”→“Settings for Drive and Docs”
- Select the suitable option and apply for your domain
How to enable/disable sharing settings for Office 365:
In Office 365, email authentication is an inbuilt feature.
- Go to “Admin”→“Service Settings”→“Sites and Documents Sharing”
- Select one of the following options accordingly:
1. Turn on external sharing
2. Turn off external sharing
4. Monitor Suspicious External Sites
Fake external websites and links are easy baits for unsuspecting users. Hackers create fake websites that resemble some popular and credible sites. Even if the web page looks legitimate, you will notice that the URL of the page will be different from the original site.
How do you determine if an external site is genuine or fake?
The following factors should be assessed before classifying a website as safe/unsafe:
The Alexa rank for a website can provide a pointer to its credibility. (Amazon retired the Alexa ranking service in May 2022, so substitute another popularity source, such as the Tranco list, for the same check.)
For example, the following image shows the Alexa rank for www.google.com.
If you were looking at a duplicate version of the Google website, the Alexa stats will be different.
It is recommended to use a third-party tool like SysCloud Phishing Security to automate the flagging of suspicious websites that users in your network might have visited.
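Popularity rank tells you whether a site is well known; it does not tell you whether a hostname is a deliberate look-alike of one you care about. As an added example, not from the original article or from SysCloud, here is a small Python checker that normalizes a hostname (lowercases it, decodes punycode, strips accents and folds common confusable characters such as 0 for o or Cyrillic а for Latin a) and then compares its registrable domain with a list of protected domains by edit distance. The protected-domain list, the confusable table and the sample hostnames are constructed, and the two-label registrable-domain guess is an assumption.

```python
import unicodedata
from typing import Dict, List, Tuple

# Assumed list of domains worth protecting: your own plus brands your users log in to.
PROTECTED = ["google.com", "syscloud.com", "office.com", "paypal.com", "apple.com"]

# Characters attackers substitute for Latin letters; extend for the alphabets you see.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0455": "s", "\u0456": "i", "\u04cf": "l",                 # Cyrillic ѕ і ӏ
}

# Constructed hostnames to scan, e.g. pulled from a proxy log.
SAMPLE_HOSTS = ["accounts.google.com", "g00gle.com", "goggle.com",
                "p\u0430ypal.com", "xn--80ak6aa92e.com", "example.com"]


def normalize(host: str) -> str:
    """Lowercase, decode punycode, strip accents and fold confusables to ASCII look-alikes."""
    host = host.lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    host = unicodedata.normalize("NFKD", host)
    host = "".join(ch for ch in host if not unicodedata.combining(ch))
    for lookalike, ascii_char in CONFUSABLES.items():
        host = host.replace(lookalike, ascii_char)
    return host


def registrable(host: str) -> str:
    """Assumption: registrable domain = last two labels (use the Public Suffix List in production)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough inputs that the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_host(host: str, max_distance: int = 1) -> Tuple[str, str, int]:
    """Return (verdict, closest protected domain, edit distance after normalization)."""
    norm = registrable(normalize(host))
    best = min(PROTECTED, key=lambda p: levenshtein(norm, p))
    dist = levenshtein(norm, best)
    if norm == best:
        # identical only after folding confusables => homoglyph; identical before => genuine
        verdict = "legitimate" if registrable(host.lower()) == best else "homoglyph"
    elif dist <= max_distance:
        verdict = "typosquat"
    else:
        verdict = "unrelated"
    return verdict, best, dist


def scan(hosts: List[str]) -> Dict[str, Tuple[str, str, int]]:
    return {h: score_host(h) for h in hosts}
```

Folding digits to letters will occasionally mangle a legitimate domain that contains digits, so keep the protected list short and treat “typosquat” as a triage signal rather than an automatic block; the “homoglyph” verdict, where a name is identical to a protected domain only after folding, is much more reliable.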
5. Perform Real-Time Scan
IT administrators can use third-party tools to perform a real-time scan on the data stored within their organization.
SysCloud Phishing Security is one such real-time scanning application. This application allows the administrator to detect and remove threats from a domain. It covers G Suite as well as Office 365 applications.
How to perform a real-time scan with SysCloud Phishing Security application:
- Go to “Admin console”→“Data Loss Prevention”→“Sharing Insights
- Select the domain from the domain drop-down menu and click on “SCAN NOW” to see the results
Real-time scan enables you to:
- Look into the collaborators of a particular document
- Receive details about the threats from scan results
6. User and Entity Behavior Analytics (UEBA)
User and Entity Behavior Analytics (UEBA) is the practice of collecting user and device activity and looking for deviations from each user’s normal pattern. UEBA software analyzes domain audit logs to model what normal traffic looks like for each employee and flags activity that departs from it, which helps IT administrators spot a compromised account (for instance, a user suddenly sharing large volumes of data externally or logging in from an unfamiliar location) and investigate before data is lost.
For example, if you are using Office 365 with the Enterprise E5 subscription plan, the audit log and alert policies in the Security & Compliance Center let the administrator define which activities should be treated as suspicious for the domain.
The below image shows the “Security & Compliance” page of Office 365, wherein the administrator can search for suspicious activities.
You can create a new alert policy by clicking on the “+New alert policy” option. Enter the details in the next page and click on “Save” option.
If you are not using Office 365, you can also choose from third-party UEBA tools. Here is a list of UEBA vendors published by Gartner
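To show what a UEBA rule actually computes, here is an added example, not from the original article or from any vendor product: a constructed audit-log extract in which one user’s external sharing jumps from about one file a day to thirty on 2018-05-14 (the kind of spike shown in the sharing chart in step 3), shortly after a login from a country never seen for that account. Two rules run over it: a per-user baseline of daily external shares with a threshold of mean plus three standard deviations (with a floor so a quiet baseline does not trigger on noise), and a first-seen-country check on logins. The event tuples, field names and thresholds are all this example’s assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, str]  # (user, ISO-8601 timestamp, action, detail)

# Constructed audit events; in practice these come from the G Suite Drive audit
# log or the Office 365 unified audit log.
EVENTS: List[Event] = [
    ("alice@example.com", "2018-05-10T09:00:00", "login", "country=US"),
    ("alice@example.com", "2018-05-10T09:12:00", "share_external", "q1-report.xlsx"),
    ("alice@example.com", "2018-05-11T10:02:00", "share_external", "budget.docx"),
    ("alice@example.com", "2018-05-12T08:40:00", "share_external", "notes.txt"),
    ("alice@example.com", "2018-05-13T11:15:00", "share_external", "agenda.docx"),
    ("alice@example.com", "2018-05-14T02:10:00", "login", "country=RO"),
    ("bob@example.com", "2018-05-10T09:00:00", "login", "country=US"),
    ("bob@example.com", "2018-05-14T09:00:00", "login", "country=US"),
    ("bob@example.com", "2018-05-14T09:05:00", "share_external", "pricing.pdf"),
]
# Thirty external shares in thirty minutes from the same account: the spike.
EVENTS += [("alice@example.com", f"2018-05-14T02:{m:02d}:00", "share_external", f"file{m}.pdf")
           for m in range(11, 41)]


def daily_counts(events: List[Event], action: str) -> Dict[str, Dict[str, int]]:
    """user -> day -> number of events of the given action."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for user, ts, act, _ in events:
        if act == action:
            counts[user][ts[:10]] += 1
    return counts


def detect_sharing_spikes(events: List[Event], min_baseline_days: int = 3,
                          floor: float = 5, sigmas: float = 3.0) -> List[Dict[str, object]]:
    """Flag a day whose external-share count exceeds the user's own historical baseline."""
    findings = []
    for user, per_day in daily_counts(events, "share_external").items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            baseline = [per_day[d] for d in days[:i]]  # only days before the one under test
            if len(baseline) < min_baseline_days:
                continue  # not enough history: do not alert on noise
            threshold = max(floor, statistics.mean(baseline) + sigmas * statistics.pstdev(baseline))
            if per_day[day] > threshold:
                findings.append({"user": user, "day": day, "count": per_day[day], "threshold": threshold})
    return findings


def detect_new_login_countries(events: List[Event]) -> List[Dict[str, object]]:
    """Flag a login from a country never seen before for that user."""
    seen: Dict[str, set] = defaultdict(set)
    findings = []
    for user, ts, act, detail in sorted(events, key=lambda e: e[1]):
        if act != "login":
            continue
        country = detail.split("=", 1)[1]
        if seen[user] and country not in seen[user]:
            findings.append({"user": user, "time": ts, "country": country, "known": sorted(seen[user])})
        seen[user].add(country)
    return findings
```

Both rules are per-user, which is the whole point of UEBA: thirty external shares might be routine for a sales engineer and alarming for an accountant, so a fixed organization-wide number would either miss the spike or drown the analyst in noise. Bob never trips either rule because one day of activity is not a baseline and his logins come from a country already on record.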
7. Implement Solutions for Malware and Spyware
Malware and spyware come in many shapes and forms: trojans, worms, viruses, ransomware, and spyware, to name a few. Each family is built with a specific objective.
Some of these objectives are to:
- Use the victim’s IT Infrastructure as a host for a mass phishing attack
- Demand a ransom by encrypting the files
In 2017, the WannaCry ransomware made headlines as it caused financial losses estimated in the billions of dollars across more than 150 countries.
Here is the 2017 Gartner Peer Insights report on the best endpoint solutions as chosen by customers.
For a direct comparison of anti-malware security solutions, refer to the comparison table from the PC Magazine.
8. Implement Secure Document Sharing
IT administrators should implement processes to govern document-sharing policies within and outside the domain.
Internal to the Domain:
For G Suite, the “Authorised Email gateways – SMTP” option lets you list the relays, such as gappssmtp, that legitimately carry your internal mail.
To enable this option, go to “Admin Account→Apps→G Suite→Settings for Gmail.”
Mail that claims to be internal but arrives through a relay that is not on the list can then be flagged or rejected instead of being delivered to employees.
For example, in the image below, “syscloud.com” is spoofed through the “smtpservice.net” portal and a phishing link is sent to the employees.
Administrators can prevent this from happening by whitelisting all the channels for internal communication.
External to the Domain:
Communication with an unauthorized external domain may put your organizational data at risk. Attackers often use spoofed or lookalike sender addresses to steal sensitive data. For example, “firstname.lastname@example.org” and “email@example.com” belong to two different domains, and in a real attack the impostor’s domain typically differs from yours by only a character or two.
Private among Few Users of the Same Domain:
IT administrators can create multiple internal groups within their domain. This makes communication easier among a group; however, groups can also make it easy for attackers to carry out name-impersonation phishing attacks. A single email can reach a number of potential victims in your organization. For example, “firstname.lastname@example.org” can give the attacker the opportunity to target all key members of the group using a single email.
Administrators should always consider disabling group email addresses for all external communications. It’s also not advisable to add local administrators to manage email groups.
9. Prevent Phishing on Your G Suite Domain
G Suite provides different options to prevent phishing attack in your business domain. To enable these options, follow the steps given below:
Go to “Admin Account” →“Apps”→“G Suite”→“Security.”
2-Step Verification: Enabling this option will provide a multi-factor authentication for the users in your domain.
Access Permission for Only Trusted Apps: Enabling this option will prevent suspicious apps from accessing your data.
Avoid Unsafe Attachments: Enabling this option will protect the user from receiving attachments via suspicious emails.
Links and External Links: Enabling this option will help the admin to block unsafe links and images.
Spoofing and Authentication: Enabling these options tells Gmail to flag or quarantine messages that spoof your domain, fail authentication, or use an employee’s name with a lookalike sender address, which blunts name impersonation and spear phishing attacks.
10. Enable Office 365 Phishing Protection
To protect your organization from phishing attacks, set up an ATP anti-phishing policy (ATP has since been renamed Microsoft Defender for Office 365):
Go to protection.office.com and sign in with your work or school account.
- Choose the “Office 365 Security & Compliance Center” option.
- In the left navigation pane, choose the following: “Threat management”→“Policy”→“ATP anti-phishing.”
- To add a new policy, click on “Create” option.
- To edit an existing policy, click on the specific policy name and choose “Edit policy” option.
- Specify the name, description, and settings for your policy.
- Click on “Create this policy” or “Save,” as required.
11. Enable Secure Browsing with Virtual Desktop Infrastructure
Deploying a Virtual desktop infrastructure (VDI) could provide IT administrators better control over potential threats such as a phishing attack.
Because the data does not reside on the user’s computers or mobile devices, there is added security against hackers who might have launched a phishing attack to access data stored in the victim’s computing device.
VDI has now evolved into Desktop as a Service (DaaS), which provides out-of-the-box security features such as firewall, antivirus and malware protection, and pre-built security policy templates. Citrix and VMware are the major DaaS vendors in the market.
12. Deploy Password Alert Extension for G Suite
“Password Alert” is a Chrome extension that gives additional login protection to G Suite users. It keeps a salted hash of the user’s Google password and watches what is typed on pages outside the Google sign-in flow; if the user types that password on any other site, or on a page that impersonates the Google sign-in page, it warns the user and prompts a password change.
Password alert extension notifies the administrator if a user enters their G Suite credentials anywhere else – other than the Google sign-in page. It also gives an option for the administrator to enforce deployment of the Password Alert Chrome extension on users’ laptops and mobile devices.
To access this option, go to “Device management”→“App Management”→“Password Alert.”
Select “Force installation” under “User Settings and Public session settings.”
13. Use Encryption for Data Transmission
Encryption turns readable data into “ciphertext” that is useless to anyone who does not hold the key or password needed to decrypt it.
Gmail and Outlook provide out-of-the-box encryption options for administrators. Transport Layer Security (TLS), the standard option, encrypts the connection between mail servers, so the message is protected in transit but readable by every server that handles it. S/MIME, the enhanced option, encrypts and signs the message itself, end to end: only the recipient holding the matching private key can read it, and the signature lets the recipient verify who really sent it, which is directly useful against impersonation.
To enable email encryption in Outlook, follow these steps:
- Go to File tab, click on “Options→Trust Center→Trust Center Settings→Email Security.”
- The encryption setting will be on the right pane of the window in the section “Email Security.”
- Click on “Encrypt contents and attachments for an outgoing message.”
- Click on “OK” to finish the process.
G Suite Enterprise and G Suite Education users can set up S/MIME encryption by following the steps below. Please note that G Suite Basic and Business editions do not have this feature.
- Open the Google Admin console.
- Go to “Apps→G Suite→Gmail→User settings.”
- Under the “Organizations” option, select the domain or organization you want to configure.
- Scroll down to the S/MIME setting and check the “Enable S/MIME encryption for sending and receiving emails” option.
- Optional setting: If you want to let users upload their own certificates, click on the “Allow users” option.
- Additional controls: If you want to upload and manage root certificates, use the S/MIME trusted certificates controls.
14. Control Third-Party App Access with OAuth
Open Authorization (OAuth) is the mechanism third-party applications, such as Facebook, use to request access to employees’ data; controlling which apps may be granted which scopes keeps confidential data from leaking through an innocuous-looking app.
Google applications use two forms of OAuth:
Two-Legged OAuth (for administrator-managed applications):
Here the administrator grants an application domain-wide access to a defined set of scopes, without any end-user consent. This is powerful, so the list of such clients should be kept short and reviewed regularly.
Three-Legged OAuth (for user-managed applications):
Here an employee installs an application, for instance from the G Suite Marketplace, and consents to the scopes it requests. Because a malicious app can ask for broad access to mail and files, administrators should restrict which third-party apps users are allowed to authorize and which APIs those apps may reach.
In G Suite, Administrators can set OAuth by following these steps:
- Go to “Admin console→Security→Advanced Settings→Authentication.”
- Click on“Manage API client access.”
In Office 365, the administrator can set the OAuth settings by following these steps:
Connect to Exchange Online PowerShell.
- Do any one of these steps:
15. Communicate the Latest Attacks
In spite of the security measures taken by IT administrators, some malicious emails may still find their way to inboxes undetected.
To limit the damage when that happens, it is necessary to keep employees aware of the latest threats and of the new techniques being used for phishing.
Here are some of the successful scams that target employees:
Dropbox Scam: An email that’s designed to look like a Dropbox notification can easily infect the organization network with malware.
DHL parcel scam: Here, users are asked to verify their personal details for parcel delivery.
FedEx Scam: This is a package delivery scam. In the below image, clicking on the “here” option will download malware into the system.
Here is an example of an automated update from Google Alerts.
- Select a topic or a cluster of relevant keywords for a topic.
- Click on “Create an Alert” option.
- Go to the Google Alert email in your inbox.
- Click on “More”→“Filter messages like these”→“Don’t include chats”→“Continue.”
From the “What happens when the message arrives” setting, click on “Forward to:” option to add the respected group of people.
- Click on “Create filter” option.
16. Use Third-Party Tools
SaaS providers like SysCloud help users spot suspicious emails and give IT administrators real-time data to act on and implement policies. While vendors like SysCloud cover cloud applications such as G Suite and Office 365, other vendors may provide wider coverage.
Here is how third-party tools like SysCloud help in protecting your network from a phishing attack.
How to create a phishing policy?
Click on “Compliance” tab→“ Policies.”
- Click on “Create Policy” to create a new policy.
- A new policy will be created with the standard name “Phishing policy_MM/DD/YYYY HH:MM:SS” – You can enable the policy for the entire domain, or individuals, or business units accordingly.
- Define the cloud applications that will be covered by the phishing policy. The administrator can select G Suite, Office 365, or both.
- Select the protection level.
The administrator can define real-time actions against phishing attacks:
a. Audit only: This action will retain the infected email in the inbox, but it will report the issue in the admin console.
b. Add banners and labels to email: This action will add caution banners and quarantine labels to the flagged email.
c. Move to trash: This action will move the email out of the inbox to the trash folder.
- Exception management is an add-on feature for users. Here, users can raise an exception query if they feel that the received email is safe.
Click on “✓ Finish & Active” button to enforce the policy.
17. Use a Phishing Simulator
Phishing simulators can be used to check the state of awareness among employees about suspicious emails. Specifically, simulators are meant to help employees understand key aspects of a phishing attack. This includes:
- The dangers of opening emails with enticing subjects
- Perils of emails prompting you to take action immediately
- Brand impersonation and domain impersonation
Anti-phishing vendors offer phishing simulators either as a free tool or as a part of their service offering. Here are some of the options that IT administrators can evaluate:
- Simple Phishing Toolkit (sptoolkit)
- SpeedPhish Framework (SPF)
If you have implemented Office 365 and also have the Enterprise E5 subscription plan, which is the highest subscription level, you can simulate phishing attacks from within Office 365.
An Office 365 administrator has three attack options to choose from for a selected set of employees. The three phishing attack options available include:
1. Spear Phishing Attack,
2. Brute-force Password Attack, and
3. Password spray Attack.
After the simulation is completed, administrators can access data on how successful the attacks were. Remedial actions such as training sessions, multi-factor authentication solutions or any other recommended approach can be implemented based on the results of the simulation.
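Whichever simulator you use, its core is a per-recipient tracking link and a click report. As an added example, not from the original article or from any of the tools named above, here is a minimal Python implementation: each recipient gets a link carrying an HMAC token, so a token cannot be guessed or forged to inflate another user’s statistics, repeat clicks are collapsed, and the result is a per-department click rate on which the training follow-up can be based. The server key, landing URL, recipient list and click log are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumptions for the demo: the key lives only on the simulation server (generate a real
# one with secrets.token_bytes(32)); the landing page and recipient list are hypothetical.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
LANDING_URL = "https://training.example.net/t"
RECIPIENTS = {"alice@example.com": "finance", "bob@example.com": "finance",
              "carol@example.com": "engineering"}


def make_token(campaign: str, recipient: str) -> str:
    """Per-recipient token: an HMAC, so it cannot be guessed or forged to pollute someone else's stats."""
    return hmac.new(SERVER_KEY, f"{campaign}|{recipient}".encode(), hashlib.sha256).hexdigest()[:32]


def tracking_link(campaign: str, recipient: str) -> str:
    return f"{LANDING_URL}?c={campaign}&t={make_token(campaign, recipient)}"


def token_map(campaign: str, recipients: Dict[str, str]) -> Dict[str, str]:
    """token -> recipient, kept server-side so a click can be attributed."""
    return {make_token(campaign, r): r for r in recipients}


def resolve_click(url: str, campaign: str, tokens: Dict[str, str]) -> Optional[str]:
    """Attribute a landing-page request to a recipient, or None if the token is not valid for this campaign."""
    query = parse_qs(urlsplit(url).query)
    if query.get("c", [None])[0] != campaign:
        return None
    presented = query.get("t", [""])[0]
    for token, recipient in tokens.items():
        if hmac.compare_digest(token, presented):  # constant-time compare
            return recipient
    return None


def click_report(campaign: str, recipients: Dict[str, str],
                 click_log: List[str]) -> Dict[str, Tuple[int, int]]:
    """Per-department (recipients who clicked, recipients targeted); repeat clicks count once."""
    tokens = token_map(campaign, recipients)
    clicked = set()
    for url in click_log:
        recipient = resolve_click(url, campaign, tokens)
        if recipient:
            clicked.add(recipient)
    report: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for recipient, dept in recipients.items():
        report[dept][1] += 1
        if recipient in clicked:
            report[dept][0] += 1
    return {dept: (hits, total) for dept, (hits, total) in report.items()}


# Constructed landing-page access log: alice clicks twice, one forged token, and one
# link from a different campaign that must not be counted here.
CLICK_LOG = [
    tracking_link("q2-2018", "alice@example.com"),
    tracking_link("q2-2018", "alice@example.com"),
    f"{LANDING_URL}?c=q2-2018&t=0000000000000000000000000000dead",
    tracking_link("q1-2018", "carol@example.com"),
]
```

Report results per department or role rather than per person: the goal of a simulation is to find where awareness training is needed, and naming individuals tends to make employees stop reporting real phishing out of embarrassment.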
If you have follow-up questions or want to learn more about SysCloud, please contact us.