Phishing attacks are on the rise in Australia, with the rapid shift to digital services during the pandemic providing a raft of new opportunities for scammers. “Phishing” refers to an attempt to steal sensitive information, typically usernames, passwords, credit card numbers, bank account details or other valuable data, in order to use or sell it. Similar to fishing, phishing is a technique to ‘fish’ for sensitive information from an ‘ocean’ of users.
Email is now the primary delivery channel for phishing, with cybercriminals posing online as legitimate people, companies and institutions to lure individuals into handing over confidential information or opening malicious attachments. Last year 86% of organisations experienced a successful phishing attack, up 36% from 2020. To avoid your business becoming a statistic in 2022, we’ve compiled a list of the top 10 ways you can protect your organisation from phishing attacks.
1. Install security and anti-phishing software
Installing security software is your first line of defence against phishing scams. Antivirus, spam filtering and firewalls each stop a different stage of an attack: the malicious message, the link it carries and the payload it tries to run.
Anti-phishing software intercepts and analyses the websites an employee visits and compares them against a list of reported phishing and malware sites; if a site is on the list, it is blocked immediately. Because attackers register fresh domains faster than any list can track them, good products also apply heuristics (link text that names a different domain from the real target, newly registered or look-alike domains) and open attachments in a sandbox. The same checks run on incoming email for harmful attachments and links, so far fewer malicious and spam emails reach your employees’ inboxes. No filter catches everything, which is why the remaining measures on this list still matter.
2. Regularly update security patches and software
Keeping software current with the latest security patches decreases your chances of getting caught in a phishing scam. Phishing emails frequently carry attachments or links that exploit known vulnerabilities in browsers, email clients, office suites and PDF readers; a patched machine does not run that payload even if an employee clicks. Turn on automatic updates where you can, and apply updates as soon as they are offered rather than deferring them, prioritising the software that opens email, documents and web pages.
3. Use Domain-Based Message Authentication, Reporting and Conformance (DMARC)
Phishers can spoof a company’s domain name in the From: address of phishing emails, however, organisations can protect their domain from being misused by implementing DMARC. DMARC builds on two existing checks: the Sender Policy Framework (SPF), which lists the servers allowed to send mail for a domain, and DomainKeys Identified Mail (DKIM), which signs each message with a key published in DNS. A message passes DMARC when at least one of those checks passes and the domain it authenticated aligns with the domain in the visible From: header. The DMARC record also tells receiving mail servers what to do with mail that fails (p=none to only report, p=quarantine to send it to the spam folder, p=reject to refuse it) and where to send aggregate reports. Start at p=none to discover every legitimate sender of your domain, then move to quarantine and finally reject. Note that DMARC protects only your own domain: it does nothing against look-alike domains such as “exarnple.com”, which the attacker owns and can authenticate perfectly well.
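The following is an added example, not code from the original article or from any mail product, showing how a receiving mail server applies a sender’s DMARC policy to one message. The TXT records are constructed stand-ins for a real DNS lookup of `_dmarc.<domain>`, and the SPF and DKIM verdicts are assumed to have already been produced by the receiver’s own checks. The last case shows the look-alike-domain limitation described above.

```python
# Added example, not the article's code: DMARC evaluation on the receiving side.
# DNS answers are constructed; SPF/DKIM results are assumed already computed.

DNS_TXT = {  # constructed answers, keyed by the name a receiver would query
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.strict.example.org": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "_dmarc.exarnple.com": "v=DMARC1; p=none",  # look-alike domain, own record
}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")      # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")       # SPF alignment
    tags.setdefault("sp", tags["p"])   # sub-domain policy defaults to p
    tags.setdefault("pct", "100")      # sampling rate (parsed, not applied here)
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Simplified to the last two labels; a real
    receiver consults the Public Suffix List so that 'bank.com.au' works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict: exact match with the From: domain. Relaxed: same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def lookup_policy(from_domain: str):
    """Policy for the From: domain, else the org domain's record (sp= applies)."""
    record = DNS_TXT.get("_dmarc." + from_domain.lower())
    if record:
        return parse_dmarc(record), "p"
    parent = org_domain(from_domain)
    if parent != from_domain.lower() and "_dmarc." + parent in DNS_TXT:
        return parse_dmarc(DNS_TXT["_dmarc." + parent]), "sp"
    return None, None


def evaluate(from_domain, spf_domain=None, spf_result="none",
             dkim_domain=None, dkim_result="none"):
    """Return (dmarc_result, disposition) for one message.

    spf_domain:  domain SPF was checked against (the MAIL FROM / bounce domain)
    dkim_domain: d= of a DKIM signature that verified
    A message passes if EITHER authenticated identifier aligns with From:.
    """
    tags, policy_tag = lookup_policy(from_domain)
    if tags is None:
        return "none", "none"   # no policy published: receiver is on its own
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags[policy_tag]


if __name__ == "__main__":
    # Constructed messages claiming to be From: example.com (or a look-alike).
    cases = {
        "own server, DKIM signed":    evaluate("example.com", "example.com", "pass", "example.com", "pass"),
        "spoofed From, attacker SPF": evaluate("example.com", "attacker.net", "pass"),
        "bulk mailer, aligned DKIM":  evaluate("example.com", "bounce.mailer.net", "pass", "mail.example.com", "pass"),
        "sub-domain spoof":           evaluate("news.example.com", "attacker.net", "pass"),
        "strict alignment fails":     evaluate("strict.example.org", None, "none", "mail.strict.example.org", "pass"),
        "look-alike domain":          evaluate("exarnple.com", "exarnple.com", "pass"),
    }
    for name, (result, disposition) in cases.items():
        print("%-28s dmarc=%-4s disposition=%s" % (name, result, disposition))
```

The “bulk mailer” case is why relaxed alignment is the default: a newsletter service sending from its own bounce domain still passes as long as the DKIM signature is for a sub-domain of yours. The “look-alike domain” case passes cleanly, which is the point of the caveat above: DMARC stops forgery of your domain, not imitation of it.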
4. Educate your employees
Educating your employees on what to look out for and how to respond is one of the most effective ways of thwarting phishing attempts. Let employees know that if they’re ever unsure about a suspicious email, they should contact your IT department, Help Desk or designated response team before responding, clicking a link or opening an attachment. Some of the most common signs of a fraudulent email for employees to keep an eye out for include:
- Grammatical errors and unnatural language: attackers usually run a spellcheck but often overlook awkward phrasing. Be aware that many current phishing emails are well written, so the absence of errors proves nothing.
- Scare tactics and urgency: such emails try to trick the recipient into thinking that their computer has been infected, an account has been compromised or a payment is overdue, and demand action within hours.
- Mismatched senders and links: the display name says one thing but the actual email address is a personal or look-alike domain, or hovering over a link shows a destination that does not match the text of the link.
- Dodgy attachments: the most dangerous file types include .exe, .jar, .bat, .cmd, .vbs, .js and .hta, macro-enabled Office documents (.docm, .xlsm), and archives or disk images (.zip, .iso) that contain them. Watch for double extensions such as “invoice.pdf.exe”.
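As an added example, not code from the original article or from any filtering product, the block below automates the link and attachment checks described in the anti-phishing software section and in the signs listed above: it compares the visible text of each link with its real destination, flags punycode and raw-IP hosts and blocklisted domains, and catches executable and double-extension attachments. The sample message, the blocklist and the short public-suffix list are constructed for the demo.

```python
# Added example, not the article's code: link and attachment checks for one
# email.  The message, blocklist and suffix list below are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKLIST = {"secure-login-verify.example"}           # constructed feed
RISKY_EXT = (".exe", ".jar", ".bat", ".cmd", ".vbs", ".js", ".hta",
             ".scr", ".iso", ".docm", ".xlsm")
# Two-label public suffixes; a real filter uses the full Public Suffix List.
PUBLIC_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk"}
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """'www.mybank.com.au' -> 'mybank.com.au'; 'a.b.example' -> 'b.example'."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-n:])


def check_link(href: str, text: str) -> list:
    """Findings for one link: blocklist hit, punycode host, bare IP host, or
    visible text naming a different domain than the real target."""
    findings = []
    host = (urlsplit(href).hostname or "").lower()
    if not host:
        return findings
    if host in BLOCKLIST:
        findings.append("blocklisted host %s" % host)
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN homograph risk) host %s" % host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("link to raw IP address %s" % host)
    shown = DOMAIN_RE.search(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        findings.append("text shows %s but link goes to %s" % (shown.group(1), host))
    return findings


def check_attachment(filename: str) -> list:
    """Flag executable/script/macro types and 'invoice.pdf.exe' style names."""
    name = filename.lower()
    findings = []
    if name.endswith(RISKY_EXT):
        findings.append("risky attachment type: %s" % filename)
        if name.count(".") > 1:
            findings.append("double extension hides real type: %s" % filename)
    return findings


def analyse(html_body: str, attachments: list) -> list:
    """All findings for one message; an empty list means nothing suspicious."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    findings = []
    for href, text in extractor.links:
        findings += check_link(href, text)
    for filename in attachments:
        findings += check_attachment(filename)
    return findings


# Constructed phishing message: a spoofed bank notice with one genuine link.
SAMPLE_HTML = """
<p>Your account has been locked. Verify within 24 hours:</p>
<a href="http://secure-login-verify.example/au/login">https://www.mybank.com.au/login</a>
<p>Or update via <a href="https://xn--pple-43d.com/id">Apple ID</a></p>
<p>Statement attached. <a href="https://www.mybank.com.au/help">Help centre</a></p>
"""
SAMPLE_ATTACHMENTS = ["Statement_4471.pdf.exe"]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print("-", finding)
```

The genuine “Help centre” link produces no finding, which is the test a filter has to pass in both directions: catching the first two links while not flagging the bank’s real site.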
A good way of ensuring that your entire workforce understands the risks and knows how to identify a phishing scam is by running simulated phishing tests. Track how many people click and, more importantly, how many report the email, and treat the results as a measure of the training rather than a reason to punish individuals.
It’s also important to train new users on company security measures as part of their orientation. Regularly update and inform all employees of changes to internet security policies and procedures to keep the information top of mind.
5. Enforce password management policies
Maximise the strength of the passwords used by employees by enforcing a robust password management policy. The policy should make employees aware of the following aspects:
- Employees should create long passwords or passphrases; length matters more than special-character rules, and a password manager removes the need to remember them.
- They should not include guessable personal details such as a PIN, date of birth, pet’s name or the company name in their passwords.
- They should never reuse a password across services, and in particular should keep personal and work accounts separate, so that one phished password does not unlock everything else.
- If employees suspect that their password has been compromised, they should change it and immediately report the incident to the IT Department or Help Desk; IT should also check new passwords against known-breached password lists.
6. Enable multi-factor authentication (MFA)
Businesses can prevent phishing attacks to a great extent by incorporating MFA. Whilst a hacker can steal an employee’s username and password through a phishing email, with MFA activated, cybercriminals also need a second factor to gain access: a one-time code from an authenticator app, a push notification to the employee’s phone, or a hardware security key. Security questions are not a second factor, since they are just more knowledge that can be phished in the same form. Be aware that one-time codes can still be captured: a phishing page that relays the employee’s login to the real site in real time passes the code straight through. For administrators and other high-value accounts, use phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys, which are bound to the genuine website’s address and cannot be replayed from a fake one.
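The following is an added example, not code from the original article or from any vendor, of the one-time-code second factor mentioned above: a TOTP (RFC 6238) generator, as an authenticator app would run it, together with a server-side verifier that tolerates a little clock drift and refuses a replayed code. The shared secret is the RFC test-vector key, chosen only so the outputs are known.

```python
# Added example, not the article's code: TOTP second factor with replay guard.
# The secret is the RFC 4226/6238 test key, used here for a demo only.
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC test secret (demo only, never real)
STEP = 30                          # seconds per code
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int = None) -> str:
    """What the authenticator app shows at Unix time `at` (default: now)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP)


class TotpVerifier:
    """Server side. Accepts one step of clock skew either way and never
    accepts a time step at or before the last one it accepted, so a code
    captured and replayed within its 30-second window is refused."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_step = -1          # persisted per user in a real system

    def verify(self, code: str, at: int = None) -> bool:
        at = int(time.time()) if at is None else at
        now_step = at // STEP
        for step in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if step <= self.last_step:
                continue             # already used, or older: replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(SECRET)
    code = totp(SECRET, 59)                                # "287082"
    print("first use:", v.verify(code, 59))                # True
    print("replay   :", v.verify(code, 61))                # False
    print("next code:", v.verify(totp(SECRET, 90), 90))    # True
```

The replay guard is what stops an attacker who shoulder-surfed or intercepted a code from using it after the employee has. It does not help against a real-time relay, where the attacker submits the code before the employee does; that is the gap only origin-bound authenticators close.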
7. Work on end-point encryption
Organisations should encrypt and protect each end-point, such as desktops, laptops and mobile devices, that connects to their network. These are two separate controls. Full-disk encryption (for example BitLocker on Windows or FileVault on macOS) protects the data on a device that is lost or stolen, but does nothing against malware that runs while the user is logged in. Endpoint protection or EDR software is what detects and removes the malicious code a phishing attachment or link delivers, and alerts your IT team so that one infected laptop does not become a breach.
8. Use a Virtual Private Network (VPN)
A VPN secures the connection between an employee’s system and the business’s network. Data is transferred through this encrypted tunnel, so it cannot be read or altered in transit, which matters for staff working from home or on public Wi-Fi. A VPN is not a defence against phishing itself: a phishing email arrives over the tunnel just as easily, and a password stolen through phishing can be used to connect to the VPN. Protect VPN logins with MFA and treat the VPN as a transport control, not an email one.
9. Schedule regular backups
When was the last time you tested your backup and recovery plan? If you can’t remember, chances are you’re long overdue. Phishing is the most common way ransomware gets in, and backups are what let you recover without paying. Schedule regular backups, keep at least one copy offline or immutable so that an attacker with a stolen account cannot delete or encrypt it along with the live data, and test a full restore regularly so you know your data is actually recoverable in an emergency.
10. Utilise a Managed Services Provider (MSP)
A good IT Support Company or MSP can provide the services above as a package: email and spam filtering, SPF/DKIM/DMARC configuration, MFA roll-out, patch management, endpoint protection, monitored backups and staff training, along with someone to call when an employee reports a suspicious email.
Boosting your email protection and cybersecurity
With more than 25 years of industry experience, Neo Technologies keeps your company secure, connected and compliant, so you can focus on achieving your current and future business goals. We offer end to end IT services, solutions, support and advisory with a depth and breadth of specialised knowledge that sets us apart from our competitors. Contact us on 1300 661 832 to learn more about ways we can help protect your business from phishing and cybersecurity attacks.