Looking into phishing protection? In this blog, we explain what phishing protection is, how it works, and best practices to protect your organization and customers.
What Is Phishing Protection?
Phishing is a sophisticated method fraudsters use to trick victims into revealing confidential information. Phishing protection refers to the measures companies take to protect themselves and their customers against phishing scams—including a combination of education, AI-based detection, and takedown services.
What Is Phishing?
Phishing is the practice of using email, SMS text messages, cloud-based collaboration platforms, and other methods to impersonate trusted companies or individuals in order to fool recipients into revealing login credentials, banking information, or payment details. These attacks employ well-crafted messages, stolen brand images, and cloned websites to appear as much like the real deal as possible.
The information pilfered from victims is typically used to commit numerous types of fraud or is collected and sold on dark web marketplaces. With stolen payment details, cyberthieves can make illegal purchases on e-commerce sites.
With stolen email login credentials, fraudsters can infiltrate personal or corporate email accounts and gather intel for impersonating the account owner in attacks targeting colleagues and others. When such attacks lead to a data breach, the average cost to U.S.-based companies is $9.05 million per incident. Total average costs from phishing-related attacks on business may be as high as $14 million per year.
If the compromised logins are for consumer bank accounts, fraudsters are free to drain funds—including personal life savings. As reported in our latest quarterly Fraud & Payments Report, fraudulent transactions made through compromised accounts accounted for 76.5% of all fraud loss in the banking sector during the fourth quarter of 2021—up nearly 20% from the second quarter of the year.
According to Javelin Strategy & Research, the price tag for all forms of phishing-related fraud losses may now be as high as $43 billion per year.
Despite having done nothing wrong, companies that get impersonated in these phishing scams can pay a steep price as well. Lost business and lawsuits can cause significant financial and reputational harm. And the negative publicity could cause consumer or business recipients to ignore your legitimate, revenue-generating email programs at a time when digital channels are more important than ever. According to Forrester, lost customer trust or even just suspicion can reduce revenues up to 25% for a full year.
Types of Phishing Attacks
Not all phishing scams are created equal. Basic phishing messages are sent to large volumes of recipients, with no particular target in mind. Fraudsters understand that basic phishing is a numbers game, so they focus on quantity over quality. These attacks can target a company’s employees, customers, or the general public.
Spear phishing, on the other hand, takes the opposite approach by using highly customized messages, domains, and other tactics that target or impersonate a particular individual. In most cases, this is a well-placed, high-value corporate employee. For example, a spear-phishing attack could impersonate a C-suite executive requesting employees' direct-deposit details from the CFO or a member of the finance staff.
Before we dive into phishing protection strategies, let’s touch on how you can spot phishing messages in the first place.
Spotting Phishing Messages
Even with phishing protections in place, it’s important to know how to identify phishing messages if they slip through the cracks. Phishing messages are most commonly sent via email, but they can also be found in text messages through mobile phishing and across social media.
Below are some tactics you can use to spot phishing messages before you fall victim to one.
Be Skeptical of Urgency
Fraudsters rely on urgency to trick victims into taking action quickly before thinking to confirm the legitimacy of the message. This can include a past-due notice, a fraud alert, or a password-reset warning requiring immediate attention. When targeting businesses, these emails are often delivered late in the day to amplify anxiety over failing to deliver for a senior executive. If a message seems urgent and requires immediate action, recipients should pause and scrutinize the message for indications of fraud before clicking any links, opening attachments, or taking any action.
Verify the Sending Domain
If a message states it’s coming from Microsoft, verify that the sender’s email address ends in @microsoft.com. Clever phishing attacks will employ “domain spoofing,” which involves buying domain names that are close, but not exact, matches to a legitimate domain in an attempt to fool recipients into trusting the message.
For example, johndoe@acme.com could be spoofed as johndoe@acrne.com. Recipients that message this address regularly might not catch that fraudsters replaced the letter “m” in the domain with “rn”, which looks almost identical in many fonts.
Another, more common approach is display name impersonation. This involves changing the display names on free email accounts such as Gmail or Yahoo in order to deceive recipients. Recipients would have to click on the From field to see that the sender is not the same as the display name—an especially big problem with some mobile email clients that only show the display name.
Recipients who aren’t confident about the legitimacy of an email message should avoid clicking on links, opening attachments, or acting on requests within the message.
Watch for Misspellings and Bad Grammar
Many phishing attacks stem from non-English-speaking countries. These fraudsters rely on translation services, which leave behind misspellings, inconsistencies, and bad grammar. While bad grammar alone isn’t a cause for alarm, it should serve as a red flag for identifying potential phishing messages.
Examine Links Before Clicking
You can hover your cursor over a link to preview where it will take you. This is useful for identifying phishing messages that impersonate certain services. For example, a fake Microsoft Teams phishing email might state the link will take you to reset your password. If that link goes anywhere other than the real Microsoft domain, you know it’s a phishing attempt.
Below is an example of previewing a customer service hyperlink in an email. We can see from the preview that the link redirects to the company domain as it should.
This method isn’t foolproof. Fraudsters can use a series of redirects and spoofed domains to appear legitimate or confuse the victim. System administrators should implement phishing protection that prevents phishing links from reaching their users’ mailboxes.
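The checks from this section and the previous one, a look-alike sender domain, a display name that does not match the real sender address, and a link whose destination host imitates a trusted domain, as an added example that is not part of the original post. It assumes a constructed trusted-domain list, a single-part constructed sample message, and the post's own acme.com/acrne.com pair; the similarity threshold is an illustrative choice, not a standard.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"acme.com", "microsoft.com"}  # constructed allow-list
# Letter sequences that render alike; "rn" for "m" is the post's acme.com -> acrne.com swap.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

def skeleton(domain: str) -> str:
    """Collapse confusable spellings so look-alike domains compare equal."""
    for src, dst in CONFUSABLES.items():
        domain = domain.replace(src, dst)
    return domain

def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        same_label = domain.split(".")[0] == trusted.split(".")[0]        # acme.net
        close = SequenceMatcher(None, domain, trusted).ratio() >= 0.85    # acme.co
        if same_label or close or skeleton(domain) == skeleton(trusted):  # acrne.com
            return trusted
    return None

def check_message(raw_message: str) -> List[str]:
    """Findings a mail filter would raise for the From header and body links."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if (hit := lookalike_of(sender_domain)):
        findings.append(f"sender domain {sender_domain} imitates {hit}")
    # Display-name impersonation: the name invokes a trusted brand (or an address on
    # a trusted domain) while the real sender address lives somewhere else.
    claims_brand = any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS)
    if claims_brand and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' does not match sender {addr}")
    # Links: judge the destination host, never the visible link text.
    for host in re.findall(r'href="https?://([^"/:]+)', msg.get_payload(), flags=re.I):
        if (hit := lookalike_of(host)):
            findings.append(f"link host {host} imitates {hit}")
    return findings

# Constructed sample: free-mail sender with a borrowed display name and a look-alike link.
SAMPLE = ('From: "John Doe johndoe@acme.com" <jdoe.acme1@gmail.com>\n'
          "Subject: Urgent: confirm your direct deposit\n\n"
          '<a href="https://acrne.com/hr/deposit">Update your details</a>\n')
```

Running `check_message(SAMPLE)` yields two findings: the display-name mismatch and the acrne.com link host; a message from jane@acme.com linking to acme.com yields none.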
Be Wary of Attachments
Malicious attachments allow attackers to hide malware and execute code on the target machine. This can unleash spyware in the background that steals sensitive information, or ransomware that holds your files hostage until you pay the perpetrators.
Even innocent-looking Word file attachments can hold links that direct victims to a phishing page. This is a common tactic to bypass anti-phishing scans. It’s important to only click on attachments from senders you trust, and avoid attachments with suspicious file extensions (.exe, .scr, .vbs, etc.).
In business environments, administrators should implement email policies that automatically block these file types and remain vigilant for new rogue attachment trends.
Phishing Protection Strategies
Below are a few of the best phishing protection strategies organizations can use to protect employees, customers, suppliers, and other consumers and businesses.
Implement Multi-Factor Authentication
Multi-factor authentication helps prevent unauthorized users from accessing an account by requiring an additional form of authentication during login. This is typically a one-time code sent via text message or generated by an authenticator app.
MFA is one of the best forms of phishing protection you can implement because even if someone falls victim to a phishing scam, the attacker cannot access that account with the stolen password alone. Organizations often use a combination of artificial intelligence and MFA to prevent phishing and mitigate the damage if credentials are stolen.
Configure Strong Email Policies
Administrators should implement robust email authentication measures to help protect users from phishing messages. A few of the best phishing protections to put in place include the following:
- Enable external email tags to warn recipients to verify the authenticity of email
- Configure email records for authentication protocols like SPF, DKIM, DMARC & BIMI
- Implement brand abuse monitoring to detect domain spoofing of your own domains
- Block or flag common phishing top-level domains (.xyz, .biz, etc.)
- Block or flag emails originating from countries known for large volumes of phishing email
- Block emails with attachments known to be malicious
- Deploy AI-based tools that establish baseline email behaviors to recognize attacks
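An added example (not from the original post) of auditing the SPF and DMARC records named in the list above for weak settings. The records are constructed and each weak form is shown beside a corrected one; in practice the values would be fetched from the TXT record of the domain and of `_dmarc.<domain>`, and the domain names used here are placeholders.

```python
from typing import Dict, List

# Constructed records: the weak form beside a corrected one.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@acme.example; adkim=s; aspf=s"

def audit_spf(record: str) -> List[str]:
    """Findings for an SPF TXT record; the final 'all' qualifier decides what spoofing earns."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing or malformed SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all authorizes every host on the internet to send as this domain")
    elif last == "?all":
        findings.append("?all is neutral: spoofed mail neither passes nor fails")
    elif last == "~all":
        findings.append("~all is softfail: receivers usually deliver it, so DMARC must do the rejecting")
    elif last != "-all":
        findings.append("record does not end with an 'all' mechanism")
    return findings

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-case tags."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(record: str) -> List[str]:
    """Findings for a DMARC TXT record."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["missing or malformed DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy '{policy}'")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts are lost")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings
```

The weak DMARC record produces three findings (monitor-only policy, no report address, partial enforcement) while the corrected records produce none.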
Use Robust Password Policies
Administrators should enforce strong passwords that change on a periodic basis. This prevents passwords from being reused and disrupts any access from an account that has been compromised. Robust password policies can also help prevent account takeover through brute-force attacks.
Educate Your Staff
Phishing training helps staff identify fraudulent messages that reach their inbox before acting on them. All levels of staff must take part in phishing training, as some attacks target high-ranking staff members specifically.
Phishing education often involves watching training videos but can also include sending a campaign of test phishing emails to the company. The phishing campaign sends faked messages to staff and records whether they open the link. This can help gauge your company’s level of phishing awareness and track improvements over time.
Prevent Brand Impersonation With a Cyberattack Takedown Service
Organizations seeking to avoid being impersonated in attacks targeting their own employees, customers, suppliers, and others are advised to employ cyberattack monitoring and takedown services.
Using our own offering as an example, Outseer FraudAction prevents imposters from exploiting your brand by continuously monitoring social media, app stores, and over a million URLs each day.
Through data science and our global partner network, the experts in our Anti-Fraud Command Center continuously scour the threat landscape for signs of brand abuse and the phishing sites used to support these scams. Once detected, we take immediate steps to shut down these sites and neutralize phishing attacks before they ever reach your employees or anyone else.
By seeing what others can’t, we stop these and other forms of fraud before they can cause financial harm or cause reputational damage. To learn how you can protect your customers through the power of frictionless fraud prevention, request a free demo today.