Protect Your Company and People from Evolving Phishing Attacks
Dylan Minton | Hiring Advice, Leadership, News | October 2, 2024
Phishing attacks are on the rise, and unfortunately, scammers are becoming more sophisticated in their methods by the day. Organizations are acutely aware that these threats exist, but how many companies are doing everything possible – today – to protect their businesses and employees?
Companies are targeted for access to their networks and sensitive data. Employees are targeted to aid penetration into company systems and networks, allowing scammers to steal not only employee login credentials but also their personal data and financial resources. Scammers use every available means of targeting people and companies, including through email, spoofing phone calls, text messages through mobile phones and free messaging apps, and in posts and private messaging on social media sites.
Consider this: In 2023, nearly nine million phishing attacks were detected worldwide, and in the first quarter of 2024, there were almost one million unique phishing sites worldwide. Phishing sites, which can appear to belong to legitimate companies, are fake websites that trick people into revealing personal information like passwords, bank information, or credit card numbers. Companies can take steps to prevent this.
New technologies and methods are available to counter increasingly aggressive phishing attempts, and current guidance is available through highly skilled cybersecurity consultants and specialists. This article provides insights and actions companies and employees can take to protect themselves.
What is a phishing scam and what are the most common types of phishing attacks?
- The most widespread type of phishing scam in 2023 was ‘bulk phishing,’ in which scammers send spam emails to as many people as possible in hopes that a fraction of targets fall for the attack. Approximately 86% of companies worldwide experienced this in 2023.
- Cyberattacks that deliver phishing scams via text messages are called ‘smishing.’ In 2023, around three in four organizations worldwide reported having experienced this type of attack.
- Also in 2023, business e-mail compromise (BEC) scams targeted nearly 21,500 victims in the United States alone. These scams, primarily delivered in the form of luring, aim to gain access to a business email account and imitate the owner’s identity to defraud the company and its employees, customers, or partners.
- In 2023, the U.S. Federal Trade Commission (FTC) received more than 330,000 reports of business impersonation scams (phishing sites).
- In voice phishing or ‘vishing’ attacks, a type of social engineering attack, bad actors use phones to acquire confidential information from victims. Seven in 10 organizations reported experiencing vishing scams in the most recently measured period.
How to prevent phishing scams from impacting your team and company
There are solid actions your company can take to protect your organization and employees from phishing and other cybersecurity threats, from data protection to employee training, deploying advanced cybersecurity technologies, and developing policies and procedures for the current times. Below are highly recommended ways to create a comprehensive defense against phishing scams.
From the Federal Trade Commission: The FTC advises companies to take the following five steps to protect themselves and their employees from phishing attempts:
1. Back up your data: Regularly back up your data and make sure those backups are not connected to your network. That way, if a phishing attack happens and hackers get to your network, you can restore your data. Make data backups part of your routine business operations.
2. Keep all security up to date: Always install the latest patches and updates to operating systems and applications. Look for additional means of protection, such as email authentication and intrusion prevention software, and set them to update automatically on your company’s computers. On mobile devices, you may have to do this manually.
3. Alert your staff: Share information about phishing attempts and attacks with employees. Keep in mind that phishing scammers often change their tactics, so make sure you include tips for spotting the latest phishing schemes in your regular training.
4. Deploy a safety net: Use email authentication technology to help prevent phishing emails from reaching your company’s inboxes in the first place.
5. Report it: If your company or employees experience phishing attempts via email, forward these emails to reportphishing@apwg.org – an email address used by the Anti-Phishing Working Group, which includes internet service providers (ISP), security vendors, financial institutions, and law enforcement agencies. And report it to the FTC at: FTC.gov/Complaint
More in-depth actions your company can take
Given the explosive growth in phishing and other cybersecurity attacks, companies are urged to pursue more comprehensive steps to further protect themselves and their teams from scammers.
1. Conduct penetration testing
- Penetration testing is a simulated cyberattack that’s used to identify vulnerabilities in company networks and applications. Early detection of flaws through these simulations enables security teams to rectify any gaps, prevent data breaches, assess compliance, build employee awareness of security protocols, evaluate the effectiveness of incident response plans, and ensure business continuity.
2. Establish or increase employee awareness and protection training
- Conduct regular training sessions to educate employees on identifying phishing attempts, including how to recognize red flags, suspicious links, unexpected attachments, and emails requesting sensitive information.
- Set up a process for employees to report suspected phishing emails to your IT department.
3. Protect company email addresses and your network
- Make it a policy that employees cannot use company email addresses on websites and other online platforms that are not required to perform company business. In other words, company email addresses should not be used for online platforms to shop, join social media platforms, or engage in any type of activity or transaction that is not related to company business or the employee’s job responsibilities. Any exceptions to this policy, such as creating online accounts with industry associations, business partners, or company vendors, should be stipulated in your policy.
- Deploy robust email spam filtering tools that block phishing emails before they reach employees.
- Implement the following protocols to verify the legitimacy of incoming emails and prevent spoofing: Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting & Conformance (DMARC)
- Require multi-factor authentication (MFA) for accessing company systems and sensitive data. This way, even if employee credentials are stolen, attackers can’t gain access without the second factor.
- Encrypt email communications to protect sensitive information from being intercepted or tampered with.
4. Establish protocols for remote access to your network and applications
- Require that employees who work remotely (full-time, part-time, or while on the road) have secure virtual private networks (VPN) and effective antivirus and data security software installed on their desktops, laptops, and mobile devices.
- Ensure that your network administrator establishes data security protocols for these employees in accessing your network and systems outside of company walls.
“The exponential growth of mobile devices, including mobile phones and tablets that have access to critical business applications and data, has empowered and enabled workers and enterprises across the world. However, evidence shows that security controls and policies have not kept pace with the evolving threat that this may pose. More than half of organizations (54%) in a recent study experienced a data breach due to employees’ inappropriate access to sensitive and confidential information on their mobile devices. It seems that cybercriminals and other bad actors have recognized the opportunity that lies within this new mobile-focused environment.” – Zimperium’s 2024 Global Mobile Threat Report
5. More security measures
- Perform regular software, application, and system updates. Keep all software, especially email clients and browsers, up to date with the latest security patches to reduce vulnerabilities.
- Limit privileges and access to ensure employees have access only to the information and systems they need to perform their jobs. This limits the damage if an account is compromised.
- Segment critical company systems to isolate and protect sensitive data from unauthorized access.
- Implement a firewall, an intrusion detection system (IDS), and an intrusion prevention system (IPS) to detect and block phishing attempts at the network level.
- Have a clear incident response plan in place so that employees know to immediately inform your security team if they suspect or fall victim to a phishing attempt or if their credentials are compromised.
- Monitor the web for lookalike websites that could be used by attackers to mimic your company’s online presence and initiate phishing attacks. Consider registering similar domains to prevent their misuse.
Recap on how to report phishing attempts
- Forward phishing emails to the Anti-Phishing Working Group at: reportphishing@apwg.org
- Forward phishing text messages to: SPAM (7726)
- Report phishing attempts to the FTC at: ReportFraud.ftc.gov
Get the right cybersecurity and IT specialists on your team
No matter what industry your company is in, the reality is that your organization – and every organization – is in the business of information technology. To keep operations humming and protect information, today’s companies need talented individuals who are knowledgeable and skilled in areas such as data science, cybersecurity, artificial intelligence (AI), cloud computing, machine learning (ML), and so much more.
Let Goodwin Recruiting help you find and onboard the right IT specialists for your team. We are a top information technology recruiting firm with IT recruiters located across the United States. Our experts can assist you in hiring for a wide range of positions.
Here are some of the areas we focus on when recruiting top talent for key tech positions:
- Executive Leadership and Management
- Compliance / Governance / Cybersecurity
- Software Development / Applications / Artificial Intelligence
- Business Analysis / Project Management
- Business Intelligence / Data Warehousing / Database Administration
- Networking / Technical Services
- Systems Integration and Implementation
- Infrastructure Management
- Quality Assurance
Below are some of the roles we have filled for our clients:
- CIOs and CTOs
- Directors of Technology
- Information Security Analysts
- Cybersecurity Specialists
- Software Engineers
- Systems Analysts
- Database Administrators and Data Analysts
- Web Developers and UX Designers
- App Developers
- DevOps Engineers
- Network Administrators and Engineers
- Applications Architects and Engineers
- Training and Support Specialists
- Cloud Engineers / Cloud Computing Specialists
- Business Intelligence Analysts
Share This Article