Prepare for a phishing attack before it is too late

07 June 2026

Cybercriminals are planning phishing attacks targeting your employees. A moment of inattention may allow malicious actors to gain access to confidential company data. U.S. federal authorities have prepared guidelines whose implementation may stop an attack at its initial stage and protect your organization’s data.


The Author:

r.pr. Paweł Radecki


What phishing is and what its purpose is

Phishing is based on social engineering. Its purpose is to persuade the victim to disclose login credentials (e.g. passwords) or to take actions that result in the involuntary installation of malware, which will compromise the security of the company’s IT system.

In October 2023, U.S. federal authorities: the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) developed a joint guide containing advice on how to prepare for a phishing attack. Implementing these recommendations may reduce the impact of an attack on your company.

Phishing as a carefully prepared trap

Employees are aware that login credentials, such as usernames and passwords, are confidential. For this reason, cybercriminals in a carefully planned phishing attack exploit the psychological factor of trust – in supervisors, close co-workers, or IT personnel. The targeted employee is supposed to believe that the request for login credentials comes from a credible source. Criminals use many tricks designed to impersonate a trusted sender. These may include fake emails or text messages on platforms such as MS Teams, WhatsApp, or Facebook Messenger. VoIP technology may also be used so that the attacker can spoof a trusted caller ID.

Implementing multi-factor authentication (MFA) reduces the risk of a phishing attack, but does not eliminate it. Criminals may deceive your employee by sending them an email with a link to a malicious website that mimics a genuine login screen. In this way, they will try to persuade the employee to enter on the fake site the real MFA code that the official, legitimate server sent to their mobile device. An equally effective, though less subtle, attack method may be to "flood" the employee’s device with a huge number of login approval requests. Criminals do this because they hope the victim will approve the request by mistake or out of sheer frustration.

Attacks aimed at installing malware on company assets rely on exploiting similar psychological factors. The attacker uses trust to persuade the employee to click on a link or attachment that has been sent. The intended effect is to launch the malware.

Seemingly harmless or concealed links and attachments may be prepared by attackers themselves or using free, publicly available tools (such as GoPhish or Zphisher). Deceiving an employee is easier in the case of online platforms that conceal the actual internet address (URL) to which the received link leads.

How to protect login credentials

To effectively protect login credentials, the human factor should be addressed first. CISA, NSA, FBI and MS-ISAC clearly indicate the need to implement employee training in social engineering and phishing attacks. Regular education will make it easier to recognise suspicious messages and links. Employees should be instructed to report every instance of contact with potential traps.

At the technology level, it will be helpful to implement systems that verify the servers from which received messages were sent. Such systems include, for example, DMARC (Domain-based Message Authentication, Reporting and Conformance), SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). These tools make it possible to block suspicious messages and notify IT staff of the incident. As a result, they reduce the risk that an employee will be misled by a fake email pretending to come from a trusted domain, e.g. from the employee’s own company. An additional function of such systems is the ability to notify the legitimate domain owner that someone has attempted to impersonate it.
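As an added illustration (not code from the guide or from any mail library), the DMARC decision a receiving gateway makes once SPF and DKIM have already been evaluated: the message passes only if an authenticated domain aligns with the domain in the From: header, and otherwise the sender's published policy decides what happens to it. The domain names and the DMARC record below are constructed.

```python
"""Minimal DMARC verdict for an inbound message: is the message authorised
for the domain in its From: header, and which policy applies if not?
Constructed example, not code from the guide or any mail library: the
SPF/DKIM results normally come from the gateway and the record from a
DNS TXT lookup of _dmarc.<from-domain>."""

def org_domain(domain: str) -> str:
    # Simplification: take the last two labels as the organisational
    # domain (real implementations consult the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # DMARC identifier alignment: "s" (strict) requires an exact match,
    # "r" (relaxed) accepts any subdomain of the same organisational domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record: str) -> dict:
    # "v=DMARC1; p=reject; rua=mailto:..." -> {"v": "DMARC1", "p": "reject", ...}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_verdict(from_domain, spf_result, spf_domain,
                  dkim_result, dkim_domain, record):
    """Return (result, action): result is "pass"/"fail", action is what
    the gateway should do with the message under the sender's policy."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Failed messages are also reported to the address in "rua", which is
    # how the legitimate domain owner learns about impersonation attempts.
    action = {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p", "none"), "deliver")
    return "fail", action

if __name__ == "__main__":
    # Spoofed mail: From: claims example.com, but SPF only passes for the
    # sender's own domain and there is no DKIM signature at all.
    print(dmarc_verdict("example.com", "pass", "attacker.example", "none", "",
                        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```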

It is worth considering the implementation of a system for monitoring email and messenger traffic, which will alert the organisation to increased communication volume compared with the established baseline level.

It is recommended to use free security tools, such as OpenDNS Home, which reduce the risk of employees being redirected to malicious websites.


MFA can increase the security of login credentials, provided it is implemented appropriately. The Americans recommend implementing MFA based on FIDO (Fast Identity Online) mechanisms or on public key infrastructure (PKI), which are resistant to typical phishing attacks. This applies in particular to administrator and privileged user accounts. If the organisation cannot implement these mechanisms, it should use number matching to minimise the risk of a successful attack.

An additional safeguard is the use of centralized logging systems as part of a single sign-on (SSO) program. This mechanism both enhances security and provides IT staff with access to information about the history of events. Such information will facilitate the taking of appropriate action in the event of suspected security breaches.

The organisation should continuously monitor login attempts. A policy of account blocking should be implemented in the event of unusual activity or repeated malicious login attempts. Prioritising security may mean temporary inconvenience for users, but it will protect the company from a serious security incident.
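The monitoring and account-blocking policy described above, as an added example that is not part of the guide: it scans a constructed authentication log (format and thresholds are assumptions, and the log is assumed to be in chronological order), locks an account after repeated failed passwords in a short window, and separately flags the MFA push flooding mentioned earlier, where one user receives many approval prompts in quick succession.

```python
"""Detection over authentication log lines: lock an account after repeated
failed logins in a short window, and alert on MFA push flooding (many
approval prompts to one user). Constructed example and log format, not the guide's code."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # failed passwords before lockout
PUSH_THRESHOLD = 4                 # MFA prompts before a flood alert
WINDOW = timedelta(minutes=5)

# Constructed sample log: "<iso-time> user=<u> event=<e> result=<r>".
SAMPLE_LOG = """\
2024-03-04T09:00:01 user=alice event=login result=fail
2024-03-04T09:00:08 user=alice event=login result=fail
2024-03-04T09:00:20 user=alice event=login result=fail
2024-03-04T09:00:31 user=alice event=login result=fail
2024-03-04T09:00:45 user=alice event=login result=fail
2024-03-04T09:02:00 user=bob event=mfa_push result=sent
2024-03-04T09:02:05 user=bob event=mfa_push result=sent
2024-03-04T09:02:09 user=bob event=mfa_push result=sent
2024-03-04T09:02:14 user=bob event=mfa_push result=sent
2024-03-04T09:30:00 user=carol event=login result=fail
"""

def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def analyse(log_text: str) -> tuple:
    """Return (accounts_to_lock, push_flood_alerts) as sorted lists."""
    fails, pushes = defaultdict(deque), defaultdict(deque)
    locked, flooded = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "login" and rec["result"] == "fail":
            queue, hits, limit = fails[rec["user"]], locked, FAIL_THRESHOLD
        elif rec["event"] == "mfa_push":
            queue, hits, limit = pushes[rec["user"]], flooded, PUSH_THRESHOLD
        else:
            continue
        queue.append(rec["ts"])
        while rec["ts"] - queue[0] > WINDOW:   # drop events outside the window
            queue.popleft()
        if len(queue) >= limit:
            hits.add(rec["user"])
    return sorted(locked), sorted(flooded)
```

In practice the lockout list feeds the identity provider and the flood alerts go to the help desk, since a user being flooded is the one who must be told not to approve the prompt.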

It is necessary to introduce rules for reporting any phishing incidents and to implement a documented incident response plan for such events.

What to do to reduce the risk of malware installation

The execution of malicious code within an organisation's IT system is particularly dangerous, so appropriate technical safeguards should be implemented.

The Americans recommend enabling a denylist on the email gateway and configuring firewall rules. This measure can block known malicious domains, URLs and IP addresses, as well as file extensions such as .scr, .exe, .pif and .cpl, and mislabelled files (e.g. an .exe file labelled as a .doc file).
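To show what the gateway check behind this recommendation looks like, an added example that is not code from the guide: it blocks the denylisted extensions named above and, by comparing the leading bytes of the file with the extension it claims, catches a mislabelled file such as an executable named .doc. The signature table is deliberately small and illustrative.

```python
"""Attachment policy check of the kind an email gateway applies: block the
denylisted extensions from the guide and files whose content does not
match the extension they carry (e.g. an executable labelled .doc).
Constructed example, not code from the guide; the signature table is
deliberately small and illustrative."""

DENYLISTED_EXT = {".scr", ".exe", ".pif", ".cpl"}

# Leading bytes ("magic") of some common formats. A Windows executable
# starts with "MZ", legacy Office files are OLE compound documents and
# .docx/.xlsx are ZIP containers.
MAGIC = {
    b"MZ": "pe-executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-document",
    b"PK\x03\x04": "zip-container",
    b"%PDF": "pdf",
}

# What the content should look like for a given claimed extension.
EXPECTED_TYPE = {
    ".doc": "ole-document", ".xls": "ole-document",
    ".docx": "zip-container", ".xlsx": "zip-container",
    ".pdf": "pdf",
}

def detect_type(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) where verdict is "block" or "allow"."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""   # last extension only
    if ext in DENYLISTED_EXT:
        return "block", f"denylisted extension {ext}"
    actual = detect_type(data)
    if actual == "pe-executable":
        # Executable content is blocked whatever the name claims.
        return "block", f"executable content labelled as {ext or 'no extension'}"
    expected = EXPECTED_TYPE.get(ext)
    if expected and actual != expected:
        return "block", f"{ext} content is {actual}, expected {expected}"
    return "allow", "ok"
```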

The principle of least privilege should be implemented, which means, among other things, allowing only designated administrator accounts to be used for administrative purposes. This also involves restricting the administrative privileges of macOS and Windows users on standard workstations.

It is recommended to introduce an allowlist of applications that employees may use. The use of macros should, as a rule, be blocked. An additional level of security can be achieved by building an internal "app store". This will make it possible to install only software that has been previously approved.

It is also necessary to ensure the security of the installed web browser, for example by means of a remote browser isolation (RBI) mechanism on remote workstations. This mechanism prevents the spread of malware by quarantining it. The browser is also protected by free security tools such as Quad9 or Google Safe Browsing, which identify and block malware.

A system-level solution is the proper configuration of a protective DNS server, which will prevent attackers from redirecting users to malicious websites. Access services for protective DNS servers are available in both free and paid versions, such as OpenDNS Home or Cloudflare Zero Trust Services.

What smaller companies can do

Implementing some of the solutions described is costly, but a limited budget does not justify neglecting security. The American report also contains guidance for smaller companies that must account for every dollar spent.

The most important factor is people. A standard annual anti-phishing training programme is essential, and it should always conclude with verification that the employee has absorbed the information provided. Without attention to employee awareness, technical measures are likely to fail.

On the technical side, the implementation of strong MFA is crucial; U.S. federal organisations consider it the best way to protect small companies from phishing. Some of the recommended solutions, such as firewall denylist rules, can be implemented without incurring significant costs. The basics must not be forgotten – the deployment of antivirus software and automatic software updates. It is also worth configuring a virtual private network (VPN) that uses MFA.

Maintaining an in-house e-mail server is risky for a small business owner. In such a case, migration to cloud-based e-mail services is recommended. Trusted cloud service providers maintain a consistent level of system security through oversight by qualified personnel, regular vulnerability patching and software updates. This means that, in the case of cloud services, the ongoing responsibility for the security of e-mail servers is economically outsourced to professional providers.

At relatively low cost, security can be enhanced through appropriate internal policies and procedures. It is recommended to implement a strong password policy that clearly sets out the minimum password length and requires the use of numbers, special characters, and letters of varying case. Employees should comply with the prohibition on reusing previously used passwords. It is also worth introducing a policy for secure use of websites. This will prevent employees from visiting sites that may pose a threat.

How to respond in the event of a phishing attack

A ready-made action plan will prove indispensable in the event of an incident. The first step is to cut off the attacker’s access. Regardless of whether login credentials have been disclosed or malware has been installed, you should begin by resetting the accounts of the affected employees. This will enable them to continue working without unnecessary downtime.

Next, the compromised account should be thoroughly checked to ensure that the unauthorized access has been stopped.

It is worth isolating the workstation that was attacked from the network. The purpose of this step is to prevent further spread of malware within the company network.

The detected malware should be analyzed, which requires specialist expertise. This work can be outsourced to professional malware analysis services.

Finally, the malware must be removed and the systems restored to normal operation. Once these steps have been completed, the workstation may be reconnected to the network.

Summary

Data and know-how are key assets in the modern economy. Cybercriminals know this, which is why they prepare further phishing attacks. The threat is real and does not allow for passivity. Many businesses have already taken steps to implement appropriate safeguards.

If nothing has been done so far in your organization to protect against phishing attacks, make use of the guidelines presented above. They contain many tips that will help you ensure a secure future for your company.
