Last updated on March 8, 2021
As phishing continues to be an ongoing threat to businesses and individuals alike, I wanted to discuss some recommended steps that, when applied, can help mitigate these threats. While no single solution will completely negate such threats, following the recommended steps below will increase the likelihood of detecting a phishing attack and avoiding becoming its victim.
Phishing Attack Prevention
Even if a phishing email reaches your inbox, it still requires you to take a specific action (clicking a link, opening an attachment, etc.) to succeed. This is why it’s important to know what to look out for, and what to do when you see something suspicious. Knowing what to look for can be the difference between falling victim to a phishing attack and avoiding one.
Below are some steps to help reduce the chances of falling victim to a phishing attack. While many of these will be of more value to an organization, they can still be applied to our daily lives when using personal email:
Review security practices: If phishing tests are being done on a regular basis, make sure to collect as much data as possible. This includes the number of interactions each message receives (was it opened, deleted, sent to spam, etc.), whether the link or attachment was opened, the device used (mobile or PC), etc. This data paints a bigger picture and lets you analyze employee security awareness when dealing with phishing. Once you have an idea of where your users stand, you can work on devising a solution to train and prepare them to avoid falling victim to such attacks.
Educate users through exposure: If users are not already being regularly exposed to phishing through some form of training (such as simulated phishing emails, newsletters, etc.), start doing so. By exposing users to phishing tests, you give them the opportunity to interact safely with a realistic phishing attack while negating the risk. As with any training environment, this allows people to make mistakes and learn from them.
Encourage change: If it is not already in place, work with leadership to create a culture of awareness within the company. Encourage employees to participate in training and have no punishments for failing such training. Create a welcoming environment where they can try and fail if necessary, so they can learn from the lesson, and offer a route for reporting suspicious emails. Recognition and reward can go a long way for people. Find creative ways to encourage participation and reward success!
Clear instructions: Make sure that everyone company-wide knows how to report potential phishing emails. Reported emails should also receive a response within a reasonable time, so users know whether what they reported was legitimate or not and see that reporting gets a timely answer. Phishing attacks rarely target just one user in an organization; there is a good chance that others have received the same phishing emails as well. Be proactive, not reactive, when possible!
Targeted training: While training all departments is important, it’s also important to recognize that certain departments are at higher risk. High-risk departments can include users with elevated access to systems (IT / IS), users with access to customer data, Finance, HR, etc. These departments may require customized training efforts to help reduce the additional risk of one of these users falling victim to an attack.
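As an added illustration of the "Review security practices" and "Targeted training" steps above (this is example code, not something from the original post), the script below aggregates the fields the post recommends collecting from phishing tests (opened, link/attachment clicked, device, reported, and how long the report took) into per-department and per-device rates, and orders departments for targeted training, placing the high-risk ones the post names first. The records, department names, and the 20% click threshold are constructed assumptions for the demonstration.

```python
from collections import Counter, defaultdict
from statistics import median

# Departments the post singles out as higher risk (assumed set for this example).
HIGH_RISK_DEPTS = {"IT", "Finance", "HR"}


def rec(dept, device, opened, clicked, reported, report_minutes=None):
    """One constructed phishing-test result for a single user."""
    return {"dept": dept, "device": device, "opened": opened,
            "clicked": clicked, "reported": reported, "report_minutes": report_minutes}


# Constructed sample results (not real data).
SAMPLE_RESULTS = [
    rec("Finance", "mobile", True, True, False),
    rec("Finance", "pc", True, False, True, 12),
    rec("Finance", "mobile", True, True, True, 45),   # clicked first, reported later
    rec("Finance", "pc", False, False, False),
    rec("Sales", "pc", True, False, True, 5),
    rec("Sales", "pc", False, False, False),
    rec("Sales", "mobile", True, False, False),
    rec("Sales", "mobile", True, False, True, 20),
    rec("IT", "pc", True, False, True, 3),
    rec("IT", "pc", True, True, False),
]


def summarize(results):
    """Per-department open, click and report rates plus median minutes-to-report."""
    by_dept = defaultdict(lambda: {"sent": 0, "opened": 0, "clicked": 0, "reported": 0, "mins": []})
    for r in results:
        d = by_dept[r["dept"]]
        d["sent"] += 1
        d["opened"] += int(r["opened"])
        d["clicked"] += int(r["clicked"])
        d["reported"] += int(r["reported"])
        if r["reported"] and r["report_minutes"] is not None:
            d["mins"].append(r["report_minutes"])
    return {dept: {"sent": d["sent"],
                   "open_rate": round(d["opened"] / d["sent"], 2),
                   "click_rate": round(d["clicked"] / d["sent"], 2),
                   "report_rate": round(d["reported"] / d["sent"], 2),
                   "median_report_minutes": median(d["mins"]) if d["mins"] else None,
                   "high_risk": dept in HIGH_RISK_DEPTS}
            for dept, d in by_dept.items()}


def click_rate_by_device(results):
    """Share of messages whose link/attachment was opened, split by device type."""
    sent, clicked = Counter(), Counter()
    for r in results:
        sent[r["device"]] += 1
        clicked[r["device"]] += int(r["clicked"])
    return {dev: round(clicked[dev] / sent[dev], 2) for dev in sent}


def training_priority(summary, click_threshold=0.2):
    """Departments ordered for targeted training: high-risk ones over the click threshold first, then by click rate."""
    def key(dept):
        s = summary[dept]
        return (-int(s["high_risk"] and s["click_rate"] >= click_threshold), -s["click_rate"], dept)
    return sorted(summary, key=key)
```

Running `summarize(SAMPLE_RESULTS)` on the constructed data shows Finance and IT both at a 50% click rate, and the device split shows mobile readers clicking far more often than PC readers, which is the kind of finding that drives the customized training the post recommends.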
It’s important to remember that the goal of phishing training is to make people more aware of the threats involved. Create a friendly and welcoming environment that encourages people to report suspicious emails and to participate in training.
Be supportive and understanding when dealing with users who are taking part in any phishing-related activities. If they get phished (test or no test), don’t make them feel bad; make it clear that you are not trying to get people in trouble and are only there to help them avoid falling victim to a phishing attack.