Phishing is on the increase. Here cyber security specialist Malwarebytes Labs gives advice to businesses on their anti-phishing policies. The company says if you don’t already have one, now is the time to implement an anti-phishing plan.
What should you do?
While it’s nearly impossible to predict every threat model, or what an attacker may want with your company’s data, you can thwart phishing attacks by putting in place a clear anti-phishing plan. There’s never been a better time to start beefing up your cybersecurity policy for employees, as well as update your website with solid anti-phishing tips for your customers.
Anti-phishing tips for your employees
- Malware is not always contained in attachments. Often phishers will send perfectly clean files as an additional confidence trick. “Please fill this in and send it back,” they’ll say. Having said that, many phish campaigns will happily try to backdoor a network with a rogue file alongside a phish attempt. When in doubt, do not open the file. Instead, try to contact someone you know from the organisation listed in the e-mail to confirm.
- Mobile devices are particularly at risk from lengthy scam URLs, as the visible portion may be tailored to appear legitimate, but the rest of it - which would give the game away - is hidden off-screen. Employees checking e-mail on their phones or browsing the Internet should always review the whole URL before clicking. If it looks suspicious, or uses numbers or peculiar letters in place of what you’d expect to be there, it’s best to leave immediately.
- Dubious apps are also a potential problem, so it’s best to review any app you plan to install on your work mobile device or desktop with a hawk’s eye. Are the logos the same? Does the user experience match what you’d expect?
- Promoted content on social media can lead to phishing, and it’s worth advising all employees and customers to be wary of this, especially as ads tend to be targeted to your interests. While you may not want to prohibit use of social media at work entirely (especially as it’s part of the job for many folks in marketing), recommending that users do not engage on social media from work devices, or limiting their engagements to work-specific tasks, could help thwart phishing attempts.
- Bit of a niche one, but you may wish to advise employees not to try and waste the spammer’s/phisher’s time during work hours. Using personal accounts is all fun and games, but replying with anything work-related could go terribly wrong. The bad guys know your work mail exists for one thing, and they’ll either spam it hard, send you more junk, or go after your business even more than they were already.
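To make the long-URL and lookalike-letter tips above concrete, here is an added example (my own code, not from the Malwarebytes article) that pulls the real hostname out of a link and flags the tricks described: a brand name placed in the path or before an `@`, a brand used only as a subdomain, and digits or letter pairs standing in for the expected letters. The substitution table and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed table of common swaps seen in lookalike domains (constructed, not from the article).
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(label):
    """Undo digit/letter-pair substitutions so 'paypa1' or 'arnazon' fold back to the brand."""
    out = label.lower()
    for fake, real in SUBSTITUTIONS.items():
        out = out.replace(fake, real)
    return out


def inspect_url(url, brands):
    """Return (true_host, reasons). An empty reasons list means nothing suspicious was found."""
    if "://" not in url:
        url = "https://" + url  # text copied from a mail often lacks the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Crude registrable-domain guess: the second-to-last label. A production check
    # would consult the public suffix list (brand.co.uk would be misjudged here).
    owner, subdomains = labels[-2:-1], labels[:-2]
    # Everything outside the hostname is decoration: the browser ignores it when
    # deciding where to connect, which is exactly what the long-URL trick relies on.
    decoration = " ".join(
        filter(None, [parts.username, parts.path, parts.query, parts.fragment])
    ).lower()
    reasons = []
    for brand in brands:
        if owner == [brand]:
            continue  # the host really belongs to the brand
        if brand in subdomains:
            reasons.append(f"'{brand}' is only a subdomain of '{host}'")
        if brand in decoration:
            reasons.append(f"'{brand}' appears outside the hostname ('{host}' decides the destination)")
        if owner and owner[0] != brand and normalise(owner[0]) == brand:
            reasons.append(f"'{owner[0]}' is a lookalike of '{brand}'")
    return host, reasons


if __name__ == "__main__":
    # Constructed sample links; 198.51.100.23 is a documentation-range address.
    for sample in ["https://www.paypal.com/signin",
                   "https://paypal.com.account-verify.example/login",
                   "https://paypal.com@198.51.100.23/",
                   "https://paypa1.com/", "https://arnazon.com/deals"]:
        print(sample, "->", inspect_url(sample, ["paypal", "amazon"]))
```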
Anti-phishing tips for your customers
Look at some anti-phish pages from the biggest brands. You’ll notice that they all mention the most obvious forms of attack. If you’re eBay, you’re going to see customers sent fake auction missives, or “problem with your auction” attacks. For Apple, it’ll be issues with pending refunds for items they don’t remember purchasing. This is how you should lead the charge.
- Point out that the presence of a padlock isn’t a guarantee the site they’re on is real. Certificates for websites are easily obtained for free these days, and scammers are taking full advantage of it. It may have been useful to tell people “Avoid sites with no padlock because it isn’t real” years ago, but the game has changed and so must your messaging.
- Warn them about bad spelling, errors in formatting, and e-mail addresses in the “From” field which look suspicious. Also mention that many phishers spoof mails in the “From” field so this isn’t a guarantee of safety either. Perhaps the formatting and design are different from what you usually receive from an organisation? Maybe the logo looks pixelated or the buttons are different colours? The possibilities are endless.
- Desperation is a sure-fire sign that something may be wrong. It’s panic buying, but not as we know it. E-mails claiming a tight time limit to log in and perform an action, alongside the threat of losing X or Y forever, are a good sign of bad things afoot.
- Warn customers off e-mails asking for additional personal information (and if your organisation sends such e-mails, try to wean yourself off this practice too). Sending links to sites that ask for logins is bad practice. Train your customers and employees out of this habit. If they don’t click links asking for information, the battle is halfway won.
My business uses Office 365, what else can I do?
Microsoft has a handy list of security suggestions for you to deploy on your network.
And finally …
Google has come up with a short, fun, and difficult anti-phishing test. It’s a fantastic way to experience some common phishing techniques safely. There aren’t many ways to experience real phishing examples in a safe environment, so it’s well worth having a go. You’ll likely find that there are a few tactics in there you haven’t seen before, and it’s always a good idea to test your employees on some left-field phishing techniques. However you choose to go about putting together an anti-phishing plan for your organisation, we wish you many years of safe e-mailing ahead.
Read Malwarebytes' blog here.