Due to the Covid-19 pandemic, criminals are targeting people working from home, and phishing attacks have risen dramatically.
Employees working from home are vulnerable to cyber attacks since they can’t reach IT teams directly and they lack some security tools at home. In this blog, I am going to discuss how you can protect your company against phishing attacks in 2020.
Phishing attacks are one of the most dangerous threats to companies. According to a security report, 34.43 billion phishing emails were received in China in 2019, 68.5% more than in 2018. According to statistics, in 3 years, companies in the US and 177 other countries have suffered over 25 billion dollars’ worth of losses.
1 – What risks do phishing attacks pose?
Spam phishing attacks are designed as mass-mailing attacks and are non-targeted. But there are other types of phishing that aim at selected targets, such as spear-phishing and whaling. In spear-phishing attacks, attackers research the target to find information such as social media accounts, financial reports, etc. They use the results of that research to make more legitimate-looking emails.
Whaling is another version of a spear-phishing attack. In whaling, attackers aim at “whales”, the bigger, more important targets, such as the CEO or CFO. Whaling can take longer to execute because of the target’s capacity. Not surprisingly, whaling causes more damage than simple phishing attacks.
a) Phishing Attacks Can Cause Serious Security Problems
Theft of personal information – Many phishing attacks include links or attachments. Attackers usually ask you to enter your credentials on the web page they sent. If you don’t notice the phishing attack and enter your credentials, they might get captured by the attackers.
Financial damages – Attackers might ask for a money transfer with well-made phishing attacks. In another scenario, attackers might use sniffing attacks to take over all the victim’s email accounts to find out the authority structure of the company. After learning the authority structure, the attacker might use the email accounts to loot money from the company.
Reputational loss – Money isn’t always all the attackers want. They can also attack the company’s reputation. They might send junk mail and phishing emails to all contacts, including clients, business partners, etc. That creates confusion and embarrassment. Those types of attacks reduce confidence and might also lead to the loss of clients. This usually does more damage than other security risks.
2 – How can you protect your company against phishing attacks?
Before looking at solutions for defending against phishing attacks, there are several questions you should ask your employees. The answers to these questions are essential for finding out who is most likely to “take the bait”. Asking staff these questions is the first step in preventing damage from phishing attacks.
- Do employees click on the links or open the attachments in these emails?
- How long does it take your IT team to know if an account has been compromised?
- Do you know which of your employees are more likely to open these types of emails?
a) Use an IAM platform against phishing attacks
IAM (Identity and Access Management) is a framework that contains tools and policies to manage employees’ access to the company’s assets. An IAM platform mostly includes four main features:
- User Management
- Central User Repository
MFA is the core component of IAM and one of the most effective options for preventing phishing attacks.
To increase identity protection, enable multi-factor authentication
MFA is based on three types of information for authentication:
- Passwords, PINs – Things you know
- Phone numbers to receive a one-time code – Things you have
- Biometric information such as fingerprints, face, retina – Things you are
MFA blocks almost every attempt by somebody to do something that you don’t allow.
Use AI flags to check suspicious log-on activity in your company
AI-based user activity analysis in the IAM platform can protect your company against phishing attacks. For example, if the AI catches something suspicious, it immediately warns the IT security team. This feature makes it pretty useful in a company.
The IT team can check activity logs and review the details to identify unusual incidents, such as an attacker trying to log in with the correct username and password but failing to pass MFA from a different location.
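The log review described above (correct username and password, but MFA failed from a different location) can be automated. The following is an added example, not part of the original post or any IAM product: it scans constructed JSON log lines, and the field names (`user`, `country`, `password_ok`, `mfa_ok`) and the chronological ordering of events are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events (not real logs). Field names are assumptions;
# map them to whatever your IAM platform actually exports.
SAMPLE_LOG = """\
{"ts": "2020-05-04T08:01:12Z", "user": "alice", "country": "DE", "password_ok": true, "mfa_ok": true}
{"ts": "2020-05-04T08:03:40Z", "user": "bob", "country": "DE", "password_ok": true, "mfa_ok": true}
{"ts": "2020-05-04T09:15:02Z", "user": "bob", "country": "DE", "password_ok": false, "mfa_ok": null}
{"ts": "2020-05-05T02:44:19Z", "user": "alice", "country": "BR", "password_ok": true, "mfa_ok": false}
{"ts": "2020-05-05T02:45:03Z", "user": "alice", "country": "BR", "password_ok": true, "mfa_ok": false}
{"ts": "2020-05-05T07:58:30Z", "user": "bob", "country": "DE", "password_ok": true, "mfa_ok": false}
{"ts": "2020-05-05T08:00:00Z", "user": "not-json
"""

def find_suspicious_logons(log_text):
    """Flag logons where the password was correct but MFA failed from a
    country with no earlier complete logon for that user.
    Assumes events are in chronological order. Returns (alerts, skipped)."""
    known = defaultdict(set)  # user -> countries with a password + MFA success
    alerts = {}               # (user, country) -> alert record
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts, user, country = ev["ts"], ev["user"], ev["country"]
            pw_ok, mfa_ok = ev["password_ok"], ev["mfa_ok"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1      # count unparsable lines rather than hiding them
            continue
        if pw_ok and mfa_ok:
            known[user].add(country)
        elif pw_ok and mfa_ok is False and country not in known[user]:
            # A valid password means the credentials are probably stolen.
            alert = alerts.setdefault((user, country), {
                "user": user, "country": country,
                "first_seen": ts, "attempts": 0})
            alert["attempts"] += 1
    return list(alerts.values()), skipped

if __name__ == "__main__":
    found, bad_lines = find_suspicious_logons(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['user']}: {a['attempts']} MFA failure(s) from {a['country']} "
              f"since {a['first_seen']}; reset the password")
    print(f"{bad_lines} line(s) could not be parsed")
```

An MFA failure from a location the user has already logged in from (bob in the sample) is not flagged, which keeps mistyped codes from flooding the IT team.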
b) Organize security awareness training
Remember, employees of a company are the last line of defense against attacks. Through security awareness training, the company will be able to identify the most vulnerable staff and provide them with different training than a general-level training program.