Phishing, the practice of sending malicious emails to encourage users to perform actions that benefit an attacker, is a key security concern for modern businesses due to its prevalence and impact. Today, businesses are working hard to protect against phishing and have clear strategies around escalating suspicious emails to technical personnel and a wealth of phishing awareness training.
Due to these factors and the increasing effectiveness of automated systems blocking phishing emails, sending large numbers of generic phishing messages hoping that a user may click on them has become less effective. Even simple changes like blocking email from domains that have only recently been registered filters out many phishing messages before they even reach users inboxes.
This has forced attackers to evolve their phishing approaches. In contrast to the past, modern phishing is more organized, sophisticated, and dangerous than ever before. High-value targets are now specifically targeted, and these attacks are backed by research into your company and employees.
This reveals a scary truth about phishing emails: With enough effort on the attacker's part, no matter how well-trained or technically capable users are, phishing emails can be created that are sufficiently convincing that users will click on them.
To make matters worse, legitimate companies make emails that look like phishing. All the big names in computing have at least one unofficial-looking plain-text email that looks like phishing. This teaches users to ignore the warning signs. Please make sure you don't do this if you send emails to clients.
So, what can be done against modern phishing attacks? This is where the real secrets in defending against not just phishing but a wide variety of threats come in:
Reducing and securing access
If the targeted user doesn't have access to critical or vulnerable systems, the effectiveness of phishing is severely limited. Even when a user's access to a system is compromised, if the actions a user can undertake are tightly restricted to just what is required to perform their role, the attacker will generally be limited to carrying out only those same actions.
This is why executives make good targets. They often have a high level of access to systems, and no one feels comfortable telling their boss that they shouldn't have access to any system, especially the critical ones.
If two-factor authentication is enforced on important systems, this can provide an additional layer of protection that limits attackers.
Patching vulnerable applications
If you can't remove access, ensure that applications are security tested and patched to avoid common vulnerabilities exploited by phishing. If an attacker can see that you're running old software with a publicly known vulnerability, their job is made notably easier. Sometimes all these vulnerabilities require to be triggered is that a logged-in user clicks on a link in an email, and then the attacker gains access.
Have a blameless reporting culture
Anyone can click on a phishing link, and while training helps, no amount of training will make users impervious.
Have a clear line of reporting to IT, with a quick follow up to take measures to reduce the risk of compromise. For example, if someone entered their credentials into a site that wasn't reputable, you can change those credentials immediately.
Have tested, functioning backups
At the end of the day, even if every effort has been made, there is still a risk that users will be victims of a severe phishing attack. In this case, having backups that have been tested to restore correctly containing all the information required to get the business back on its feet after a severe compromise is key.
In the end, the best defence against phishing is a strong security posture with sensible actions carried out ahead of time.