Phishing attacks are a growing risk for companies of all sizes. Organizations from small mom-and-pops to the largest corporations regularly fall victim to phishing attacks. All it takes is for one employee to click on the wrong link or open an infected file, and attackers have an open door to the company’s network.
Last year, phishing attacks reached an all-time high, and we expect to see the number of phishing attacks grow even more quickly this year. Both random “spray-and-pray” attacks and targeted spear phishing attacks are popular with online criminals for a simple reason: they work.
Email is the key communication tool for most companies, and many employees spend the majority of their workday in their email inbox. Employees — and executives — are busy, and, being human, they’re prone to fall for the psychologically sophisticated temptations deployed by criminals.
To combat phishing, employee education is necessary but not sufficient. Companies must also invest in filtering, both to stop phishing messages from reaching their employees and to stop their own networks from being used to send phishing spam.
Phishing targets an organization’s weak links: no matter how advanced a company’s firewalls and malware scanners are, if a phishing email gets through and an inattentive employee is tricked, the attacker wins. Employees need to be suspicious of email and know how to spot a potential phishing attack.
But anti-phishing policy that puts too much of a burden on employee vigilance is bound to fail. Even the best-trained employees can make a mistake when all their attention is focused on being productive. There is plenty of evidence that people who should know better — even technical experts who fully understand the risks — can suffer from lapses in judgement and attention.
Punishing employees who cause a security breach by falling for a phishing email isn’t much more effective. Even the most motivated employee can be tricked by a sophisticated and convincing attack.
The optimal approach is defense in depth: educate employees, but also limit the number of phishing emails that reach their inboxes in the first place.
In addition to protecting their networks from incoming phishing attacks, companies have a responsibility to ensure they aren’t also being abused to send phishing emails. Spammers use compromised servers, and compromised hosting, email, and content management system accounts, to send phishing spam. A network that is seen sending spam will almost certainly be blacklisted by email providers, crippling the company’s ability to get legitimate email delivered.
Smart reactive filtering of both incoming and outgoing email helps mitigate the risk that phishing poses to a company’s private data and to its ability to get email delivered. Before email crosses the border between the internet and your network, it should be scanned for the tell-tale signatures of spam or a phishing attack.
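As an added illustration of what a border filter actually looks for in both directions (this is example code written for this page, not any vendor's product or ruleset), the toy filter below scores inbound messages on four classic phishing tells and flags outbound accounts whose sending pattern looks like a compromised mailbox rather than a person. The sending domain `OUR_DOMAIN`, the risky-extension list, the volume thresholds, and all sample messages and the outbound log are constructed assumptions for the example.

```python
import email
import re
from collections import Counter, defaultdict
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domain we send from; used to spot senders impersonating us.
OUR_DOMAIN = "example.com"
# Assumption: attachment types we will not deliver without further inspection.
RISKY_EXT = (".exe", ".js", ".scr", ".hta", ".iso", ".vbs", ".docm", ".xlsm")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def _domain(addr):
    """Bare domain of an RFC 5322 address ('' when there is no address)."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def score_inbound(raw):
    """Return (score, reasons) for one raw inbound message; a real border
    filter would quarantine above some threshold. Tells checked: Reply-To on
    a different domain than From, a display name claiming our domain on a
    foreign address, link text naming one host while the href goes to
    another, and an executable attachment type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to domain differs from from domain")
    if OUR_DOMAIN in name.lower() and from_dom != OUR_DOMAIN:
        reasons.append("display name impersonates our domain")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in LINK_RE.findall(html.get_content()):
            href_host = (urlparse(href).hostname or "").lower()
            shown = HOST_RE.search(text)
            if shown and shown.group(0).lower() not in href_host:
                reasons.append(f"link text {shown.group(0)} points to {href_host}")
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(RISKY_EXT):
            reasons.append(f"risky attachment {fn}")
    return len(reasons), reasons


def flag_outbound(log, max_recipients=50, max_domains=20):
    """Return authenticated senders whose volume in the (already windowed)
    outbound log looks like a compromised account: too many recipients or
    too many distinct recipient domains for one person in one window."""
    rcpts, doms = Counter(), defaultdict(set)
    for sender, rcpt in log:
        rcpts[sender] += 1
        doms[sender].add(_domain(rcpt))
    return sorted(s for s in rcpts
                  if rcpts[s] > max_recipients or len(doms[s]) > max_domains)


# Constructed sample messages (not real mail); headers kept minimal.
PHISH = b"""From: "IT Support example.com" <helpdesk@examp1e-support.net>
Reply-To: collect@mailbox-reset.biz
To: alice@example.com
Subject: Password expiring today
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Reset it at
<a href="http://mailbox-reset.biz/login">https://portal.example.com/reset</a></p>
"""
CLEAN = b"""From: Bob <bob@partner.example.org>
To: alice@example.com
Subject: Notes from today
Content-Type: text/plain; charset="utf-8"

See you tomorrow.
"""
DROPPER = b"""From: Accounts <ap@vendor-invoices.example.net>
To: alice@example.com
Subject: Invoice 4471
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please see the attached invoice.
--XX
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"

dmFyIHg9MQ==
--XX--
"""
# Constructed outbound log for one window: (authenticated sender, recipient).
OUTBOUND = ([("carol@example.com", f"c{i}@customer.example.org") for i in range(5)]
            + [("dave@example.com", f"u{i}@host{i}.example.net") for i in range(60)])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN), ("dropper", DROPPER)):
        print(label, *score_inbound(raw))
    print("outbound accounts to lock:", flag_outbound(OUTBOUND))
```

The heuristics are the "tell-tale signatures" the text refers to, and they are deliberately cheap so they can run on every message at the border. A production gateway would combine them with the results of SPF, DKIM and DMARC checks and with sender-reputation feeds, and the outbound side would feed straight into locking the flagged account, since every minute a compromised mailbox keeps sending is a minute closer to the blacklisting described above.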