How Cybersecurity Practices Can Prevent Phishing

By Rex Johnson

Phishing has evolved into one of the most notorious and effective cyber threat tactics of recent years. Phishing is the malicious practice of impersonating a reputable source, whether by email, SMS text message (smishing), or even phone call (vishing), to trick the recipient into revealing information or taking a harmful action.


What is the major intention of phishing in cybersecurity?

Phishing is typically one step in a larger attack plan: the aim is to extract data such as passwords and other credentials, credit card numbers, bank account details, and other sensitive information, and then use it to gain access to other protected data, networks, or accounts. Phishing has become so pervasive that no single security control is an effective form of protection on its own.

Phishing is an evolving threat that follows market trends and consumer behavior, and campaigns are often tailored to a specific target group.


Some of the most common phishing tactics used by hackers include:


  • Sending the recipient an email containing a malicious link. If the link is clicked, it redirects the recipient to a look-alike website that harvests credentials, or to a page that delivers malware, bypassing the organization's perimeter controls.
  • Delivering a trojan (malware disguised as a legitimate attachment or advertisement) in an email sent to a targeted group of people. Once run, the trojan gives the intruders a foothold inside the enterprise from which to exploit weaknesses and extract sensitive data.
  • Spoofing the sender address so the message appears to come from a trustworthy source, tricking the recipient into opening an attachment or clicking a particular link.


Often, these phishing emails are crafted to create a sense of urgency in the recipient. For example, one pretending to be from human resources stating that your new payroll deduction has been approved will get your attention, and one from your boss about the results of your performance evaluation is designed to make you respond in haste. In either case the intent is to get you to click the link in the email, and so trigger the malicious code or hand over your credentials, before you stop to think.
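The link-based tricks described above can be checked mechanically. The following Python script is an added example, not code from the original article or from CAI: it takes the subject and HTML body of a message and reports the tell-tale signs of a phishing email, namely anchor text that shows one domain while the href points at another, destination domains that mimic a trusted domain (typo-squats such as examp1e.com, or a trusted name buried in a subdomain of an attacker's host), plain-HTTP or raw-IP destinations, and the urgency phrases discussed above. The trusted-domain list, the urgency phrase list and the sample payroll message are constructed for illustration.

```python
"""Flag the phishing indicators described above in a single message.

Added example; not code from the original article. TRUSTED_DOMAINS,
URGENCY_PHRASES and the sample message are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains this organisation treats as legitimate (constructed list).
TRUSTED_DOMAINS = {"example.com", "bank.example"}

# Phrases phishing emails use to rush the reader (constructed list).
URGENCY_PHRASES = ("approved", "immediately", "within 24 hours", "suspended",
                   "urgent", "verify your account", "action required")

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a real filter would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host):
    """True if host mimics a trusted domain without being one."""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return False
    # Typo-squat: within two edits of a trusted domain (examp1e.com, exarnple.com).
    if any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        return True
    # Trusted name used as a subdomain of the attacker's host (example.com.evil.net).
    return any(host.lower().startswith(t + ".") for t in TRUSTED_DOMAINS)


def analyze_email(subject, html_body):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    findings = []
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        parts = urlparse(href)
        host = parts.hostname or ""
        # 1. The visible text names one domain while the link goes to another.
        shown = DOMAIN_RE.search(text.lower())
        if host and shown and registrable_domain(shown.group(0)) != registrable_domain(host):
            findings.append(f"link text '{text}' hides destination {host}")
        # 2. The destination mimics a trusted domain.
        if host and is_lookalike(host):
            findings.append(f"look-alike domain {host}")
        # 3. Plain HTTP or a raw IP address as destination.
        if parts.scheme == "http" or re.fullmatch(r"[\d.]+", host):
            findings.append(f"insecure or raw-IP destination {href}")
    # 4. Urgency language in the subject or the body text (tags stripped).
    haystack = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: the 'payroll deduction approved' lure mentioned above.
SAMPLE_SUBJECT = "Action required: your new payroll deduction has been approved"
SAMPLE_BODY = """<p>Please review the change within 24 hours.</p>
<p><a href="http://payroll.examp1e.com/login">https://payroll.example.com/benefits</a></p>
<p><a href="https://bank.example/statements">Your statement</a></p>"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_SUBJECT, SAMPLE_BODY):
        print("-", finding)
```

Run against the sample, the script reports all four indicators for the first link and the urgency wording, and nothing for the genuine bank.example link. The registrable-domain helper is deliberately simple (last two labels); a filter used in production should resolve the registrable domain with the Public Suffix List so that hosts under co.uk and similar suffixes are compared correctly.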

How can we defend ourselves against phishing attacks? Here are some easy-to-understand and easy-to-follow phishing prevention techniques.


Eight simple but effective ways to defend yourself and your company from phishing attacks:


  1. Educate Your Workforce

Educating your staff about phishing should be a priority. Attackers target less experienced employees, relying on the fact that they are less familiar with cyber theft techniques and can easily be intimidated by an email that appears to come from senior management. Still, even the most experienced employees can fall for phishing; people who multitask and click on email links while doing other things become victims. By educating staff about phishing, its techniques, and how to recognize and report malicious emails, an organization can reduce the risk. Companies can also run periodic phishing awareness programs, including simulated phishing campaigns, to keep employees updated, alert, and informed.


  2. Mandate Strong Passwords or Passphrases

One of the easiest, most economical, and most effective ways to limit the damage from stolen credentials is to make passwords hard to guess: every password should be unique and strong. Mandatory rotation every 90 days was long the standard advice, but current guidance (NIST SP 800-63B) recommends against forced periodic changes, because they push users toward predictable variations; instead, require a change whenever there is evidence the credential has been compromised, which is exactly what a successful phish produces. Another approach is to mandate that your workforce use a passphrase instead of a password. Passphrases are easier to remember than a random grouping of letters, numbers, and symbols, and their extra length makes them harder to crack by brute force. Employees should also never reuse the same or similar passwords or passphrases across multiple sites, since a password phished from one site will be tried against the others. Keep in mind that a strong password offers no protection once the user has typed it into a phishing page; pair it with multifactor authentication (see Restrict Access To Sensitive Data below).


  3. Maintain Patches On Key Systems

Cyber crime is an ever-evolving industry that takes advantage of the latest technology trends, consumer behavior, and software weaknesses. Enterprises must stay a step ahead of attackers to minimize cyber theft. This requires applying security patches on a regular schedule (monthly at a minimum, and faster for actively exploited vulnerabilities) to operating systems, browsers, and email clients in particular, since a phishing link or attachment often relies on an unpatched flaw to run its payload, along with continuous attention to newly trending attacks.


  4. Create Verification Policies For Employees Before They Share Any Data

Often, malicious actors try to obtain information or payments through a follow-up phone call or email. Organizations should implement a mandatory verification policy that spells out the steps employees must complete before sharing any data or files, changing payment details, or transferring funds. Employees should be trained not to respond right away, and to confirm any such request through a separate, known-good channel, for example by calling the requester or the department head at a number already on file rather than one supplied in the message.


  5. Increase Email Security

Email is one of the most preferred attack vectors for cyber criminals. Enterprises should continuously monitor and enforce stringent information security controls to block malware delivered by email. This includes scanning inbound messages, links, and attachments for malware, and publishing and enforcing the sender-authentication standards (SPF, DKIM, and DMARC) that let a receiving server reject messages forging your own domain. These controls block fraudulent emails and attachments, blocklisted sending domains, and known-malicious links before they reach any inbox.


  6. Deploy Spam Filters

Spam filtering is another useful way to proactively detect viruses, empty or forged senders, malicious messages, and suspicious outbreaks. Phishing emails caught by the filters can be quarantined and dealt with through the right set of actions before they spread to more mailboxes within the organization.
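Both the "spoofing the sender address" tactic listed earlier and the filtering described in the last two tips come down to one question: did the message really originate from the domain shown in the From header? The script below is an added example, not from the article and not any vendor's filter, of the DMARC-style check a gateway or spam filter applies. It reads the Authentication-Results header that the receiving mail server stamps on the message (RFC 8601), trusts only the header bearing our own gateway's identifier, and delivers the message only if SPF or DKIM passed for a domain aligned with the From domain; a message that forges one of our own domains is rejected, and other unauthenticated mail is quarantined. The gateway identifier mx.example.com, the protected-domain list and the three sample messages are constructed.

```python
"""DMARC-style sender check on a raw message, as a spam-filter rule.

Added example; not code from the original article or any vendor's filter.
It reads the Authentication-Results header (RFC 8601) stamped by the
receiving gateway, trusts only the header carrying our gateway's identifier,
and delivers only if SPF or DKIM passed for a domain aligned with the From
header. AUTHSERV_ID, PROTECTED_DOMAINS and the sample messages are constructed.
"""
import email
import re
from email import policy, utils

AUTHSERV_ID = "mx.example.com"         # our own gateway's authserv-id (assumption)
PROTECTED_DOMAINS = {"example.com"}    # domains we own; forging them is never legitimate

_CLAUSE_RE = re.compile(r"\s*(spf|dkim|dmarc)=(\w+)(.*)")
_DOMAIN_RE = re.compile(r"(?:header\.d|smtp\.mailfrom|header\.from)=(?:[^@\s]+@)?(\S+)")


def auth_results(raw):
    """Return {method: (result, domain)} from our gateway's Authentication-Results header."""
    msg = email.message_from_string(raw, policy=policy.default)
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(str(value).split())          # unfold and normalise whitespace
        authserv, _, clauses = value.partition(";")
        if authserv.strip() != AUTHSERV_ID:
            continue   # a sender can prepend a forged header; ignore anyone else's verdict
        results = {}
        for clause in clauses.split(";"):
            m = _CLAUSE_RE.match(clause)
            if m:
                method, result, props = m.groups()
                dom = _DOMAIN_RE.search(props)
                results[method] = (result.lower(), dom.group(1).lower() if dom else "")
        return results
    return {}


def from_domain(raw):
    """Domain of the RFC 5322 From header, the one the recipient actually sees."""
    msg = email.message_from_string(raw, policy=policy.default)
    return utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def aligned(a, b):
    """Relaxed DMARC alignment: same registrable domain (approximated by the last two labels)."""
    tail = lambda d: ".".join(d.split(".")[-2:])
    return bool(a) and bool(b) and tail(a) == tail(b)


def classify(raw):
    """Return 'deliver', 'quarantine' or 'reject' for one raw RFC 5322 message."""
    fd = from_domain(raw)
    ar = auth_results(raw)
    spf_res, spf_dom = ar.get("spf", ("none", ""))
    dkim_res, dkim_dom = ar.get("dkim", ("none", ""))
    if (spf_res == "pass" and aligned(fd, spf_dom)) or (dkim_res == "pass" and aligned(fd, dkim_dom)):
        return "deliver"
    if fd in PROTECTED_DOMAINS:
        return "reject"       # our own brand forged: the classic internal HR or boss lure
    return "quarantine"       # unauthenticated external mail: hold for review


# Constructed samples. LEGIT passes SPF and DKIM for the From domain; SPOOFED
# carries a forged Authentication-Results header ahead of ours and was really
# sent through a bulk mailer; UNAUTHENTICATED is external mail with no SPF/DKIM.
LEGIT = """From: HR <hr@example.com>
To: alice@example.com
Subject: Benefits enrollment
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=hr@example.com;
 dkim=pass header.d=example.com

Enrollment opens Monday.
"""

SPOOFED = """From: HR <hr@example.com>
To: alice@example.com
Subject: Your new payroll deduction has been approved
Authentication-Results: evil.example.net; spf=pass smtp.mailfrom=hr@example.com
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce@bulk-mailer.net;
 dkim=fail header.d=example.com

Click here to review: http://payroll.examp1e.com/login
"""

UNAUTHENTICATED = """From: Vendor <billing@vendor-example.org>
To: alice@example.com
Subject: Invoice 4471
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=billing@vendor-example.org; dkim=none

Please find the invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("unauthenticated", UNAUTHENTICATED)):
        print(f"{name:16s} -> {classify(raw)}")
```

The check only trusts a verdict written by our own gateway, because anyone can add an Authentication-Results header before the message reaches us; a compliant gateway also strips any pre-existing header that claims its own identifier. The SPF pass in the spoofed sample is genuine, but it is for bulk-mailer.net, not for the example.com shown to the recipient, which is exactly the alignment gap that DMARC exists to close.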


  7. Restrict Access To Sensitive Data

Giving all employees unlimited and unprotected access to sensitive data causes serious problems, especially when that access is not required to perform their job function: a single phished account then exposes everything. Restrict access to only those who need it. An organization can also implement time-bound access (limiting access to certain time periods) and multifactor authentication to further safeguard against unauthorized access. Prefer phishing-resistant MFA such as FIDO2 security keys where possible, since one-time codes can themselves be phished through a relay page.
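As an added illustration of time-bound, MFA-gated access (not from the article; AWS IAM is chosen here as the platform, and the bucket name and dates are constructed), this policy statement grants read access to a payroll archive only during a one-week window and only when the caller authenticated with MFA. Outside the window, or from a session without MFA, the same identity gets nothing, so a phished password alone is not enough:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PayrollArchiveReadRequiresMfaAndWindow",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-payroll-archive",
        "arn:aws:s3:::example-payroll-archive/*"
      ],
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" },
        "DateGreaterThan": { "aws:CurrentTime": "2024-03-01T00:00:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2024-03-08T00:00:00Z" }
      }
    }
  ]
}
```

All condition keys in one statement must hold together. Note that aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, which makes the Bool test evaluate false and the Allow not apply; that is the right outcome for an Allow statement, but a Deny written the same way would need BoolIfExists to catch those requests.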


  8. Deploy Web Filters And Encryption

Deploying web filters within the organization's network blocks known malicious websites, including the credential-harvesting pages that phishing links point to, even when a user does click. All sensitive data should also be encrypted, in transit and at rest, as a second layer of security in case the data is compromised. With remote working embraced by most IT organizations, it has become necessary to protect digital assets in the same fashion as they were protected earlier within the office intranet.


About Us:

CAI’s cybersecurity analysts work with you directly to map out security solutions that align with your most important criteria, including impact, timing, resource availability, deployment, and financial considerations.


About the Author...


Rex Johnson is the CAI Cybersecurity Director & Practice Leader. He is a retired Lieutenant Colonel in the US Army, has over 30 years of senior-level experience, and holds the CISSP, CISA, CIPT, PMP, and PCIP certifications.

