Cybersecurity

How cybersecurity practices can prevent phishing

Phishing has evolved as one of the most notorious and highly effective cyber threat tactics in recent times. Phishing is the malicious practice of impersonating a reputable source in the form of email, SMS text messages, or even phone calls.

Rex Johnson professional photo

Rex Johnson

Executive Director, Cybersecurity

banner image

What is the major intention of phishing in cybersecurity?

Phishing is typically part of a larger attack plan to extract data like passwords, credentials, credit cards, bank account details, and other sensitive information. The purpose is to use the extracted information to gain access to other protected data, networks, or accounts. Phishing has become so pervasive that one security protocol alone would not be an effective form of protection.

Phishing in cybersecurity is an evolving threat that is highly dependent on market trends and consumer behavior and is often targeted at a specific recipient target base.

Some of the most common phishing tactics used by hackers include:

  • Sending the recipient an email with an infected link. If the link is selected, it will redirect the recipient to an unsecured website or network and compromise the cybersecurity measures.
  • Installing a trojan (a virus hidden within an attachment or advertisement) in a malicious email sent to a targeted group of people. This trojan allows the intruders to exploit loopholes within an enterprise and extract sensitive data.
  • Masquerading the sender address as a trustworthy source and tricking the recipient into opening an attachment or clicking a particular link.

Often, these phishing emails are sent to invoke a sense of urgency with the recipient. For example, one pretending to be from human resources stating that your new payroll deduction has been approved will get your attention. Or one from your boss on the results of your performance evaluation is designed to make you respond in haste. With the intent to get you to select the link in the email and release the malicious code.

How can we defend ourselves from phishing attacks? Let’s learn some easy-to-understand and easy-to-follow phishing prevention techniques.

Eight effective ways to defend yourself and your company from phishing attacks:

  1. Educate your workforce

    Educating your staff regarding phishing should be a priority. Hackers target less experienced employees through phishing, relying on the fact that they are not so well versed with cyber theft techniques and can easily be intimidated by an email from senior management. Still, even the most experienced employees can fall for phishing. For example, when people multi-task and click on email links while they are doing other things, they become victims. By educating your staff about phishing, its techniques, and how to recognize malicious emails, an organization can reduce the risk. Companies can also organize phishing awareness programs to keep employees updated, alert, and informed.

  2. Mandate strong passwords or passphrases

    One of the easiest, most economical, and effective techniques for evading cyber theft is to make passwords difficult to guess. This can be done by routinely updating credentials, generally every 90 days. The passwords should be unique and strong. Another approach is to mandate your workforce to use a passphrase instead of a password. Passphrases are easier to remember than a random grouping of letters, numbers, and symbols and have been proven to be harder to crack. It is also advised to not use same/similar password or paraphrases for multiple sites.

  3. Maintain patches on key systems

    The cybercrime industry is ever evolving, taking advantage of the latest industry trends, consumer behavior, and industry loopholes. Enterprises should understand that they must be one step ahead of hackers to minimize cyber theft. This requires periodic (recommended monthly) updates to security patches and continuous attention paid to new trending cyber-attacks.

  4. Create verification policies for employees before they share any data

    Often, malicious actors try to get information through other means, like a phone call or email. Organizations should implement a mandatory verification-seeking policy that outlines the requirements and tasks employees must complete before sharing any data, information, funds transfer, file sharing, etc. Employees should be trained to resist responding right away and personally call or check with the department head or supervisor about any such request.

  5. Increase email security

    Email is one of the most preferred attack vector for cyber criminals. Enterprises should continuously monitor and reinforce stringent information security protocols to restrict malware attacks. This can be in the form of installing virus/malware scanners for emails, links, downloads, etc. These programs actively block fraudulent emails/attachments, blacklisted email domains, and links to enter any inbox.

  6. Deploy SPAM filters

    This can be another useful way to proactively detect viruses, blank senders, malicious drafts/emails, or suspicious outbreaks. Phishing emails can be caught in the filters and effectively dealt with the right set of actions before they cascade further in various emails boxes within the organizations.

  7. Restrict access to sensitive data

    Offering all employees unlimited and unprotected access to sensitive data can cause serious issues especially if that access is not required to perform their job functions. Restrict access to only those who need it. An organization also can implement time-bound access (limiting access to certain time periods) and multifactor authentication to further safeguard against unauthorized access.

  8. Deploy web filters and encryption

Deployment of web filters within the organization’s security network significantly enables filtration and blockage of malicious websites. Also, all sensitive data should be encrypted to apply a second layer of security in case the data is compromised. With remote working being embraced by most of the IT organizations, it has become necessary to protect their digital assets in the same fashion as they were being protected earlier within the intranet of the office.

About Us

CAI’s cybersecurity analysts work with you directly to map out security solutions that align with your most important criteria, including impact, timing, resource availability, deployment, and financial considerations. Get a customized cybersecurity assessment according to your organization’s requirements.

Related resources

Webinar On-Demand

New talent, proven procedures

Recorded LinkedIn Live event with CAI: Finding the right talent and implementing proven procedures are the first critical steps to improving your cybersecurity posture.

View this resource →
Thought Leadership

Prevailing cybersecurity threats on the U.S. water sector

The US government recently provided guidance to enhance cyber resilience in the water and wastewater (WWS) sector. This article will provide some insight into how to access your cybersecurity status and improve operations and incident response.

View this resource →
Article

How local governments can get ahead of their threat opponents

Read our expert opinion on cyberattacks and concerned cybersecurity measures in conversation with the Center for Digital Government.

View this resource →

Let's talk!

Interested in learning more? We'd love to connect and discuss the impact CAI could have on your organization.

All fields marked with * are required.
Please correct all errors below.
Please agree to our terms and conditions to continue.

For information about our collection and use of your personal information, our privacy and security practices and your data protection rights, please see our privacy policy and corresponding cookie policy.