How to Detect Phishing Attacks on Your Company’s IT Network
The IT network is the communications backbone of any organization. It’s difficult to imagine any competitive, modern-day business not concerned about the increasing number and severity levels of cyber threats. Security Awareness Training is now a priority for many decision-makers and understandably so.
According to Verizon’s annual Data Breach Investigations Report (DBIR) for 2019, phishing is the fifth most common primary cause of security incidents; when it comes specifically to data breaches, however, phishing is the number one cause.
- Phishing is the most significant cyberthreat to organizations across the world; it is prevalent in the early and middle stages of attacks and less common in later stages. It is the first step in nearly 20% of security incidents, plays a part in the middle of a further 20%, and is the last step in 10% of incidents.
- Such attacks are among the more common security challenges faced by individuals and companies. They involve obtaining credit card information, passwords and other sensitive information through emails, social media or phone calls in order to steal valuable data.
- Phishing had the highest success rate of all threat vectors and was the primary weapon in 32% of all data breaches. Other attack vectors such as malware and stolen credentials often go hand in hand with phishing, so many more breaches involved a phishing component.
Phishing susceptibility is down by 22% over six years among organizations that in all likelihood had anti-phishing programs in place. That is an improvement, but a lot remains to be done. That’s why 76% of companies now put their entire workforce through Security Awareness Training.
Let’s take a quick look at common phishing techniques, how you can detect these attacks, and what steps can be taken to protect yourself and your employees.
Common Phishing Techniques
- A link embedded in an email that redirects your employee to an unsecured website requesting sensitive information.
- A Trojan installed via a malicious email attachment or advertisement, allowing the intruder to exploit loopholes and gain access to sensitive information.
- An email whose sender address is spoofed to appear to come from a reputable source, requesting sensitive information.
- An attempt to extract company information over the phone by impersonating a known individual, a vendor or the technology department.
How to Detect Phishing Attacks?
Identify Fake Email Addresses: These addresses try to lull end users into a sense of legitimacy, comfort and security. The domain from which you’re receiving the email must make sense. Check whether it is consistent with the company’s domain.
A legitimate, original email domain will always match the organization’s website domain. If the domain is different from what one would type into a web browser to reach the website, it is likely a fake email address.
Identify Fake Websites: Pay attention to the web browser address bar. Check whether your connection is secure by looking at the left side of the address bar. Chrome and Firefox users should see a padlock icon, which indicates that the connection is encrypted (though not, by itself, that the site is genuine).
Internet Explorer users should delete all cookies and search history, and install Firefox or Chrome. Also, check whether the URL makes sense. URLs may be deliberately masked by incorporating special characters or letters that resemble those of the actual website. Use the same techniques to identify fake websites as you would to detect fake email addresses.
Do not click a link that you have received in an email. Verification is necessary even if an address book contact is emailing you. Email or call the contact before clicking. If emailing, always start a new email (rather than replying) to ask whether the previous email was legitimate.
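As an added illustration of the two checks above (example code, not part of the original post), the following Python script classifies a sender address or a link against the organization’s own domain, flagging look-alike spellings, punycode host names, and messages or links that show the real domain name while actually pointing somewhere else. The trusted domain and the confusable-character table are constructed for the example and should be replaced with your own.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed for this example: the organization's own domain(s). Replace with yours.
TRUSTED_DOMAINS = {"example.com"}

# Illustrative subset of look-alike substitutions: digits, letter pairs and
# Turkish/Greek/Cyrillic letters that render almost identically to ASCII.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "ı": "i", "ο": "o", "а": "a", "е": "e"}

def extract_domain(value):
    """Return the lowercase host from an address ("Name <user@host>") or a URL."""
    v = value.strip().lower()
    if "://" in v:                       # a link: drop scheme, userinfo, port and path
        host = v.split("://", 1)[1].split("/", 1)[0]
        host = host.rsplit("@", 1)[-1]   # http://example.com@other.test really goes to other.test
        return host.split(":", 1)[0]
    return v.rsplit("@", 1)[-1].strip("<> ")

def skeleton(domain):
    """Fold confusable characters so that examp1e.com and example.com compare equal."""
    d = unicodedata.normalize("NFKC", domain)
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def is_trusted(host):
    """True for the organization's domain itself or any of its subdomains."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)

def assess(value):
    """Classify a sender address or link. Returns (verdict, host, reason)."""
    host = extract_domain(value)
    if is_trusted(host):
        return ("trusted", host, "host matches the organization's domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", host, "internationalized (punycode) host name")
    folded = skeleton(host)
    for t in TRUSTED_DOMAINS:
        if t in value.lower():           # our name is shown, but the real host differs
            return ("suspicious", host, f"shows {t} but actually points at {host}")
        if folded == skeleton(t) or folded.endswith("." + skeleton(t)):
            return ("suspicious", host, f"look-alike of {t}")
        ratio = SequenceMatcher(None, folded, skeleton(t)).ratio()
        if ratio >= 0.8:                 # one-letter swaps and transpositions
            return ("suspicious", host, f"close to {t} (similarity {ratio:.2f})")
    return ("unknown", host, "not one of the organization's domains")

if __name__ == "__main__":
    for sample in ["Alice <alice@example.com>", "https://examp1e.com/login",
                   "support@example.com.verify-account.net", "news@exampel.com"]:
        print(sample, "->", assess(sample))
```

A verdict of "unknown" is not a pass: it only means the host is neither yours nor an obvious imitation of it, so the manual checks described above still apply.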
Necessary Steps for Protection Against Phishing
- Enroll yourself and your employees in Security Awareness Training courses from established IT training solutions providers, preferably CompTIA Authorized Partners.
- Educate them and conduct sessions with mock phishing scenarios.
- Deploy a spam filter to detect viruses and blank senders.
- Keep your systems updated with the latest security patches.
- Install antivirus solutions and monitor the status of all equipment.
- Develop a security policy that covers, among other things, password expiration and complexity.
- Deploy a filter for blocking malicious websites.
- Encrypt all sensitive information.
- Convert HTML email to text-only messages, or disable HTML email altogether.
Informed employees make smart data protection decisions and reduce security risks. Effective data protection practices depend on their actions and behavior.
The Security Awareness Training Course from NetCom Learning builds awareness of critical security policies, procedures and behaviors by using a creative and stimulating approach to engage and challenge the learner. This training course will act as the foundation of your organization’s robust security structure.
Sources: Verizon’s annual Data Breach Investigations Report (DBIR) and CompTIA.