83% of organizations say they experienced phishing attacks last year, and the amount that experienced them but weren’t aware pushes this number even higher. An estimated 97% of people cannot identify a phishing scam. Relying on your employees to identify and recognize phishing scams isn’t a solid enough approach to protection. So how can you as an organization prevent phishing? How can you avoid relying on your employees to prevent a breach?
3 Types of Email Phishing
To protect yourself and your company against phishing, you first need to understand the three types of email phishing you’re likely to run into. Each relies on the same methods to fool you and your employees. The solution to protecting yourself is different for each type.
This is the most common type of phishing. And hackers cast a pretty wide net when going this route. Phishing from an external account is when you get an email from someone pretending to be someone else from an email address you don’t recognize. Say your boss or company CEO uses the email email@example.com. A phishing email from an external account might come from firstname.lastname@example.org or email@example.com.
The solution to stopping this method in its tracks is relatively easy. Organizations can configure their email system to flag external senders when they show up in their inboxes. For Gmail, this might show a big yellow banner as you open the email, warning you that this email came from an external source. Microsoft usually flags the email’s subject line, marking it as “[EXTERNAL] subject line.” No matter the look, the purpose is the same; giving your employees a red flag when an external email hits their inbox.
A bit more sophisticated, phishing from a spoofed account still originates from an external mail server, but it modifies the email header and signature to emulate an internal mailing address. These are a bit more difficult to spot at first glance, but thankfully we have a few solutions to block these emails from hitting your inbox.
SPF, DKIM, and DMARC are a triad of standards every email system should have configured. These three tools allow an email system to verify if the email is sent from that system or a trusted sender. Depending on your setup, you can have the phishing emails sent to your spam folder or blocked from your system entirely.
A quick rundown on each of these:
SPF(Sender Policy Framework) – SPF specifies the servers and domains authorized to send an email on behalf of your organization.
DKIM(DomainKeys Identified Mail) – DKIM adds a digital signature to every outgoing message, letting receiving servers verify the message came from your organization.
DMARC(Domain-based Message Authentication Reporting and Conformance) – This lets you tell receiving servers what to do with outgoing messages from your organization that don’t pass SPF or DKIM.
While every organization can and should set up this, it’s often best left to the pros. More on this later in the article!
The final type of email phishing is by far the hardest to identify. This type is when an email is sent to you from a compromised account in your email system. This isn’t someone trying to fool you into believing their email address is valid; this hacker has gained access to your account or your company’s email system. There’s no way to flag these emails as an external sender or utilize SPF, DKIM, or DMARC to block these. The hacker is often using a VPN to show their location as being right in your country or state.
The only way to stop these attacks is by awareness training. In these situations, your employees and their awareness are your last and only line of defense. Teaching your employees to recognize the common tells of a phishing email like misspelled words, poor grammar, and urgent requests will go a long way to stopping this method from penetrating your defenses. This is an essential part of preventing phishing; we’ve written an entire article on how to spot a phishing attempt.
Side Note: To prevent your account from being compromised in the first place, we can’t stress enough the importance of MFA (multi-factor authentication). By providing an extra barrier and layer of security for a hacker to work through, you can block over 99% of account compromise attacks.
How an MSP Can Help
While all organizations can and should configure their emails to prevent external and spoofed accounts from getting through, bringing in professionals can ensure you’ve set up your emails correctly. A good MSP (managed services provider) configures your email settings when they bring you on as a client and ensure your email system stays current with the continuously changing best practices surrounding cyber attacks.
Even if you have an internal IT team managing your defenses, investing in a cybersecurity audit every year from an external source is a good idea. Part of our cybersecurity audits at TSP is configuring and testing your email system to ensure it’s protected against cyber threats. Even in companies with strong internal IT teams, we often find settings that can be tweaked or defenses that can be further hardened.
Beyond just optimizing your settings and hardening your defenses, a good MSP will also regularly engage with your employees to train them on how to identify phishing scams and other cybersecurity best practices. At TSP, we’ve partnered with INFIMA to deliver cybersecurity training right to our client’s inboxes. This gives them monthly training sessions that are easy to complete and help keep them aware of current threats.
An organization’s defenses are only as strong as its weakest employee. You can get every protection optimized and every tool enabled. But part of your cybersecurity gameplan must include trust in your employees. Trust in them to recognize and act on cyber threats. If you’re unsure how well-prepared your employees and organization will be when faced with a cyber attack, get in touch with us! We’re here to help you succeed.