They’ve been a focus of attention for IT security teams for years, yet the threats posed by phishing campaigns are showing no sign of easing.
Phishing remains a popular tactic for cybercriminals for one simple reason: it works. If a staff member can be tricked into clicking on a link or opening an email attachment containing malicious code, the result can be open access to their organisation’s entire IT infrastructure.
As well as making their phishing emails look ever more authentic, attackers are also upping their game by making use of automation tools. These can significantly increase the number of emails being sent and, unfortunately, the number that are being opened.
Phishing attacks have also become much more personalised. While standard phishing email campaigns involve an attacker sending emails that appear to have come from a legitimate source, more targeted ‘spear phishing’ attacks are personalised for a particular recipient.
As well as being much more difficult to spot, spear phishing emails are also much more likely to be opened by the recipient. This is because they may appear to have come from a friend or colleague or have a subject line that appears legitimate.
Recognising an attack
There are a number of ways an organisation’s staff members can reduce their chances of becoming the victim of a phishing attack. One is to keep an eye out for requests from managers or co-workers that seem out of the ordinary.
It’s also useful to watch for misspellings and poor grammar, as these are often an indication that an email is from a bogus source. Users should also check the full email address of the sender, not just the display name, to confirm that the message really came from the person it appears to be from.
There are eight ways in which an organisation’s staff can reduce the chances they will fall victim to a phishing or spear phishing attack. They are:
- Avoid clicking on suspect links or attachments:
If there is any chance that a received email might be a phishing attack, don’t open any links or attachments associated with it. Instead, hover your mouse over the link to see whether the address it actually points to matches the one shown in the message.
- Use effective email security tools:
It’s important for an organisation to have in place email security tools that filter emails from malicious senders. Such tools evaluate whether a received email is suspicious and put the message in the spam folder or block it altogether.
- Keep web browsers updated:
IT security teams should ensure that all web browsers being used across their organisation have been updated to the latest version. This will ensure that any known vulnerabilities are fixed as quickly as possible, which is important because browsers are the first line of defence against phishing attacks.
- Constantly review password security:
Despite knowing the risks of doing so, too many people use the same password to access multiple accounts or online resources. Organisations should stress the security risks of doing this and encourage the use of password managers that make the use of unique and strong passwords much easier for staff.
- Hesitate before giving out personal information:
Staff should be encouraged to limit the amount of personal data they share online as such details can be used to craft personalised spear phishing emails.
- Always be wary of pop-ups:
Another phishing tactic used by cybercriminals is to incorporate a ‘cancel’ button within a malicious pop-up on a website. Clicking on this button will actually direct the user to a malicious site through which personal details could be harvested. It’s important to always close pop-ups using the X sign in one of the corners.
- Make multi-factor authentication standard:
To provide additional protection against phishing attacks, organisations should make multi-factor authentication (MFA) standard for all users. This will mean that, even if an attacker succeeds in capturing usernames and passwords, they still won’t be able to gain access to IT resources.
- Send suspicious emails to the IT department for examination:
Finally, if a suspicious message is received, send it to the IT department. They will be able to carefully examine it and determine what threat it might pose.
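The sender-address check and the hover-over-the-link check above can both be automated. The following is an added example, not code from the article: it flags a From header whose display name carries an email address on a different domain from the real sender, and HTML links whose visible text names a different host from the one the href actually points to. All sample values (addresses, domains, message body) are constructed for the example.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample values (not from the article); the .test TLD is reserved for examples.
SAMPLE_FROM = '"IT Helpdesk <helpdesk@example.com>" <alerts@mail.example-login.test>'
SAMPLE_HTML = """<p>Your password expires today. Sign in at
<a href="http://login.example-login.test/reset">https://portal.example.com/reset</a>
or read the <a href="https://example.com/policy">policy</a>.</p>"""

# Visible text that looks like a URL or a bare domain, with or without a scheme.
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#]\S*)?")


def host_of(text):
    """Lowercase hostname if text looks like a URL or bare domain, else None."""
    text = text.strip()
    if not URL_LIKE.fullmatch(text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname.lower()


def sender_mismatch(from_header):
    """Domains written inside the display name that differ from the real sender's domain (exact match)."""
    name, addr = parseaddr(from_header)
    real = addr.rpartition("@")[2].lower()
    return sorted({d.lower() for d in re.findall(r"[\w.+-]+@([\w.-]+)", name) if d.lower() != real})


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._buf = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._buf).strip()))
            self._href = None


def link_mismatches(html):
    """hrefs whose visible text names a URL on a different host: the 'hover over the link' check, automated."""
    p = _Links()
    p.feed(html)
    return [href for href, text in p.pairs if host_of(text) and host_of(text) != host_of(href)]
```

The domain comparison in `sender_mismatch` is exact, so a legitimate sub-domain such as mail.example.com is also reported; treat the output as a prompt for a human to check, not as a verdict.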
The threat of phishing attacks is likely to continue to increase in both number and sophistication in the months and years ahead. By taking these steps, organisations can be confident the defences they have in place will provide the best level of protection possible.