Cisco India Blog

Teach a man to Phish…


November 27, 2019


Perhaps the most famous personality to be involved in a phishing attack is John Podesta. In March 2016, the personal Gmail account of the former White House Chief of Staff and Chair of Hillary Clinton’s 2016 US Presidential campaign was compromised via a spear-phishing attack and many of his work-related emails were hacked. The compromised emails were then published on the Internet. The timing of the breach and the subsequent leaks caused a scandal during the 2016 US Presidential campaign. And the rest, as they say, is history.

In my previous blog, we covered the different kinds of attacks being launched through email. Needless to say, successful cybercrime using email can lead to calamitous outcomes for businesses. Having an effective strategy to protect against them is critical for every organization. But how do you secure something that’s both a necessity and a risk at the same time? In many organizations, the move to cloud email has been viewed as a solution – but it is far from so. The security issues don’t go away, they simply move to a different location.

Educate Users

At an organizational level, there is no substitute for raising awareness about phishing and its consequences. Users have to be alert and look for warning signs before clicking that URL or opening that attachment: the sender's email address, spelling and grammatical mistakes, requests for personal information, and a sense of urgency.

In general:

Slow Down: The average person spends 8-10 seconds scanning an email. Slow down and look for tell-tale signs that could indicate a phishing attempt.

Be careful with login requests, or any request that asks you to enter or change your credentials or personal information. Hackers go to great lengths to make their pages look legitimate.

If it sounds too good to be true, it probably is! Is the sender offering you millions of dollars? Or threatening to harm or embarrass you? If it doesn’t sound plausible, it usually isn’t.

Pay close attention to warnings: phishing and malware emails will often ask you to enable extensions or macros. These should ring your alarm bells.

Running regular phishing “drills” can be an effective way to teach users what to look for in an email. Simulated phishing exercises are a critical tool to evaluate how your workforce reacts to phishing attacks.

Strengthen Your Defenses

No single cybersecurity technology can prevent phishing attacks. Instead, organizations must take a layered approach to reduce the number of attacks and lessen their impact when they do occur. Network security technologies that should be implemented include email and web security, malware protection, user behavior monitoring, and access control.

1. Multi-factor authentication (MFA) provides an effective way to protect against stolen credentials

2. Spam defense at email security gateways to keep out unwanted email

3. Malware and URL-filtering capabilities are, similarly, critical to protect against known attacks

4. Basic DNS-level protection can provide a way to guard against redirection to malicious domains by blocking them

5. Integrated sandboxing for all new files arriving in email, to quickly analyze whether they are malicious

6. DMARC domain protection to prevent attackers from spoofing a legitimate corporate domain

7. Email security integration with the broader security portfolio

8. And lastly, keep all software up-to-date – this will help protect against known (and fixed) exploits

E-mail is an important business tool – and the one most commonly used for cyber-attacks. As with everything else in cyber-security, there is no substitute for preparation.
