Although email phishing scams have been around practically since the inception of the Internet, today’s scams are both more prevalent and more sophisticated. The rising prevalence of email phishing attacks is due in large part to the fact that they’re so successful. In fact, according to numbers published by the Canadian government, the success rates are alarming:
156 million phishing emails are sent every day
16 million make it through filters for a 10.2% delivery success rate
8 million are opened (50% success rate)
800,000 are clicked (10% success rate)
Not that long ago, phishing attempts were quite primitive and often riddled with typos and grammatical errors, so it was easier for consumers to identify when something was amiss. But those days are largely gone. Today’s phishing attempts are increasingly sophisticated, often almost exactly mimicking legitimate emails both in content and source.
Not only is spear phishing increasingly sophisticated, such attacks are also proving incredibly costly. According to a report by the Ponemon Institute, the average 10,000-employee company spends $3.7 million a year dealing with phishing attacks.
There are many security measures that organizations can put in place to reduce the effectiveness of malicious phishing emails, including technology designed to identify and block identity deception, two-factor authentication, and ongoing employee education on email best practices.
Here are eight best practices for enhanced email security:
Move up the kill chain. Phishing emails need to achieve several milestones in order to be successful. First, they have to be delivered. Second, they need to successfully deceive the user and get them to unwittingly act. Lastly, they must get the user to surrender personal information or download an attachment that contains malware. Many security solutions aim to stop criminals later in the chain, such as at the Click, Surrender, and Extract stages. But the earlier in the kill chain that controls can be inserted, the better the chance that organizations have of preventing their customers from being phished. Implementing a proactive DMARC (Domain-based Message Authentication, Reporting & Conformance) policy can break the chain at Delivery, preventing the message from ever landing in the user’s inbox.
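To make the Delivery-stage control concrete, here is an added Python example (not code from the article or from Agari) showing what a DMARC record looks like and how a receiving mail server turns it into a disposition for an incoming message. The record strings, the example.com policy domain and the attacker.test sending domain are constructed for illustration; the organizational-domain helper is a deliberate simplification (real evaluators consult the Public Suffix List), and pct sampling is noted but not applied.

```python
from dataclasses import dataclass


def parse_dmarc_record(txt):
    """Parse the tag=value list of a DMARC TXT record into a dict, applying
    the RFC 7489 defaults for the tags this example uses."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy falls back to p
    tags.setdefault("pct", "100")      # share of failing mail the policy applies to
    return tags


def organizational_domain(domain):
    """Simplification for this example: the last two labels. Real evaluators
    use the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed accepts the
    same organizational domain (mail.example.com aligns with example.com)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # "pass", "fail", ...
    spf_domain: str    # domain SPF was checked against (MAIL FROM)
    dkim_result: str
    dkim_domain: str   # d= tag of the DKIM signature


def evaluate_dmarc(policy_domain, record_txt, results):
    """Return (dmarc_result, disposition); disposition is the action the
    receiver should take: none, quarantine or reject."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, tags["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.dkim_domain, results.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = results.from_domain.lower() != policy_domain.lower()
    disposition = tags["sp"] if is_subdomain else tags["p"]
    # pct sampling is not applied here: a receiver would enforce the policy on
    # only pct% of failing messages and treat the rest as "none".
    return "fail", disposition


# Constructed records; example.com is a reserved documentation domain.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# Spoofed message: From: example.com, but relayed through an unrelated domain
# whose own SPF passes and that carries no example.com DKIM signature.
SPOOFED = AuthResults("example.com", "pass", "attacker.test", "fail", "")
# Legitimate message from the organization's own mail service.
LEGIT = AuthResults("example.com", "pass", "mail.example.com", "pass", "example.com")

if __name__ == "__main__":
    for name, record in (("monitor-only", MONITOR_ONLY), ("enforcing", ENFORCING)):
        print(name, "spoofed:", evaluate_dmarc("example.com", record, SPOOFED))
        print(name, "legit:  ", evaluate_dmarc("example.com", record, LEGIT))
```

Under the monitor-only record (p=none) the spoofed message fails DMARC but is still delivered, because the record only asks for aggregate reports; the same message is rejected once the policy moves to p=reject. The caveat a practitioner should keep in mind is what DMARC does not cover: it protects only domains that publish an enforcing policy, so mail sent from a lookalike domain the attacker controls will pass its own SPF and DKIM checks and has to be caught further down the chain.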
Enable two-factor authentication on all accounts. Two-factor authentication (also known as two-step authentication) enhances the security of a user’s login process by requiring the entry of a secure code, which is either delivered by text message to the user’s phone or via a code-generating app such as Google Authenticator. When two-factor authentication is enabled, it is not enough for a hacker to obtain a user’s login name and password; they would also have to be in possession of the user’s mobile device.
Keep informed. New phishing scams are developed every day. By staying on top of these new phishing techniques, users are much less likely to fall prey to one. IT administrators should conduct ongoing security awareness training and periodically simulate phishing scams in order to keep security top of mind throughout the organization. Employees who receive suspicious emails should immediately share the technique with co-workers.
Think before you click. Before clicking on any link or attachment in an email it should be a routine practice to pause and evaluate whether that link or attachment appears to be legitimate. A phishing email may appear to be from a legitimate company and the hyperlinks it contains might link to what looks like a legitimate website, but users should always question whether the motivation behind the requested action seems valid. Never click on links in emails that ask you to change your password or otherwise log in to your account. Go directly to the website instead.
Be a helicopter. In other words, don’t be afraid to hover. Hovering your cursor over the sender’s name in an email will bring up the sender’s complete email address, including the domain the message is sent from. If the domain seems fishy, chances are the email is fishy.
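The two checks just described, hovering over a link and hovering over the sender's name, can also be done programmatically, which is how a mail gateway or mail client surfaces them before the user looks. The following Python example is added here rather than taken from the article; it parses a constructed sample message (the domains example-login.test, mailer.test, example.net and example.com are reserved placeholder names, not real senders) and reports the same mismatches a careful user would spot: a display name that borrows the brand while the address domain does not, a Return-Path that differs from the From address, and a link whose visible text shows one host while its href points to another.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real phishing sample).
# The display name borrows the brand; the address and the link target do not.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-login.test>
Return-Path: <bounce@mailer.test>
To: customer@example.net
Subject: Please verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Verify your password at
<a href="http://example-login.test/verify">https://www.example.com/account</a></p>
<p>Questions? See <a href="https://www.example.com/help">our help page</a>.</p>
</body></html>
"""


def is_under(host, domain):
    """True when host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def address_domain(header_value):
    """The part after '@' in a From / Return-Path header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_message(raw, brand_domain, brand_keyword):
    """Return a list of findings: the sender-domain and link-target checks a
    user makes by hovering, done over the parsed message instead."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, _ = parseaddr(str(msg["From"] or ""))
    from_domain = address_domain(msg["From"])
    if brand_keyword.lower() in display_name.lower() and not is_under(from_domain, brand_domain):
        findings.append(f"display name '{display_name}' but sender domain "
                        f"'{from_domain}' is not under {brand_domain}")

    # Informational: bulk senders legitimately use a separate bounce domain,
    # but the envelope sender is what the user never sees.
    rp_domain = address_domain(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        findings.append(f"return-path domain '{rp_domain}' differs from sender domain '{from_domain}'")

    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for href, text in extractor.links:
        href_host = urlparse(href).hostname or ""
        text_host = (urlparse(text).hostname or "") if "://" in text else ""
        if text_host and not is_under(href_host, text_host) and not is_under(text_host, href_host):
            findings.append(f"link text shows '{text_host}' but points to '{href_host}'")
        elif not is_under(href_host, brand_domain):
            findings.append(f"link '{text}' points outside {brand_domain}: '{href_host}'")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EMAIL, "example.com", "example"):
        print("-", finding)
```

Run against the sample, inspect_message returns three findings. The Return-Path difference is reported on its own because legitimate mailing services often send from a separate bounce domain; the display-name mismatch and the link whose text advertises www.example.com while its href goes to example-login.test are the stronger signals, and they are exactly what hovering reveals to a user one message at a time.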
Don't be shy—pick up the phone. Personal information should never be given in an email and most organizations won’t ask for it. If you receive an email requesting personal or financial information that appears to be legitimate, don’t be afraid to call the sender and confirm that the request is authentic.
Don't get attacked by attachments. Always be wary of emails that contain attachments and think twice before clicking on them. Legitimate companies, institutions, and brands rarely send emails with attachments, so attachments should always be a red flag. If the attachment seems authentic and the sender seems legitimate, it still might be a good idea to pick up the phone and confirm that the attachment is safe.
Don't reuse passwords. Nobody likes to have unique passwords for every online account they have, but using the same password for multiple accounts can be dangerous. If you get phished or an online account is hacked, having unique passwords can limit the damage.
The complexity of today's phishing emails makes it progressively more difficult for email users to distinguish between fraudulent and genuine correspondence, highlighting the need for both preventative measures and end-user education. If malicious emails are prevented from reaching an organization's servers in the first place, then the threat is neutralized. But those that get through can also be rendered ineffective by users who know what to look for and think before they click.
If your organization is serious about preventing phishing attacks and protecting your customers as well as your brand reputation, you should be taking a two-pronged approach that includes both prevention and education.
John Wilson is the field chief technology officer at Agari, responsible for researching and utilizing the company’s advanced data security insights to drive continuous technology innovation. Prior to Agari, John served as the chief technology officer of Brandmail Solutions, where he developed the world's first authentication-based anti-phishing solution. An esteemed security expert, John is often called upon to assist major organizations in fighting cybercrime.