How do you stop employees from clicking on phishing emails?

February 27, 2020, MOQdigital

Phishing is one of the most pernicious forms of attack that there is – and it always will be. Although phishing campaigns often use advanced malware and sophisticated hacking techniques, at its core phishing requires no code at all.

In fact, the most effective new form of phishing – an attack known as Business Email Compromise (BEC) – requires no coding at all. With one-third of successful data breaches caused by phishing, educating your employees is more important than ever. Here’s what they should look out for. 

Credential theft phishing attacks 

One of the most common forms of phishing attack involves stealing a user’s credentials – this form of attack grew 70 percent in 2018. This kind of phishing usually involves something known as a “man in the middle” attack. It works like this: 

  • The target gets an email purporting to be from a service they’re subscribed to 
  • It asks them to perform an administrative task that requires their password 
  • They click a link and are taken to a fake login page 

In the most sophisticated form of this attack, the fake login page transmits the user’s real credentials to a real login page, then redirects them to their account. This means that the user has no idea that their credentials have been stolen. 

Malware-dropping phishing attacks 

This is a more classical – yet still prevalent – form of phishing. Instead of sending an email with a link to a login form, attackers send an email that looks like it’s from a colleague, a vendor, or a friend. The email carries an attachment, usually a Word document or an Excel file. When it is opened, malware embedded in the file executes, deploying ransomware, a banking trojan, or another form of malware designed to spy on your endpoint.

Business Email Compromise Redirects Payments 

BEC is a pure form of social engineering attack. Instead of using malware or phishing sites, the attacker poses as your boss, your CEO, or a vendor, and asks you to pay an invoice by wiring company funds to a designated account. Since your boss’s email looks legitimate and contains a properly formatted invoice, you have no problem doing this – but you’ve just sent money to a criminal. BEC is a dangerous form of attack because it is very easy to be fooled. Businesses lost over $1.9 billion AUD to BEC in 2018. 

To defeat phishing attacks, knowing is half the battle 

Simply knowing that these attacks exist and what they look like can help your employees resist the temptation to click on a bad link or attachment. In addition, there are a number of key signifiers:

  • The email domain and the link URL will resemble that of a legitimate sender, but the attacker won’t be able to duplicate it exactly 
  • Branding or images may be off or out of date 
  • The wording may not be exactly what your boss or colleague would use – and they react uncharacteristically if you ask questions 
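The first signifier above (the sender domain and link URL resemble, but do not exactly match, the legitimate one) is something a mail filter can check automatically. The following is an added example, not code from the original post or from MOQdigital: it takes a sender address, a message body and a list of domains the organisation trusts (all assumptions), and flags links that point away from the sender's domain or domains that are one or two characters off a trusted one. The sample emails are constructed for illustration; the two-label "registered domain" shortcut is a simplification, and a real deployment would use the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Matches http(s) URLs inside a plain-text body (constructed regex, good enough for the demo)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'login.example.com' -> 'example.com'.
    Assumption: a two-label suffix; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted or homoglyph-style domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of_address(addr: str) -> str:
    """Extract the domain part of an email address such as 'Alice <alice@example.com>'."""
    return addr.split("@", 1)[-1].strip("> ").lower()


def assess_email(from_addr: str, body: str, trusted_domains: list) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen.

    Checks performed:
      1. sender domain is a near-miss (edit distance <= 2) of a trusted domain
      2. a link in the body points to a domain other than the sender's
      3. a link domain is a near-miss of a trusted domain
    """
    findings = []
    sender = registered_domain(domain_of_address(from_addr))

    for trusted in trusted_domains:
        if sender != trusted and edit_distance(sender, trusted) <= 2:
            findings.append(f"sender domain {sender} resembles trusted domain {trusted}")

    for url in URL_RE.findall(body):
        link_dom = registered_domain(urlparse(url).hostname or "")
        if link_dom != sender:
            findings.append(f"link {url} points to {link_dom}, not the sender domain {sender}")
        for trusted in trusted_domains:
            if link_dom != trusted and edit_distance(link_dom, trusted) <= 2:
                findings.append(f"link domain {link_dom} resembles trusted domain {trusted}")
    return findings


if __name__ == "__main__":
    # Constructed sample messages, not real traffic
    samples = [
        ("alice@example.com", "Minutes are at https://example.com/docs/minutes"),
        ("it-support@examp1e.com", "Your password expires today, reset at https://examp1e.com/reset"),
        ("billing@vendor-example.com", "Invoice attached, pay at https://pay-portal.net/invoice"),
    ]
    for sender, body in samples:
        print(sender, "->", assess_email(sender, body, ["example.com", "vendor-example.com"]) or "clean")
```

Run as a script it prints one line per sample: the first is clean, the second is flagged twice (lookalike sender and lookalike link), and the third is flagged once because the payment link leaves the vendor's domain. A filter built on this idea quarantines or tags the message rather than blocking outright, since legitimate mail (newsletters, ticketing systems) routinely links to third-party domains; the near-miss check is the stronger signal.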

Frequent training with simulated phishing email campaigns can reduce the likelihood of a successful phishing attack by up to 50 percent over time, but this isn’t the only step you can take. Admins need to implement robust email filters, then reverse-engineer any email that gets through the filters in order to continually reinforce their defenses.

Resist phishing attacks with MOQ 

If you’re curious about how to build strong email defenses and train your employees, the time to act is now – before a phishing attack can strike. Talk to MOQdigital today and learn how we can help.