3 Ways to Minimize the Risk From Phishing Attacks
Phishing was already a problem before we all moved to remote work, and it’s only increasing in impact and frequency now that workers are all at home. Many common ways that people could defend against phishing attempts aren’t as easy any more - you can’t just walk down the hall to ask Mary in Accounting if she actually sent you a spreadsheet you didn’t ask for. Now that we’re all behind screens at home, people also can feel a little reluctant to email or send a chat message to ask about something strange. Often, we don’t want to interrupt our coworkers, or feel like it’s silly to even ask when it’s not as fast as leaning over a cubicle wall.
Accepting a little awkwardness or taking some extra time to check things is worth it, though, when you consider how devastating the impact of a successful phish can be. According to the FBI's 2019 Internet Crime Report, individuals lost more than $57.8 million to phishing and its variants that year, and organizations have been losing much more: the Target retail data breach, which began with credentials phished from a third-party HVAC vendor, cost the company $162 million. Phishing is one way attackers deploy malware, gain access to systems they shouldn't, and otherwise get in and do far more damage than you'd expect from something as simple as a compromised set of login credentials.
Fortunately, you can take steps to drastically reduce how likely your workforce is to fall for a phishing attack, as well as guard your organization if a phishing attack does succeed.
1: Have Clear Communication Throughout the Organization
This is more than just "the CEO lets you know what's happening in your monthly all-hands meeting". It is about ensuring everyone knows who they should talk to about what. Communication from each department should be consistent, predictable, and hold no surprises.
When you make it clear that messages from the accounting team always follow a certain format or always have a small group CC'd, you cut down on the chances that someone will accept a one-off message from a spoofed email address. It also means a phone call that bypasses the normal process comes across as odd, and prompts the recipient to ask questions.
This is especially true for letting staff know how to expect communication from senior executives, particularly the CEO. A common, low-effort tactic is to put the CEO's name in the display name of the "From" field (the actual address behind it is often a free webmail account) and send a short message asking an employee to "grab something really quick". If it's drilled into everyone at every level that the CEO always makes purchase requests a certain way, and never with gift cards, this type of phish will always fail, even if your mail filter doesn't block it.
Establishing this type of clear communication and ensuring everyone is aware of what the expected communication channels are requires the next method for minimizing phishing risks.
2: Train Your Workforce to Recognize Probable Phishing Attempts
You can’t expect anyone to know what to expect or how to handle a phishing attempt without telling them what the expectations are in the first place. Training and education are essential in setting up your entire workforce to recognize and know what to do if a phishing attempt is made.
Training or education doesn't have to be a full-day, bootcamp-style affair made up of drills and memorization. It can be as simple as reaffirming that the team manager is always the one who distributes XYZ, or that all access requests for new software go through the IT ticketing system. It should also be part of onboarding: let your team know that all purchase requests are always handled the same way, and that no senior executive would ever ask them to buy something directly.
As ongoing education, you can host 30 - 45 minute workshops that help people learn to recognize probable attempts. If the sender's address isn't an organizational address, or there are misspellings, these are red flags warning you to pay closer attention to the email. Teach people that the display name is not the address: expanding the sender in the mail client shows the real address behind a familiar name, and a look-alike domain (one character swapped or added) is a red flag in its own right.
You should also teach your employees that it’s okay to be inherently skeptical about communications that are unusual. Many of us default to being helpful and kind, and it can feel strange to respond to a seemingly innocuous request with a phone call to ask "did you really send me that?"
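The two red flags described above, a familiar name over an unfamiliar address and a look-alike or external sender domain, can also be checked mechanically before a message reaches an inbox. The following is an added example written for this post, not code from the original or from any vendor; it assumes a hypothetical company domain of example.com, a hypothetical executive roster (a real deployment would read both from the directory), and constructed sample headers. It also flags a Reply-To that differs from the From address, the usual companion to a spoofed internal sender.

```python
"""Flag display-name impersonation and look-alike sender domains.

Added example for this post; not GoVerifyID code. The domain, roster and
sample message below are assumptions constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed organisation domain and a hypothetical executive roster; a real
# deployment would pull these from the directory rather than hard-code them.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # hypothetical CEO
    "sam lee": "sam.lee@example.com",     # hypothetical CFO
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name: str) -> str:
    """Lower-case, strip accents and collapse whitespace so 'Jané  Doe' still matches."""
    stripped = "".join(c for c in unicodedata.normalize("NFKD", name)
                       if not unicodedata.combining(c))
    return " ".join(stripped.lower().split())


def analyze_sender(from_header: str) -> list[str]:
    """Return the red flags raised by a single From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []
    if domain != COMPANY_DOMAIN:
        flags.append("external-sender")
        if not domain.isascii():
            # Homoglyph domain, e.g. a Cyrillic 'a' standing in for a Latin one.
            flags.append("non-ascii-domain")
        elif 0 < levenshtein(domain, COMPANY_DOMAIN) <= 2:
            flags.append("lookalike-domain")
    # Familiar name, wrong address: the "CEO name in the From field" tactic.
    expected = EXECUTIVES.get(normalize_name(display))
    if expected and addr != expected:
        flags.append("display-name-impersonation")
    return flags


def analyze_message(raw: str) -> list[str]:
    """Flag From: problems plus a Reply-To that redirects answers elsewhere."""
    msg = message_from_string(raw)
    flags = analyze_sender(msg.get("From", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample, not a real capture: the From address is spoofed to look
# internal, so only the Reply-To gives the game away.
SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@gmail.com
To: pat@example.com
Subject: quick favour

Are you at your desk? I need you to grab something really quick.
"""

if __name__ == "__main__":
    print(analyze_sender("Jane Doe <jane.doe@example.com>"))      # []
    print(analyze_sender("IT Helpdesk <helpdesk@exarnple.com>"))  # ['external-sender', 'lookalike-domain']
    print(analyze_message(SAMPLE))                                  # ['reply-to-mismatch']
```

The From-only check passes the sample message, which is the point of the last case: a spoofed internal sender looks clean until you compare it with where replies actually go. Header checks like these complement, rather than replace, the "did you really send me that?" phone call.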
There's also another way to make it easy to verify who people are when communicating internally, and to make a stolen password far less useful to an attacker.
3: Make Phishing Next to Impossible with Biometric MFA
Spear phishing and more sophisticated phishing attacks are aiming to get more from a company than a bundle of eBay gift cards: these attempts are trying to gain access to key systems. They're trying to steal data, gain access to more credentials, install malware or ransomware, and otherwise wreak havoc on your business's operations.
One effective way to ensure the entire organization against this is to replace passwords with a biometric authentication method. With a tool like GoVerifyID, you install an Active Directory plugin, and using the same methods you already use to manage access across the organization, you can require one or more biometric modalities to log in.
You end up with users who access email, Slack, or other applications with a simple voice prompt, palm scan, or facial authentication rather than passwords. This has the dual effect of being faster than password management and of making a stolen password useless on its own. Someone who successfully phishes an admin's email password would still be unable to get in if the default access requires a facial scan or some other form of biometric authentication. The practitioner's caveat is that the requirement has to cover every login path: if VPN, webmail, or a legacy protocol still accepts a password alone, that is the path an attacker will use.
While yes, there are people who spend their days developing ways to spoof biometric authentication methods, doing so takes a lot of effort and time. Unless you're Coca-Cola guarding your secret recipe, common spoofing methods such as deepfake videos or silicone masks are an unlikely risk scenario. Even then, you can opt for GoVerifyID to use Biointellic on all facial authentications, and its iBeta-certified anti-spoofing technology (presentation attack detection) means even a deepfake or silicone mask isn't going to fool the system.
Be Prepared Against Phishing
Remote or in person, making sure your entire organization is on guard against phishing attempts is in everyone’s best interest.
While education and training are ideal long term solutions, as they build a culture of cybersecurity awareness, you can protect even your least security-minded employee from phishing with GoVerifyID.
We have multiple resources available for your IT team to explore, including how to install it on your domain controller with a live demo, and a new webinar showing how to integrate GoVerifyID with your existing technology stack.
Or set up time for a personalized demo and consultation with our team by clicking here! We’re on hand to help your organization guard against phishing attacks and more.