The phishing landscape keeps expanding, and the attacks keep changing.
Cyber attackers’ current methods include spear phishing, whaling, vishing, smishing, watering hole attacks and more. The Council of Economic Advisers estimated the cost of malicious cyber activity to the U.S. economy was between $57 billion and $109 billion in 2016. While the Small Business Administration lists phishing as one of the four headliners of malicious activity (along with malware, viruses and ransomware) targeting SMBs.
Phishing prevention may not be the most glamorous service MSPs offer, but it is an important one. If you have been letting your antispam run on autopilot lately, you might want to review your strategy to ensure you are keeping up with the bad guys — or, better yet, getting ahead of them.
Three key methods of confronting phishing attempts are tools, policies, and training.
Tools for phishing prevention
Many phishing attempts come through email, so it’s important to protect email messages.
Antispam resources can help in this area, but you should be thinking in both directions: inbound and outbound. Inbound mail protection helps your client, while outbound mail protection helps everyone else directly and your client indirectly. If you can prevent your clients’ email service or account from being a launch point for spammers and phishers, not only are you doing a service for the larger technology ecosystem, but you are also helping to protect the reputation and brand of your client and possibly preventing them from ending up on a blocked list.
In that spirit, when you implement an antispam product, make sure you turn on outbound filtering, as well. This will help catch issues before they become a larger problem. Also, make sure you add a Sender Policy Framework (SPF) record to your clients’ DNS records. An SPF record will announce to DNS servers the authorized locations to send email for the sending domain. This helps to prevent bad actors from spoofing your clients’ email domains.
Establish authentication policies
It would be nice if we simply installed a few tools and all was right with the world. But it doesn’t work that way, unfortunately.
Malicious actors can be determined and clever. One of the attack vectors they use is to hack into an employee’s email account and then send instructions or requests to people either inside or outside the organization under the employee’s identity. For that to happen, the attacker needs to get access to the worker’s email password, so now is a good time to talk about password management.
If your clients’ email accounts are using Active Directory sync so that each person’s email password is the same as their domain password and changed whenever their domain password is changed, that’s great. The next step is to ensure the domain password policy is set so the password is forced to change every 90 days.
The 90-day password policy has recently been under review, and a new concept has emerged for users to not change their password every 90 days. Allow me to offer a humble counterpoint. According to IBM-sponsored research by Ponemon Institute, security breaches remain undiscovered for an average of 197 days. If every employee changed their passwords every 90 days, even though something might not be discovered, at least the attacker would lose access within 90 days or less.
Another thing you can do is implement multifactor authentication, or MFA, for both the email application (Outlook or equivalent) and email portal login. When MFA is enabled, a malicious actor can neither set up an account in an email app nor log into the email portal without the MFA key.
Anti-phishing training and awareness
Training should always be part of your phishing prevention arsenal.
Honestly, a malicious email can sometimes look like any ordinary email. Sometimes, the recipients don’t look close enough at an email or the message looks exactly like something the boss would send. In all of these cases, no filter can help. As a result, you have to rely on the end users’ intuition. Fortunately, that is something you can improve.
Many automated offerings will now do faux-phishing to educate and increase awareness among employees about phishing threats. Think of it like inoculations. After end users see enough faux-phishing attempts, they will be ready to recognize a real one when it comes along and deal with it appropriately. This is key in the effort to keep your clients safe.
When it comes to thwarting phishing attempts, like most other aspects of security, a multilayered approach is most effective.
About the author
Scott Ford is director of operations at Pronesis Technology Group, an IT firm based in Tampa, Fla., that specializes in managed services, voice over IP communications, business consulting and planning, network security, cloud migrations, and Microsoft 365. Ford is also a member of The ASCII Group, a North American IT community of more than 1,300 MSPs, solution providers and systems integrators.