Is your business guilty of phishing ‘blame and fear’? Is there another way?

You hear a knock at the door and go to answer it. As you open the door, the person on the other side barges past you into your property and attempts to steal your most valuable possessions. You are the victim of a crime, and it is not your fault.

Do you look through your window before opening the door? Would you recognise a criminal if you did?

What is phishing?

Phishing is a type of online fraud that involves tricking people into providing sensitive information, such as passwords or credit card numbers. Phishing can be carried out through emails, social media messages or malicious websites that look as if they come from a legitimate company or website. Phishing messages usually contain a malicious link that either initiates a harmful download or leads to a page designed to capture user credentials.

Is your business guilty of phishing ‘blame and fear’?

It’s important for employees to be aware of the tell-tale signs of phishing, but we all need to open links in emails in our day-to-day work, and malicious and safe links often cannot be told apart. In the same way, a knock at your door always sounds much the same, and the criminal on the other side is disguised.

A culture of blame and fear around employees clicking on phishing links is unhelpful. If victims of phishing feel they will be ostracised for a click, they may delay reporting the resulting breach or not report it at all, and the crucial incident response is delayed.

User awareness training should be only one of many locks on the doors. The working assumption should be that users will click and open the door to a criminal. However, just as you lock your jewellery box or put your most treasured possessions in a safe, we can put locks on other doors to help prevent criminals from stealing anything once they are in.

How can we mitigate against the most common phishing crimes?

1. Credential theft

Credential theft can be largely mitigated by implementing a number of controls, including device-based password-less authentication, multi-factor authentication (MFA), single sign-on (SSO), password managers, browser autocompletion of passwords (which will not fill a password into a lookalike site) and making sure that only your organisation's devices can access its resources.

2. Malicious downloads

By implementing enterprise-level controls, it's possible to greatly reduce the chance of a successful attack on your network: preventing delivery of phishing emails, preventing execution of initial code, application allow-listing, DNS filtering and endpoint detection.
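To show concretely what "allow-listing" and "DNS filtering" do on the user's behalf, here is a small link-screening routine written for this article as an added example; it is not a product or tool of Absolute Networks. The allow-list, block-list and sample email are constructed for the demonstration, and the registrable-domain helper uses a two-label simplification (a real filter would consult the Public Suffix List). The point it makes is the one the article makes in prose: the three links below look alike to a reader, but a filter that parses the URL properly does not have to rely on the reader at all.

```python
"""Added example: gateway-style link screening (constructed policy and data)."""
import re
from urllib.parse import urlsplit

# Constructed policy for the example; these are assumptions, not real lists.
ALLOW_LIST = {"example.com"}          # registrable domains the organisation trusts
BLOCK_LIST = {"evil.example"}         # domains flagged by a threat feed
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".js", ".hta", ".scr")

# Constructed sample email body; the three links are hard to tell apart by eye.
SAMPLE_EMAIL = """\
Invoice ready: https://intranet.example.com/invoices/42
Password expiring, reset now: https://example.com@evil.example/reset
Install the update: http://xn--exmple-cua.com/update.exe
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification for the example: a real filter uses the Public Suffix List
    so that names such as 'example.co.uk' are handled correctly.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def screen_url(url: str) -> dict:
    """Classify one URL the way a DNS filter or allow-listing gateway would.

    The host comes from the parsed URL, so a trusted name placed before '@'
    (the userinfo part) does not fool it, and punycode (xn--) labels are
    decoded so that lookalike domains are surfaced for review.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    reasons = []

    if domain in BLOCK_LIST or host in BLOCK_LIST:
        verdict = "block"
        reasons.append("domain on block-list")
    elif domain in ALLOW_LIST:
        verdict = "allow"
    else:
        # Allow-listing is default-deny: unknown destinations are blocked.
        verdict = "block"
        reasons.append("domain not on allow-list")

    # Surface internationalised lookalikes regardless of the verdict.
    if any(label.startswith("xn--") for label in host.split(".")):
        decoded = host.encode("ascii").decode("idna")
        reasons.append(f"internationalised domain, displays as {decoded!r}")

    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("link points at an executable download")

    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def screen_email(body: str) -> list:
    """Extract every link in an email body and screen each one."""
    return [screen_url(u) for u in URL_RE.findall(body)]


if __name__ == "__main__":
    for result in screen_email(SAMPLE_EMAIL):
        print(f"{result['verdict']:5}  {result['host']:22}  {'; '.join(result['reasons'])}")
```

Run as-is it prints one line per link: the intranet link is allowed, the "reset" link is blocked because its real host is `evil.example` rather than the `example.com` shown before the `@`, and the update link is blocked because its domain is unknown, with notes that it is an internationalised lookalike and points at an executable. Each of those notes is also exactly what a reporting add-in (next section) would want to attach to a user's report.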

Build a strong reporting culture

If users can spot suspicious emails and have an easy way to report them, those reports become a useful source of intelligence, highlighting compromise attempts that might otherwise be missed. Deploying an email reporting add-in across the organisation makes reporting a one-click action for users.

If a user isn't embarrassed to report that they've clicked on a malicious link, they will do so promptly, and the Absolute Security Team can work quickly to understand the resulting exposure. We don't have to choose between usability and security.

Absolute Networks’ Security Consultants can enable your organisation to achieve the right level of security whilst also allowing people to get on with their jobs without blaming them when things go wrong.

Contact Absolute Networks Ltd today to discuss how we can help your business mitigate phishing attacks.
