Phishing attacks wreak havoc on modern companies. In fact, 73% of cybercriminals choose phishing emails as their preferred means to trick targets, steal data, and maximize profit. Companies either combat this threat and defend themselves, or they risk becoming another cybercrime statistic. Fortunately, digital experts have developed effective anti-phishing strategies, which we discuss below.
DEFINING PHISHING
Cybercriminals use phishing to deceive personnel and/or customers of companies online. The goal is to extract confidential or sensitive information, as well as banking data, from their targets. The fishing metaphor highlights the tactic’s trap, where hooks trick targets into taking the bait, before reeling them in.
HOW CYBERCRIMINALS PHISH YOUR DATA
Cybercriminals use increasingly sophisticated and innovative techniques to trick their victims, but here are the most common tactics:
- Requests to confirm or update personal information: These include usernames, passwords, or banking details requested by a supposedly trusted public or commercial organization. Phishers often threaten sanctions to get their way.
- Payment failure or billing issue: A fake email informs you that a product cannot be shipped due to a billing problem or that you need to settle an outstanding payment. In companies, this often involves fraud by a fake supplier. Hackers pretend to be a regular supplier, informing the accounting department of a change in their bank account. The fraud goes unnoticed until the day the real supplier demands payment for the amounts due…
- Fake client fraud: Cybercriminals divert goods by posing as a prospect or client. The supposed client uses distributor details and convincing documents (such as K-Bis extracts) to gain the seller’s trust. Next, they place an order, receive goods, and never pay the invoice.
- Fake CEO fraud: Attackers convince an employee to comply with a supposed order from their executive, such as making a transfer or paying an advance on an ongoing contract or any other similar order. The fraudulent email, sent from a fake email address, appears to come from the company’s management.
- "Whaling" (also known as spear phishing): Using the same technique but with highly personalized messages, scammers target a company's "big fish," such as CEOs, CFOs, and security managers. Sometimes they support their attacks with phone calls imitating the voice of the targeted authority figure.
- Requests for information regarding a refund, order cancellation, delivery, etc.: With this scam, phishers trick individuals waiting for packages, and the companies that send them.
- Requests for payment to avoid the loss of a domain name, closure of an account, or alleged GDPR compliance.
WHEN PHISHING ATTACKS MOBILIZE
Emerging techniques also demand attention, including attacks via smartphone. They include:
- Smishing: A combination of the words "SMS" and "phishing", which takes the form of an SMS message containing a link that redirects smartphone owners to a deceptive website.
- Vishing: A form of phishing in which a voice message, delivered via an Internet telephony service (Voice over Internet Protocol, or VoIP), or a simple phone call attempts to convince the target to disclose sensitive information.
WHAT ARE THE BEST ANTI-PHISHING STRATEGIES?
Here are 11 top tips on how to protect your company from phishing attacks:
- Evaluate the assets at risk for the company: Domain names used for websites, email addresses, applications, and connected devices all face barrages of phishing emails.
- Develop a variation strategy for each identified domain: This tactic involves generating all plausible typographic variations of your domain, the combinations that fraudsters could use to deceive would-be customers. Each combination should be considered a potential vulnerability, and this variation strategy helps you anticipate attacks.
- Register the most at-risk and obvious defensive domains: Businesses typically prefer to spend 500, 1,000, or 2,000 euros on defensive registrations, because in the alternative scenario, phishing attack recovery costs spiral into the millions.
- Regularly monitor domain name registrations: Monitoring each domain that iterates upon your assets helps you anticipate phishing attacks, as scam emails often rely on fraudulent website servers.
- Automate your anti-phishing security process: Streamlined businesses integrate their domain monitoring service with their internal infrastructure through an API (Application Programming Interface). Automatically banning suspicious domains protects your colleagues, saving your IT and cybersecurity teams from arduous admin hours.
- Implement a secure password policy: change passwords every three months, require complex combinations, and do not allow reuse.
- Use a Virtual Private Network (VPN).
- Secure your Wi-Fi connection.
- Ensure that your antivirus software stays active and up-to-date.
- Install encryption tools and use a multi-factor authentication (MFA) solution, which requires a second credential in addition to the password to validate a user's identity.
- Train your employees to work safely via email.
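The domain variation and registration-monitoring tips above, worked through as an added example (this is not the article's or EBRAND's code): it generates typographic variants of a constructed brand domain, examplebank.com, and checks a constructed feed of newly registered names against them, producing the list a defender would push to a blocklist or a watch list. The keyboard-adjacency table, the homoglyph table and the TLD list are assumptions chosen for illustration.

```python
"""Generate typosquatting variants of a brand domain and match them against a
feed of newly registered domains. Added example; every domain below is constructed."""

# Keys adjacent on a QWERTY keyboard, used for fat-finger substitutions (assumed table).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Visually similar ASCII replacements often seen in lookalike domains (assumed table).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
# Alternative TLDs worth watching for the exact brand name (assumed list).
TLDS = ["com", "net", "org", "co", "fr", "eu"]


def generate_variants(domain):
    """Return the set of lookalike domains derived from `domain` (e.g. 'examplebank.com')."""
    name, _, tld = domain.lower().partition(".")
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                 # omission: exampebank
        names.add(name[:i] + ch + name[i:])                # repetition: exaamplebank
        if i < len(name) - 1:                              # transposition: exmaplebank
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for key in ADJACENT.get(ch, ""):                   # adjacent key: exanplebank
            names.add(name[:i] + key + name[i + 1:])
        if ch in HOMOGLYPHS:                               # homoglyph: exampleb4nk
            names.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
        if i > 0:                                          # hyphenation: example-bank
            names.add(name[:i] + "-" + name[i:])
    names.discard(name)
    names = {n for n in names if n and "--" not in n}
    variants = {f"{n}.{tld}" for n in names}
    # The exact brand name under another TLD is also a classic phishing registration.
    variants.update(f"{name}.{t}" for t in TLDS if t != tld)
    return variants


def match_feed(domain, feed):
    """Return, sorted, the entries of a registration feed that are variants of `domain`."""
    variants = generate_variants(domain)
    return sorted(entry for entry in feed if entry.lower() in variants)


# Constructed sample of a daily "new registrations" feed.
NEW_REGISTRATIONS = [
    "examplebank.com",      # the brand itself: not a variant
    "exmaplebank.com",      # transposition
    "example-bank.com",     # hyphenation
    "examplebank.co",       # TLD swap
    "exampleb4nk.com",      # homoglyph
    "exanplebank.com",      # adjacent-key typo
    "shop-supplies.org",    # unrelated registration
]

if __name__ == "__main__":
    hits = match_feed("examplebank.com", NEW_REGISTRATIONS)
    print(f"{len(generate_variants('examplebank.com'))} variants generated")
    for hit in hits:
        print("suspicious registration:", hit)
```

In a real deployment the feed would come from a registration-monitoring service rather than a hard-coded list, and the matches would be pushed automatically to the mail and web gateways, which is the automation the "Automate your anti-phishing security process" tip describes.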
WHAT IF YOU DETECT SIGNALS OF A PHISHING ATTACK?
The following steps help businesses capitalize on their initiative, deploying anti-phishing measures to stop cybercrime at the source:
- Exclude the suspicious domain name from your information system, if you have not automated this process.
- Report the suspicious domain name to groups like ScamAdviser or APWG. These organizations dedicate themselves to eliminating online scams and spreading awareness about cybercrime. These groups collaborate with internet authorities to display warning signs when users visit suspicious pages.
- Activate a tracker on the fraudulent domain name to monitor any changes in activity (zone modification, etc.).
- Collaborate with internal and external legal professionals to take enforcement action against the suspicious entity, sending formal notice letters to recover or delete the domain.
ARE THERE ANY ANTI-PHISHING PROTOCOLS TO USE AFTER AN ATTACK?
To successfully mitigate phishing attacks, businesses must act swiftly, but not hastily.
- First, staff must collaborate with IT and cybersecurity departments to change all passwords within the company.
- Businesses should also search for any unusual activity within the computer system and try to determine its origin. Whether it is remote-control software, suspicious administrator accounts, new files, or anything else, threat intelligence helps reinforce your defences.
- Evaluating the extent of the intrusion also helps businesses detect any lost or compromised information.
Alongside these internal strategies, businesses should also report the attack to their relevant government authority.
Additionally, Jérôme Notin, CEO of Cybermalveillance, advises downloading the appropriate Signal Spam modules for whichever browser the company typically uses. Signal Spam then shares relevant threat intelligence to block fraudulent sites automatically.
CONCLUSIONS: CAN ANTI-PHISHING SOLUTIONS HELP YOUR BUSINESS?
Firstly, why implement an anti-phishing solution in your company?
Well, as we’ve established, response time means everything when it comes to phishing attacks. The earlier you detect attack signals, the better you can anticipate risks. That’s why hourly domain registration monitoring pays off. Anti-phishing services deliver the necessary flexibility to act or react quickly whenever threats arise.
X-RAY BY EBRAND, A COMPREHENSIVE SOLUTION
EBRAND addresses this objective with two major anti-phishing functions: X-RAY Radar and X-RAY Tracker. These two tools in the X-RAY platform focus on pre-attack signals, such as domain name creations and/or changes affecting them. Once integrated with your information system through a dedicated API, they automate your security to ban all suspicious domains registered by malicious third parties.
X-RAY Radar helps teams monitor domain names, SSL certificates, subdomains, logos, social networks, and the Dark Web, delivering real-time threat detection. The Radar detects:
- Any new domain name registration (or its expiration), subdomain creation, or new SSL certificate issuance used by cybercriminals for phishing operations.
- Existing domain names and subdomains that match, contain, or closely resemble your company, along with any products, keywords, email addresses, or online activity related to your brand.
- The use of your logo on websites, through reverse image search, to identify fraudulent sites.
- Messages posted on social networks that may lead to scams and fake accounts.
- Various sources on the dark web to identify circulating data (data theft, attack preparation, email account recovery) and inform you about breaches and the types of compromised data.
In addition, the X-RAY Tracker continuously detects changes to a domain name's records, including new entries in the DNS zone (e.g., email activation), information published in WHOIS (e.g., DNS server or registrant changes), and web page content.
When the X-RAY Radar identifies an unused yet suspicious domain, the X-RAY Tracker identifies any changes to evaluate the phishing risks. Adding both tools to your portfolio supports proactive risk protection and robust anti-phishing strategies, within your business and beyond.
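The tracking step, described in the "Activate a tracker on the fraudulent domain name" tip and in the X-RAY Tracker paragraphs above, as an added example that is not the article's or EBRAND's code: two constructed snapshots of a suspicious domain's DNS zone and WHOIS data are compared, and each difference is mapped to a phishing-risk signal, so that the moment a parked lookalike domain gains a mail exchanger or moves to new hosting, it is escalated. The severity table is an assumption; the snapshots use documentation IP ranges and `.example` nameservers.

```python
"""Diff two snapshots of a watched domain (DNS zone + WHOIS) and turn the
changes into risk signals. Added example; the snapshots are constructed."""

SEVERITY = {"low": 0, "medium": 1, "high": 2}

# Assumed defender's reading of each kind of change.
DNS_SIGNALS = {
    ("MX", "added"):   ("high",   "mail exchanger appeared: the domain can now send and receive email"),
    ("TXT", "added"):  ("medium", "TXT record appeared (often SPF/DKIM): sender authentication is being set up"),
    ("A", "added"):    ("medium", "web host assigned: content may be staged"),
    ("A", "changed"):  ("medium", "web host moved away from the original (e.g. parking) address"),
    ("AAAA", "added"): ("medium", "IPv6 web host assigned"),
    ("NS", "changed"): ("medium", "nameservers changed: control of the zone moved"),
}
WHOIS_SIGNALS = {
    ("registrar", "changed"):  ("medium", "domain transferred to another registrar"),
    ("registrant", "changed"): ("medium", "registrant details changed"),
}


def diff_records(old, new):
    """Compare two {name: [values]} mappings; list what was added, removed or changed."""
    changes = []
    for key in sorted(set(old) | set(new)):
        before, after = set(old.get(key, [])), set(new.get(key, []))
        if before == after:
            continue
        kind = "added" if not before else "removed" if not after else "changed"
        changes.append({"key": key, "kind": kind, "before": sorted(before), "after": sorted(after)})
    return changes


def assess(domain, old_snapshot, new_snapshot):
    """Return (overall_severity, alerts) for everything that changed between two snapshots."""
    alerts = []
    for section, signals in (("dns", DNS_SIGNALS), ("whois", WHOIS_SIGNALS)):
        for c in diff_records(old_snapshot.get(section, {}), new_snapshot.get(section, {})):
            level, why = signals.get((c["key"], c["kind"]), ("low", "record modified"))
            alerts.append({"domain": domain, "section": section, "record": c["key"],
                           "kind": c["kind"], "level": level, "why": why,
                           "before": c["before"], "after": c["after"]})
    overall = max((a["level"] for a in alerts), key=SEVERITY.get, default="none")
    return overall, alerts


# Constructed snapshots of a lookalike domain: parked on day 1, weaponised on day 2.
DAY1 = {
    "dns": {"NS": ["ns1.parking.example", "ns2.parking.example"], "A": ["192.0.2.10"]},
    "whois": {"registrar": ["Registrar A"], "registrant": ["REDACTED FOR PRIVACY"]},
}
DAY2 = {
    "dns": {
        "NS": ["ns1.hosting.example", "ns2.hosting.example"],
        "A": ["198.51.100.7"],
        "MX": ["10 mail.examplebank-secure.net"],
        "TXT": ["v=spf1 ip4:198.51.100.7 -all"],
    },
    "whois": {"registrar": ["Registrar B"], "registrant": ["REDACTED FOR PRIVACY"]},
}

if __name__ == "__main__":
    overall, alerts = assess("examplebank-secure.net", DAY1, DAY2)
    print("overall risk:", overall)
    for a in alerts:
        print(f"[{a['level']}] {a['section']}/{a['record']} {a['kind']}: {a['why']}")
```

Run against periodic lookups rather than embedded snapshots, the same diff is what lets a tracker raise the alert before the first phishing email goes out: an MX record on a dormant lookalike domain is the strongest single pre-attack signal in this model, which is why it is the only change rated high.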
EBRAND experts would love to give you a free risk assessment, so if you’re interested in learning more about your digital risks, get in touch.