Phishing Attack Prevention: Identifying and Avoiding Scams


In this article, security experts discuss how to prevent phishing attacks and describe the most common forms those attacks take.

Hackers use phishing attacks to steal information. They will often do this via email, social media and phone calls. 




POPULAR PHISHING ISSUES AGAINST BUSINESSES

  • One of the most common types of phishing is when attackers impersonate a company. They typically do this with an email that looks like it’s from your brand, but isn’t (e.g., “firstname@amazon-support”). It’s difficult for companies to spot because you won’t know until someone falls for it or alerts you.
  • Spear phishing is when an attacker uses details about the target to create a fake company name and email address. This type of scheme can be especially dangerous.
  • If a phishing scammer gets the email login credentials of high-profile leadership, they are likely to target anyone that can be reached using that very same login. Potential targets would include colleagues, team members and even customers (if any information has already been obtained via hacking).
  • Scammers will impersonate companies over the phone and use Voice over Internet Protocol (VoIP) technology to get people’s personal information. This includes using details about targets and pretending they’re high up in a company, such as someone from HR or even the CEO.

To help businesses better understand how they can avoid falling victim to phishing attacks, we asked a number of security experts about the most common ways companies are subjected to phishing and what you can do in order to prevent it. Below is an excerpt from their responses:

“How do companies fall victim to phishing attacks and how can they prevent them?”

Meet the Panel Experts on Data Security:

  • Tiffany Tucker
  • Arthur Zilberman
  • Mike Meikle
  • Steve Spearman
  • Dave Jevans
  • Greg Scott
  • Jared Schemanski
  • Luis Chapetti
  • Felix Odigie
  • Abhish Saha
  • Jayson Street
  • Patrick Peterson
  • Daniel DiGriz
  • Greg Kelley
  • David Ting
  • Tom Clare
  • Luke Zheng
  • Derek Dwilson
  • Amit Ashbel
  • Ashley Schwartau
  • Peter Moeller
  • Nick Santora
  • Anne P. Mitchell
  • Tom Kemp
  • Jacob Ackerman
  • Aidan Simister
  • Mike Baker
  • Jackie Rednour Bruckman
  • Idan Udi Edry
  • Chris Gonzales
  • Michael Brengs
  • Marc Enzor
  • Aaron Birnbaum

Tiffany Tucker

@ChelseaTech

She is an engineer with Chelsea Technologies who has a Bachelor’s in Computer Science and Master’s in IT Administration & Security. She also worked for 10 years before joining the company.

One of the mistakes companies make is…

Not having all the tools in place and not training employees on their specific roles.

An intruder can get sensitive information from employees by using phishing. Phishers try to establish trust with their victims, and they are more successful in the digital age.

There are various ways that attackers can try to get your information, one being phishing.

  • Sending an employee a link in their email that takes them to a website with sensitive information and not encrypting the data.
  • Installing a Trojan via downloading an attachment from email or clicking on something in the ad that will give them access to sensitive information.
  • In order to send an email that appears as a reputable source, one can spoof the sender address.
  • Pretending to be an IT department or vendor when they are not.

How to combat phishing:

  • Have a training session with your employees and provide them with phishing scenarios.
  • Deploy a SPAM filter so that people can’t send viruses, etc.
  • It’s important to keep all the computers up-to-date with security patches and updates.
  • Make sure that all devices have antivirus software, update the virus signatures regularly and monitor their status.
  • Make sure to include password expiration and complexity in your security policy.
  • Install a web filter to block dangerous websites.
  • Encrypt all of your company’s sensitive information.
  • Sometimes, it can be a good idea to convert HTML email messages into plain text or turn off the ability of sending HTML emails.
  • We need to make sure employees are using encryption when they’re telecommuting.

Companies need to know the current phishing strategies and confirm that their security policies and solutions can eliminate threats as they evolve. They also have to make sure their employees understand what types of attacks they may face, how much risk there is in those threats, and how to address them.


Arthur Zilberman

@laptopmd

Arthur Zilberman grew up in Brooklyn, where he got his degree from New York Institute of Technology. He then went on to work as an IT manager and later a computer services provider.

Companies that fall victim to phishing attacks always have one thing in common: they don’t know how to spot a fake email.

Careless internet browsing.

Companies are more likely to fall prey to phishing attacks because of careless and naive internet browsing. A policy that prohibits certain sites from being accessed will greatly reduce a company’s chance of security compromise.

It’s important to educate your employees about the tricks of phishers. Security awareness should be a part of their orientation and they need to know not to open any e-mails from people they don’t know with attachments, or give out passwords over email. Make sure that anyone who wants them knows which browsers are secure – only use ones that have https: at the start.

Mike Meikle

@mike_meikle

Mike Meikle is a security specialist who has worked in the information technology and cyber security fields for over fifteen years. He speaks nationally on topics such as risk management, governance, and how to minimize data breaches.

Companies need to be on the lookout for phishing attacks, especially when it comes to human and technological factors.

Target, Sony and other companies were the targets of phishing scams. The Target breach was a result of an email being compromised which allowed malicious actors to eventually access their network.

One of the most common ways people are tricked into giving up their information is through phishing emails. They look like they come from a trustworthy source, and if someone clicks on it, there’s hidden code that will do something bad to your computer.

Employees need to be aware of the risks when opening email attachments or clicking on links from unknown sources. This is best covered in an effective security education program.

Training for phishing is usually either given yearly or during orientation. If it’s done online, employees quickly click through the content and ignore most of the information as they surf other websites at lunchtime. In-person training can be a PowerPoint presentation with an uninterested speaker who drones on for an hour.

There are several products that help to fight phishing attacks. One is a program which sends test emails from an outside source and measures the efficacy of anti-phishing training programs.

One way to reduce the chance of getting scammed is by using an automated heuristic product. These products filter out many obvious scams, but leave more cleverly designed emails intact.


Steve Spearman

@HipaaSolutions

Steve Spearman is the Founder and Chief Security Consultant for Health Security Solutions. Recently, he’s been doing HIPAA risk analysis with clients.

Companies need to remember that phishing attacks are very common.

The best way to protect against phishing is by implementing a layered security approach.

  • Have employees watch out for phishing attacks. If the domain of the link to which you are being directed doesn’t match that of the purported company, then it is a fake.
  • Spam filters are a great way to stop emails from dubious sources before they reach the inbox of employees.
  • It might be a good idea to have two-factor authentication so that hackers who’ve compromised credentials can’t reach the data.
  • You can use browser add-ons and extensions to avoid clicking on malicious links.

Phishing is the act of sending fake emails to people in order to steal their sensitive information. It’s hard because hackers can send phishing emails by compromising your email address book, so it looks like they’re coming from someone you know and trust.

Spear-phishing is a more targeted form of phishing, one that targets specific people or companies. It’s nearly impossible to protect against this kind of attack because the hacker will research their target and include details in an email to make it seem credible.
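The domain check in the first tip above (and the lookalike address such as “firstname@amazon-support” in the introduction) can be automated at the mail gateway. The following is an added example, not code from the page or from any expert’s product: it pulls every link out of a constructed HTML body and reports those whose host is not the purported sender’s domain or a subdomain of it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body, modelled on the lookalike-domain lure the
# page describes. It is not a real message.
SAMPLE_HTML = """
<p>Your order could not be shipped. Please
<a href="https://www.amazon-support.example/verify">confirm your details</a>
or view your order at <a href="https://www.amazon.com/orders">amazon.com</a>.</p>
<a href="http://192.0.2.10/login">Sign in</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, expected_domain):
    """True only if host is the expected domain or one of its subdomains.
    'www.amazon-support.example' and 'amazon.com.evil.example' both fail:
    the brand name appearing somewhere in the host is not enough."""
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def check_links(html, expected_domain):
    """Return findings for links that do not point at the purported sender's
    domain. Each finding is a (link text, href, reason) tuple."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = host_of(href)
        if not host:
            findings.append((text, href, "unparseable or non-http link"))
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((text, href, "bare IP address instead of a domain"))
        elif not belongs_to(host, expected_domain):
            findings.append((text, href, f"host {host} is not under {expected_domain}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in check_links(SAMPLE_HTML, "amazon.com"):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```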

Dave Jevans

@davejevans

Dave Jevans is the CEO, chairman and CTO of Marble Security. He also serves as chairman for Anti-Phishing Working Group. This group has 1,500+ financial services companies in it who are all dedicated to fighting crimeware email fraud or online identity theft through annual symposiums that take place in Barcelona.

It is important to have a device that employees can use and be educated on how they should interact with it.

With Bring Your Own Device, there is a new problem that has been introduced. For instance, an employee’s phone could send contacts to the internet and then attackers can use this information for targeted spear phishing. One way businesses are tackling this issue is by installing mobile security software on user devices which scans apps in order to prevent users from accessing corporate networks if they have privacy leaking apps.

To protect your mobile device, you should connect through VPNs to services that provide secure DNS and blacklisting so they can’t access phishing sites.

Enterprise companies should have a system where users can report phishing attacks quickly and easily, which will be filtered by IT.


Greg Scott

@DGregScott

Greg Scott is a consultant for Infrasupport Corporation. He wrote Bullseye Breach, which was about the large retailer that lost 40 million credit card numbers to some Russian criminals.

Remember that phishing attacks are usually just a way to get you to give up your personal information.

One of the things I learned from my first few hires is that it only takes one employee to take a bait.

It is important to make sure employees are attentive and that they know what can happen if they fall prey. It’s too easy for someone to be careless with their online security, which could put the company at risk.

The question is not how to prevent phishing attacks. The question should be, “How can a company limit the damage any successful attack will cause?” Some low cost tactics that offer a high reward are isolating POS terminals from the network and sharing information on security practices with each other. Sharing details of defenses against an attack is counter-intuitive but it’s actually more effective in defending against them.

In cryptography, the algorithms are public. That’s why we have strong cryptography today – all of them have been peer and publicly reviewed before being approved for use.

There are many bad guys already working on ways to hack into security systems. They have a whole supply chain dedicated to improving their ability, and they discuss it in forums with specialists in all sorts of dark deeds. The good people can’t beat them alone, so the smart ones should join forces out in the open for everyone’s safety.

Jared Schemanski

@nuspirenetworks

Jared Schemanski is a Security Analytics Team Leader at Nuspire Networks.

It is difficult to stop phishing because it can be done so easily and quickly.

The goal of spear phishing is to contact someone high up in an organization who can access more sensitive information, and then use it for malicious purposes.

A lot of people get phished because they’re not sure if the email is real or fake. The best thing to do in order to reduce this risk is teach employees how to read emails, so that when one comes through with a link it will seem suspicious and they won’t click on it.

The following are a few other tips for email users:

If the email comes from someone you know and trust, like a friend or colleague, send them an email with whatever information they requested directly. Do not simply hit reply to their request in your own message.

If you get an email from someone and it seems suspicious, call them to confirm the authenticity of their message.

You can tell if an email is legitimate by clicking on it and dragging your mouse over the sender’s name.


Luis Chapetti

@CudaSecurity

Luis A. Chapetti is a Software Engineer and Data Scientist at Barracuda who handles IP reputation systems, Spydef databases, etc.

One of the most common mistakes companies make is…

Today, phishing is just as mainstream as spam was back in 2004. One new way that spammers are using to get around anti-spam tools is by embedding an Excel spreadsheet into the email. When viewed on a phone or tablet, it looks like there’s nothing wrong with the email because most people delete HTML attachments without looking at them.

Here are some tips to help you avoid these attacks from the bad guys:

  • Don’t let anyone else know your email password because it’s a goldmine for spammers.
  • Use a short phrase for your password (longer is better, and it can be simpler) instead of just having few characters. Change the password regularly.
  • Never share passwords to email accounts unless you are logging in to your account on the provider’s website.
  • Never click on links in an email – always type the address into your browser’s address bar.
  • Keep your antivirus, spam filters and other security measures up to date.

Felix Odigie

@InspiredeLearn

Felix Odigie is the founder and CEO of Inspired eLearning.

To avoid phishing scams, the most important thing to remember is…

Education is the key.

People who receive phishing emails often don’t know what sets them apart from real communications. To improve people’s awareness of this, companies should regularly test their employees with fake phishing emails and they’ll be able to tell the difference between a legitimate email and one that is trying to steal information.

Even if a company’s security is perfect, the company only stays secure as long as its users are safe. And compromised credentials represent 90% of hacks and phishing emails make up over half of those breaches.


Abhish Saha

Abhish Saha has been in the industry for 20 years and gained a lot of experience. He’s consulted with many businesses, including large Australian and global ones.

It’s difficult to keep up with the ever evolving threat of phishing emails, and businesses need to always be on their guard.

Phishing has become more sophisticated by targeting specific individuals instead of random ones.

Here are three common phishing techniques that attackers use to steal people’s information.

  • DNS-based phishing is when someone takes control of your host files or domain names and sends people to a false webpage that looks like the real one.
  • Content-injection phishing is when criminal content, such as code or images, is added to your website. The goal of the criminals is usually capturing personal information from you and your customers.
  • Criminals can trick customers by creating a fake website that looks like the company’s, and then they monitor all of their information.

Four things companies can do to protect themselves from phishing attacks are:

  • SSL Certificates help protect your website from outside eavesdroppers. When you use one, all traffic to and from the site is encrypted.
  • You need to stay up-to-date with the latest patches and updates. This includes website hosting, shopping cart software, blogs or content management software.
  • Make sure your staff is aware of phishing scams, malware and social engineering threats by providing regular security training.
  • My company offers a payment page that is hosted securely, so my customers are safe from risk. I use an up-to-date PCI DSS and ISO 27001 certified provider to ensure the safety of their card data.

Jayson Street

@PwnieExpress

Jayson is an information security speaker who has spoken at DEFCON, DerbyCon and UCON. He also teaches people about cyber-security for Pwnie Express.

Companies are vulnerable to both technical and educational phishing attacks.

Companies are not preparing employees for the future, and need to educate them about evolving attack methods. They have traditionally done a good job of educating their workforce on standard phishing emails that are often poorly worded, but advances in spear-phishing have made attacks more targeted and personalized with social media.

No matter what you do, it’s not enough to just watch out for crudely worded emails. With so many people using email nowadays and the prevalence of fraudsters, there are a lot more things that need to be considered when receiving an email.

Organizations need to monitor not only what is coming into the network but also out of it. They should have strong policies dictating how networks can be used, and they need tools that will help them do this.


Patrick Peterson

@AgariInc

Patrick is a visionary leader who has been in the email business for nearly 20 years. He joined IronPort Systems in 2000 and defined their security appliances. Patrick invented SenderBase, which tracks spam emails to help stop them before they are delivered.

To avoid being phished, one thing to remember is…

Phishing attacks happen all the time, and it’s important not to give in when someone on the street says they have a package for you. When people get emails from FedEx saying there is a package waiting for them, they should be careful because if it comes from an email account that looks legitimate but isn’t actually legit then clicking or opening could lead to identity theft.

Passwords are more vulnerable than ever, and if you happen to forget your password, you can answer personal questions in order to get it reset. However, many of these questions (such as birthdate) can be found on social media accounts like Facebook or Twitter.

Recently, there have been many security breaches that show the importance of email authentication. DMARC is a type of protocol that helps stop spoofed emails from reaching consumers and maintain company reputation.
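The DMARC check mentioned above works by asking whether the domain that passed SPF or DKIM is aligned with the domain in the visible From: header; only then does a spoofed sender fail the published policy. This added example (not code from the page, nor Agari’s) implements that evaluation for a constructed record; it approximates the organizational domain as the last two labels rather than consulting the Public Suffix List.

```python
# Constructed DMARC record for the assumed domain example.com. In practice it
# is fetched as the TXT record of _dmarc.<domain>; no DNS lookup is done here.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s"


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict of tags.
    Returns None if the text is not a DMARC v1 record with a policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    # Alignment modes default to relaxed when absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels.
    Assumption for this example only: a real implementation uses the
    Public Suffix List, otherwise 'example.co.uk' is mishandled."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain sharing the organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Decide the DMARC outcome for one message.
    spf_domain is the envelope (MAIL FROM) domain that SPF evaluated;
    dkim_domain is the d= tag of a signature that verified.
    Returns (result, action) where action is the policy to apply on failure."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("none", "none")  # no policy published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])


if __name__ == "__main__":
    # Spoof: From example.com, but SPF only passed for the attacker's own domain.
    print(evaluate(SAMPLE_RECORD, "example.com", "pass", "attacker.example", "none", None))
    # Legitimate bulk sender: envelope bounce.example.com aligns in relaxed mode.
    print(evaluate(SAMPLE_RECORD, "example.com", "pass", "bounce.example.com", "none", None))
```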

Daniel DiGriz

@MadPipe

Daniel DiGriz is a digital strategist and CEO of MadPipe. He has master’s degrees in Instructional Technology, as well as decades of experience working for Fortune 500 companies.

The most common mistake companies make is…

When employees are used to taking instructions from superiors without question, they’re more likely to be fooled by phishing scams. This is especially true in companies where it’s frowned upon for people to ask for help or there’s a sense of mutual distrust among staff.

One problem with IT help is that people can get frustrated and click on a link, which could lead to them getting phished. The chance of someone being vulnerable goes up when there are pockets of employees who lack basic technical literacy. Announcements about phishing may only cover one or two examples but it’s endlessly adaptable. The best way to mitigate this risk is cultural change in the organization and mandating all employees have at least some knowledge about technology.


Greg Kelley

Greg Kelley is the Chief Technology Officer for Vestige, Ltd. They perform computer forensic services and data breach response.

Companies that fall victim to phishing attacks often make the mistake of not giving their employees enough training on what they should do when faced with a potential scam.

A lot of people are careless when it comes to their computer security, and they don’t take the necessary precautions. They might think that anti-virus will catch anything bad in an attachment or link, but this is not always true.

Recently, the bad guys have been getting better at social engineering. They do research on companies to figure out who works there and what their email address is.

Companies can’t prevent these attacks, but they can mitigate them. Employees should be trained on email use and phishing detection before being hired. More training is necessary for new hires as well as periodic refreshers to keep employees up-to-date with the latest cyber threats.

David Ting

@imprivata

David Ting is the Chief Technology Officer at Imprivata.

Companies that fall victim to phishing attacks usually do so because they don’t have a plan in place for security.

Employees are the weakest link in most security systems, so it’s easy for attackers to trick them.

Strong authentication can help make sure your employees are secure. For example, if someone asks for credentials and they have SSO in place, then it’s likely a phishing attack.


Tom Clare

@AWNetworks

Tom Clare is a security marketing manager and he has led product marketing for Websense and Blue Coat. He now works at Arctic Wolf.

A common mistake that leads to phishing attacks is…

The old idea of using preventative defenses, such as firewalls and antivirus software to protect your company from cybersecurity threats is outdated. You need a balance between preventive and detective measures in order to detect unknown risks.

Cyber attackers are always trying to get past our defenses, but we can take preventive measures. We should monitor for abnormal activity and have a baseline of what is normal so that we know when something abnormal happens.

Machine analysis is effective in some cases, but it’s not enough for APTs. Security analysts need the ability to search and pivot through data with an analytical mindset.

If you think people will click on phishing links, then look at your network data and see if there are any infections or nefarious activity. Think about the ratio of preventative to detective defenses: is it worth investing in more preventive measures? If so, consider installing a program that tracks where employees go online.

Luke Zheng

@luke_zheng

Luke is currently the engineering lead at Stanza and has worked for companies like Microsoft, Tesla, and Carnegie Mellon. He graduated from CS.

One of the most common mistakes companies make that leads to phishing attacks is…

If you are a company with many people, it is more likely that multiple individuals will click on the same phishing email. This increases your chances of getting hacked.

For startups, phishing is a big issue because they often have their founders as the main point of contact. It’s also easy to get past spam filters when you’re using one founder email for many websites. The best way to prevent this from happening is by not associating any one address with multiple sites and having founders use different emails.


Derek Dwilson

Derek Dwilson is a lawyer and security expert. He has been passionate about technology his entire life, which led him to get a law degree from the University of Texas. Derek currently consults with businesses on how to improve their security.

Phishing attacks are really common, especially when people answer an email from a company they don’t recognize. The best way to prevent these is by remembering that if something seems too good or convenient, it probably isn’t true.

Phishing is a problem for two reasons. First, the hacker may gain access to one account through their phishing attempt. Second, if an employee uses the same password on multiple accounts of your company’s data then they will have gained access to more than just that one account.

On the first front, there are many warning signs to look for. Gmail will sometimes give you a message near the subject line if it looks like someone is trying to send you phishing emails.

On the second front, one can secure their company by using tools such as LastPass and Yubikey. This way employees only have to remember one password instead of having a unique password for each account login. If you use just 1 single password per account, then hackers will be limited in what they’re able to do because when accounts get hacked companies usually let people know.

YubiKey is a second factor in two-factor authentication. It can be used to add an extra layer of protection for your LastPass account.

Amit Ashbel

@Checkmarx

Amit Ashbel is a product marketing manager for Checkmarx in Israel.

One mistake I see companies making is when they…

Targeted attack tactics are more popular now than spamming or phishing.

It works like this:

  • What do you want to gain from this? Money, Information, Personal information or Credit card numbers.
  • The next step is to find your target. You need to know who you want to speak with in order for the call or meeting go well.
  • Plays golf, has a wife and two kids. He also recently liked Flower.com on Facebook.
  • Send an email with a link to flowers.com for the anniversary gift, and send it from there.

Spear phishing is when someone looks for a vulnerability and then they exploit that to get the data that they want. A typical example would be getting an email from your bank with a link in it, but instead of just going to their website, there’s malware behind it.

Spear phishing attacks require more preparation, but they’re also generally more successful.

I would like to protect the company from lawsuits and other legal issues, so I will have a lawyer look over all agreements before they are signed.

  • If you’re not sure who it’s from, be hesitant; if you don’t know the sender at all, either contact your IT department or delete the email.
  • Teach employees how to use the internet safely. This can be done by teaching them about phishing emails, making sure they are using updated software and that their passwords are strong.
  • Invest in some security controls to prevent mistakes.
  • Make sure your internal applications are secure and not easily exploited.

Ashley Schwartau

@SecAwareCo

Ashley Schwartau has been with the Security Awareness Company for over a decade, and she is experienced in every part of the creative process. She helps companies make their awareness training effective by working on any project that comes in her door: short videos or custom e-learning modules, global campaigns.

To prevent phishing attacks, I think companies should…

EDUCATE your users.

Keep reminding them about it on a regular basis. It’s not just for one day or week, it needs to be reinforced many times over.

TEST your users.

Companies like PhishMe and PhishLine offer these kinds of services that allow you to create phishing campaigns against your employees. This way, the company can see who clicked on links in order to provide more remediation or training.

Companies fall for phishing attacks because they don’t train their employees and assume that people know more than they do. A lot of people leave common sense at home or just have too much on their minds when working, so click fast instead of thinking about the risks associated with clicking a link in an email. If companies educate users about what to look out for (both company-wise as well as personally) then those clicks will go down.

Peter Moeller

@S_H_Law

Peter Moeller is the director of marketing for a law firm that has an extensive cyber security and data protection practice. He’s in charge of implementing web 2.0 lead generation platforms, as well as managing vendors and technology to increase business growth.

The biggest mistake companies make is…

Phishing attacks come in many forms, but most of them will be an email. If a company doesn’t educate their employees and have the right system to flag malicious messages, they’re more likely to fall victim.

It’s easy to prevent phishing attacks, but you have to take education and plans into account. First of all, it is important that your staff are educated about best internet/email practices. Educating them will allow them to question communications that don’t seem right or follow the appropriate steps when they get a suspicious email. You should also make sure someone who knows what he/she is doing in terms of phishing activities can help employees screen questionable emails for anything out of the ordinary (links, etc.). Also, teach everyone not just once but constantly remind people never to click on links or open any .exe files – always use separate tabs and research before acting.


Nick Santora

@Curricula

Nick Santora, the CEO of Curricula, is a cybersecurity expert who used to work for NERC. He helped make sure that North America’s power grid was secure and reliable.

To stay protected against phishing attacks, the one thing I would do is…

We are often reminded of the need to be careful, but sometimes we forget that cybersecurity is a constant threat.

Anne P. Mitchell

@annepmitchell

Anne Mitchell is an expert in internet law and policy, as well as security for the web. She heads up ISIPP.

Phishing attacks are usually easy to spot, but not all companies do anything about it.

Phishing scams are becoming more sophisticated, so companies should limit the use of contact photos and names in their email clients.

Tom Kemp


@Centrify

Tom is the co-founder and CEO of Centrify, a company that helps companies by providing them with cloud-ready Zero Trust Privilege to help keep their data secure.

I’ve noticed an increase in cyber-attacks on CEOs, wherein criminals use social engineering and spear phishing to get executives to wire funds.

In 2015, someone from Centrify would get an email from Tom Kemp asking for help with a wire transfer on a monthly basis. The frequency has increased to weekly or twice-weekly now.

It’s not just HR managers, payroll clerks and finance directors that scammers are targeting these days. Recently there have been a lot of breaches in companies who aggregate information about employees at other businesses.

What to do?

  • Make sure your employees understand the dangers of CEO fraud.
  • Always make sure you call to confirm an out-of-band request, even if it seems like the CEO may be mad.
  • Implement additional security measures to protect vital business applications.

Newer technologies are being offered by anti-spam and email security vendors that allow warnings to be issued when an impersonating email comes in.

Centrify uses an email security system that flags emails with the same Display Name as their internal employees.
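The display-name flagging described above can be implemented as a simple check on the From: header: a message whose display name matches an internal employee but whose address is outside the company domain is the CEO-fraud pattern the section describes. The example below is added here and is not Centrify’s system; the staff directory, domain and messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed internal directory (normalized display name -> address); not real.
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {
    "jane doe": "jane.doe@example.com",   # assumed CEO for this example
    "sam lee": "sam.lee@example.com",
}


def normalize_name(name):
    """Fold case, drop quotes and collapse whitespace so that 'Doe, Jane',
    '"Jane  Doe"' and 'jane doe' all compare equal."""
    name = name.strip().strip('"').lower()
    if "," in name:  # 'doe, jane' -> 'jane doe'
        last, first = [p.strip() for p in name.split(",", 1)]
        name = f"{first} {last}"
    return " ".join(name.split())


def flag_display_name(from_header, directory=DIRECTORY, internal_domain=INTERNAL_DOMAIN):
    """Return a reason string when the From: display name belongs to an internal
    employee but the address is not under the internal domain, else None."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    key = normalize_name(display)
    if key not in directory:
        return None  # unknown name: nothing to impersonate
    if domain == internal_domain or domain.endswith("." + internal_domain):
        return None  # genuine internal sender
    return f"display name '{display}' matches {directory[key]} but sender is {addr}"


def scan_messages(raw_messages):
    """Run the check over RFC 5322 messages; return (subject, reason) for hits."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        reason = flag_display_name(msg.get("From", ""))
        if reason:
            hits.append((msg.get("Subject", ""), reason))
    return hits


# Constructed sample messages modelled on the wire-transfer lure described above.
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: Board deck\n\nAttached.\n",
    "From: \"Jane Doe\" <ceo.janedoe@webmail.example>\nSubject: Urgent wire transfer\n\nNeed this today.\n",
    "From: \"Doe, Jane\" <jdoe@example.com.evil-host.example>\nSubject: Re: payroll\n\nCall me.\n",
    "From: Vendor Billing <billing@vendor.example>\nSubject: Invoice 1234\n\nSee attached.\n",
]

if __name__ == "__main__":
    for subject, reason in scan_messages(SAMPLE_MESSAGES):
        print(f"FLAG [{subject}]: {reason}")
```

The directory lookup is the weak point of such a system: it only catches names it knows about, so it complements rather than replaces the DMARC-style authentication checks the other experts mention.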

Jacob Ackerman

@SkylinkDC

As the CTO of Skylink Data Centers in Naples, Florida, Jacob Ackerman is responsible for developing and implementing new technologies.

The biggest cybersecurity threat for businesses is the people who work there.

People are the biggest security risk. People can be manipulated and become targets for hackers.

More and more companies are focused on diversity, especially during the hiring process.

Make sure you have a secure area for your IT people to lock up their uniform when they’re not using it. Otherwise, anyone can walk through the office and see any passwords that are just lying around on desks.

You should keep your passwords to yourself and not store them under the keyboard or in a drawer. You should also inspect what can be seen through windows, because people may have sensitive information on their screens.

Business owners should be aware of all the security threats that they face and not just focus on fancy computer scripts, phishing emails, ransomware or malware. It’s important to make sure password policies are enforced in order to protect a business.

Aidan Simister

@LepideSW

@aidansimister

Aidan is an IT veteran with 22 years of experience. Aidan has helped contribute to Lepide’s US and European security markets by building global teams from a standing start.

Employees have fallen for phishing links because they don’t know how to spot a fraud.

The more data breaches that happen, the more personal the phishing emails become. The cyber criminals are able to tailor their attack to what they know about you.

The first thing to do is train all employees, managers, and third parties on how to spot phishing emails. If your staff knows what they are looking for in a potential attack email, they will be less likely to fall for it. One of the best ways of ensuring that everyone is vigilant about spotting these types of attacks is to carry out simulations where you send an illegitimate e-mail asking people to click on a link and then monitor who goes through with it.

You should be careful to limit the privileges of your employees, which will reduce their impact in case they fall victim to a phishing attack.

Mike Baker

@Mosaic451

Mike Baker is the founder and managing partner of Mosaic451, a managed cyber security service provider. This company has built up years of experience in monitoring and operating some highly secure networks.

Many phishers will do their research before launching an attack.

Hackers research the company’s website, social media networks and employees to learn about them. They use this information for their fake phishing emails in order to make it look more genuine.

Phishing has become a great sport for cyber criminals because it is really easy to fall prey, and the most vulnerable people are those who want to please their bosses. Employees should be encouraged to ask questions about any requests that seem “off” even if they come from an executive.

Because phishers spy on company websites and social media networks for personal information, businesses need to be careful about what they post publicly. Likewise, organizations should educate their employees on the dangers of posting too much information online.

What can companies do to protect themselves from phishing scams?

Email spam filters are not enough to stop phishing. It is too easy for hackers because they send just a few emails, and these do not contain the words that email filters pick up on.

If an email is written in a foreign language, it may have funny spelling errors. Look closely at the reply address and domain name to see if they are legitimate or not.

Create a protocol for wire transfers, payments and the release of sensitive information. Implement a payment system that requires an order to be approved by both managers and finance officers; require a multi-person approval process on transactions exceeding a certain dollar amount; require telephone verification of all fund transfer requests and any changes to vendor payment information. Likewise, W-2 data should not be released without permission from multiple people or if it is not needed.

Conduct regular penetration testing. Organizations should have their security staff or a managed service provider test them for social engineering techniques such as phishing and other vulnerabilities.

If you want to create a culture of healthy skepticism, make sure employees know what your authentication protocol is. It won’t work all the time though, so organizations need end-point protection in addition to content monitoring/filtering.

Jackie Rednour Bruckman

@myworkdrive

Jackie Rednour Bruckman is the Chief Marketing Officer at MyWorkDrive.

Companies and organizations are often targeted by phishing attacks, especially during the hiring process.

People often get phishing emails and they make headlines when a person gets them and falls for it. A recent example was the Clinton campaign manager, John Podesta who fell for one of these emails during the presidential election in 2016.

The company should have had a strict policy of checking for spam and deleting it after forwarding to the IT/Security department. If there was any question, they could check with their employees first.

One of the best ways to avoid a situation like this is by not using public cloud platforms for high risk emails, high profile accounts and secure communications. Setting up an Exchange server behind firewalls would have helped during our scenario. Every company needs a strict computer usage policy that includes some simple rules such as no clicking on links or attachments from anyone who isn’t familiar with you.

Security is important for the network and all of its data. The networks should be secure to prevent any malware from getting in, as well as protecting against data loss or leaks.

Idan Udi Edry

@iuedry

Idan Udi Edry is a trusted leader in information technology and data security. He served as an Israeli Air Force officer for more than eight years, reaching the rank of captain and leading hundreds of professionally trained military personnel. His work with email encryption includes patented postmarked systems that encrypt emails.

Cybercriminals are becoming more and more savvy in their attacks, with a major increase in email breaches this year…

To avoid someone hacking into your email account, it is extremely important to pay attention to where emails are coming from. Cyber attackers often send out phishing attacks with similar subject lines or body content in hope that you won’t notice.

There’s another phishing method that cyber attackers implement to access your information, and that is through Wi-Phish. Hackers often use this technique to try and trick you into logging on to the wrong network in order for them to get ahold of your personal data. When using public Wi-Fi networks always check which one seems most legitimate beforehand by looking at reviews or seeing if it’s password protected. If possible, pick a secure hotspot with some sort of login requirement – whether they require passwords or not will depend on what type of device you’re using (most laptops have their own built-in ability). You can also do this when accessing any kind of public network as long as they offer an option like a “secure” internet connection.

Chris Gonzales

@MyIT1

Chris Gonzales has been in the IT industry for decades and is now an executive at My IT.

Companies fall victim to phishing attacks because they rely on one or two security mechanisms, such as a firewall and spam filter. They think that this is enough protection.

With so many different types of cybersecurity, it can be hard to know what type will work for your company. So we recommend multiple layers like firewalls, email and web filtering, security-operations-center threat sweeping, and user training.

One of the most effective ways to avoid phishing attacks is user training. They are easy to miss because they often contain no links or attachments.

The approval process for sending money and confidential data is broken. Accounting should never send any information without verifying it with someone else or just not doing it.

Michael Brengs

@Optimal_IdM

Michael Brengs, a recognized expert in ID management and industry speaker, is currently the Managing Partner at Optimal IdM. He attended the University of South Florida, where he earned his degree in Management Information Systems and became a Microsoft Certified Professional.

The first thing phishing emails do is make them look legitimate, like they are from Bank of America with a display name for the sender in the email…

But if you look at the detail of what the real email account is, it will be something different. Some tell-tale signs to identify phishing emails are:

  • When you see a hyperlink, make sure to hover over it first before clicking. The text of the link might look legitimate but what happens after is not.
  • Look for errors in the spelling or grammar. Often, people who are not native English speakers make mistakes when they write.
  • If you get an email that doesn’t seem right, don’t give up any personal information. If something’s fishy, it probably is phishy.
  • If you get an attachment from someone, don’t open it. If this is your corporate email account, notify IT staff.

If you receive an e-mail claiming to be from your bank, delete it. Do not click on any hyperlinks or respond back to the email. Empty your trash folder and alert corporate IT that they were being phished.
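Tom Kemp describes an email security system that flags messages whose Display Name matches an internal employee, and Michael Brengs makes the same point from the recipient’s side: the display name says “Bank of America” or the CEO, but the real address behind it is something else. The script below, written for this article rather than taken from Centrify’s or Optimal IdM’s products, shows the core of that check in Python. The company domain (example.com), the employee directory and the four inbound messages are all constructed for illustration; it also normalizes case, accents and RFC 2047 encoded names so that a lookalike such as “Töm Kemp” is still matched, and reports a Reply-To on a different domain as a secondary signal.

```python
"""Flag inbound mail whose From: display name matches an internal employee
while the sending address is not on the company's own domain.

Added example for this article; it is not Centrify's or Optimal IdM's code.
The company domain, the employee directory and the sample messages are
all constructed for illustration.
"""
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                    # assumed company domain
EMPLOYEE_DISPLAY_NAMES = {"Tom Kemp", "Jane Doe"}  # constructed directory


def normalize_name(name: str) -> str:
    """Decode RFC 2047 words, strip accents, case-fold and squeeze spaces,
    so 'TOM  KEMP' and '=?utf-8?q?T=C3=B6m_Kemp?=' both become 'tom kemp'."""
    decoded = str(make_header(decode_header(name)))
    nfkd = unicodedata.normalize("NFKD", decoded)
    stripped = "".join(ch for ch in nfkd if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


_DIRECTORY = {normalize_name(n) for n in EMPLOYEE_DISPLAY_NAMES}


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].casefold() if "@" in address else ""


def check_display_name(raw_message: str) -> dict:
    """Return the parsed sender plus a list of reasons the mail looks like
    display-name impersonation (an empty list means nothing was flagged)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(address)
    reasons = []
    # Core check: a known employee name on a non-company address.
    if normalize_name(display_name) in _DIRECTORY and from_domain != INTERNAL_DOMAIN:
        reasons.append(f"display name {display_name!r} belongs to an employee "
                       f"but the address is on {from_domain!r}")
    # Secondary signal: replies silently routed to yet another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To {reply_to!r} is on a different domain than From")
    return {"display_name": display_name, "address": address, "reasons": reasons}


def flagged_messages(raw_messages) -> list:
    """The subset of messages that raised at least one reason."""
    return [r for r in (check_display_name(m) for m in raw_messages) if r["reasons"]]


# Constructed inbound messages.
SAMPLE_INBOUND = [
    # 1: external mailbox reusing the CEO's name (flagged)
    "From: Tom Kemp <tom.kemp.office@webmail.example>\r\n"
    "To: payroll@example.com\r\nSubject: Quick favour\r\n\r\nAre you at your desk?\r\n",
    # 2: genuine internal mail (not flagged)
    "From: Tom Kemp <tom.kemp@example.com>\r\n"
    "To: payroll@example.com\r\nSubject: Board deck\r\n\r\nAttached.\r\n",
    # 3: unrelated external sender (not flagged)
    "From: Vendor Support <support@vendor.example>\r\n"
    "To: it@example.com\r\nSubject: Ticket 42\r\n\r\nResolved.\r\n",
    # 4: encoded, accented display name on an external address, plus a
    #    Reply-To on a third domain (flagged for both reasons)
    "From: =?utf-8?q?T=C3=B6m_Kemp?= <t.kemp@freemail.example>\r\n"
    "Reply-To: tkemp@another.example\r\n"
    "To: finance@example.com\r\nSubject: Wire\r\n\r\nCall me.\r\n",
]

if __name__ == "__main__":
    for hit in flagged_messages(SAMPLE_INBOUND):
        print(hit["address"], "->", "; ".join(hit["reasons"]))
```

In a real gateway the directory would come from the identity provider rather than a hard-coded set, and a hit would typically add a banner to the message or quarantine it rather than just print, but the matching logic is the same.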

Marc Enzor

@geeks_2_you

Marc Enzor is a cybersecurity expert with over 20 years of experience. He worked as an IT consultant for small to medium size businesses.

Every day, phishing attacks are becoming more of a threat to companies. They aren’t slowing down.

Attackers have started to use a new type of attack called Spear Phishing, which is highly targeted. I’ve seen fake emails that looked like they came from the CEO of an organization and were sent directly to Accounts Payable departments asking for wire transfers.

The main answer to this question is that IT departments need to simulate attacks and train the victims. There are a lot of phishing testing services, which will allow IT/Cybersecurity teams to craft fake phishing attacks. They’ll then send it out to all employees in an organization and report on who fell for it by clicking or providing their password. The next step would be subjecting those victims (those who clicked) to special training so they know what’s going on and how not to fall prey again.

Other efforts can be made to improve email firewalls and, if possible, add in specialty filtering for common phishing attacks. When it comes down to specialized spear-phishing emails, they will always be difficult to stop. The more research the attacker puts into their attack strategy – the better chance of success there is.

Aaron Birnbaum

@SeronSecurity

Aaron S. Birnbaum is the Chief Security Officer at Seron Security and has over 30 years of experience with commercial sales, partnerships, and marketing. He’s worked for Fortune 500 companies as well as startups in a variety of industries, so he can work effectively with many diverse types of people.

Some phishing attacks are targeted at businesses based on what they do, others might be targeting a specific person.

Security awareness training, policies and social media usage are three of the most popular ways to reduce risk for a company.

There is a technique called ‘spear phishing’ where someone targets an individual after gathering data on social media websites, and then there’s cloning which happens when the user clicks on a legitimate-looking email that contains an attachment or bad link. Another type of attack is CEO fraud, as well as whaling – both targeted at senior people in companies who may be persuaded to give away private information verbally or in writing.

The most popular approach to this is by sending an email attachment with a common name (e.g., ‘spreadsheet.xlw’, or ‘file.pdf’), and convincing the user to click on it, which will compromise their network.

Security awareness training is the best way to prevent phishing emails, so teach users good habits and send fake emails to test them. Watch out for typos or spelling mistakes in email addresses.


“How do companies fall victim to phishing attacks and how can they prevent them?”

Meet the Experts on Data Security on Our Panel:

  • Tiffany Tucker
  • Arthur Zilberman
  • Mike Meikle
  • Steve Spearman
  • Dave Jevans
  • Greg Scott
  • Jared Schemanski
  • Luis Chapetti
  • Felix Odigie
  • Abhish Saha
  • Jayson Street
  • Patrick Peterson
  • Daniel DiGriz
  • Greg Kelley
  • David Ting
  • Tom Clare
  • Luke Zheng
  • Derek Dwilson
  • Amit Ashbel
  • Ashley Schwartau
  • Peter Moeller
  • Nick Santora
  • Anne P. Mitchell
  • Tom Kemp
  • Jacob Ackerman
  • Aidan Simister
  • Mike Baker
  • Jackie Rednour Bruckman
  • Idan Udi Edry
  • Chris Gonzales
  • Michael Brengs
  • Marc Enzor
  • Aaron Birnbaum

Tiffany Tucker

@ChelseaTech

She is an engineer with Chelsea Technologies who has a Bachelor’s in Computer Science and Master’s in IT Administration & Security. She also worked for 10 years before joining the company.

One of the mistakes companies make is…

Not having all the tools in place and not training employees on their specific roles.

An intruder can get sensitive information from employees by using phishing. Phishers try to establish trust with their victims, and they are more successful in the digital age.

There are various ways that attackers can try to get your information, one being phishing.

  • Sending an employee a link in their email that takes them to a website with sensitive information and not encrypting the data.
  • Installing a Trojan via downloading an attachment from email or clicking on something in the ad that will give them access to sensitive information.
  • In order to send an email that appears as a reputable source, one can spoof the sender address.
  • Pretending to be an IT department or vendor when they are not.

How to combat phishing:

  • Have a training session with your employees and provide them with phishing scenarios.
  • Deploy a SPAM filter so that people can’t send viruses, etc.
  • It’s important to keep all the computers up-to-date with security patches and updates.
  • Make sure that all devices have an antivirus software, update the virus signature regularly and monitor its status.
  • Make sure to include password expiration and complexity in your security policy.
  • Install a web filter to block dangerous websites.
  • Encrypt all of your company’s sensitive information.
  • Sometimes, it can be a good idea to convert HTML email messages into plain text or turn off the ability of sending HTML emails.
  • We need to make sure employees are using encryption when they’re telecommuting.

Companies need to know the current phishing strategies and confirm that their security policies and solutions can eliminate threats as they evolve. They also have to make sure their employees understand what types of attacks they may face, how much risk there is in those threats, and how to address them.

Arthur Zilberman

@laptopmd

Arthur Zilberman grew up in Brooklyn, where he got his degree from New York Institute of Technology. He then went on to work as an IT manager and later a computer services provider.

Companies that fall victim to phishing attacks always have one thing in common: they don’t know how to spot a fake email.

Careless internet browsing.

Companies are more likely to fall prey to phishing attacks because of careless and naive internet browsing. A policy that prohibits certain sites from being accessed will greatly reduce a company’s chance of security compromise.

It’s important to educate your employees about the tricks of phishers. Security awareness should be a part of their orientation and they need to know not to open any e-mails from people they don’t know with attachments, or give out passwords over email. Make sure that anyone who wants them knows which browsers are secure – only use ones that have https: at the start.

Mike Meikle

@mike_meikle

Mike Meikle is a security specialist who has worked in the information technology and cyber security fields for over fifteen years. He speaks nationally on topics such as risk management, governance, and how to minimize data breaches.

Companies need to be on the lookout for phishing attacks, especially when it comes to human and technological factors.

Target, Sony and other companies were the targets of phishing scams. The Target breach was a result of an email being compromised which allowed malicious actors to eventually access their network.

One of the most common ways people are tricked into giving up their information is through phishing emails. They look like they come from a trustworthy source, and if someone clicks on it, there’s hidden code that will do something bad to your computer.

Employees need to be aware of the risks when opening email attachments or clicking on links from unknown sources. This is best covered in an effective security education program.

Training for phishing is usually either given yearly or during orientation. If it’s done online, employees quickly click through the content and ignore most of the information as they surf other websites at lunchtime. In-person training can be a PowerPoint presentation with an uninterested speaker who drones on for an hour.

There are several products that help to fight phishing attacks. One is a program which sends test emails from an outside source and measures the efficacy of anti-phishing training programs.

One way to reduce the chance of getting scammed is by using an automated heuristic product. These products filter out many obvious scams, but leave more cleverly designed emails intact.

Steve Spearman

@HipaaSolutions

Steve Spearman is the Founder and Chief Security Consultant for Health Security Solutions. Recently, he’s been doing HIPAA risk analysis with clients.

Companies need to remember that phishing attacks are very common.

The best way to protect against phishing is by implementing a layered security approach.

  • Have employees watch out for phishing attacks. If the domain of the link to which you are being directed doesn’t match that of the purported company, then it is a fake.
  • Spam filters are a great way to stop emails from dubious sources before they reach the inbox of employees.
  • It might be a good idea to have two factor authentication so that hackers who’ve compromised credentials can’t reach the data.
  • You can use browser add-ons and extensions to avoid clicking on malicious links.

Phishing is the act of sending fake emails to people in order to steal their sensitive information. It’s hard because hackers can send phishing emails by compromising your email address book, so it looks like they’re coming from someone you know and trust.

Spear-phishing is a more targeted form of phishing, one that targets specific people or companies. It’s nearly impossible to protect against this kind of attack because the hacker will research their target and include details in an email to make it seem credible.
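Steve Spearman’s first bullet (if the domain of the link doesn’t match the purported company, it is a fake) and Michael Brengs’s advice to hover over a link before clicking both come down to the same comparison: the domain the href really goes to, versus the sender’s domain and versus what the link text shows. The Python script below is an added example written for this article, not code from either expert or their companies; it pulls every link out of a constructed HTML message posing as “examplebank.com” and reports each mismatch. The “last two labels” domain rule is a simplification labelled as such in the code.

```python
"""Audit the links in an HTML email: does each link really lead to the domain
the sender claims to be, and does the visible link text agree with the href?

Added example for this article, not code from any of the experts or their
companies. The sender, the message body and the domains are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    """Simplified 'last two labels' rule (assumption). Production code should
    consult the Public Suffix List, otherwise e.g. bank.co.uk collapses to co.uk."""
    labels = host.casefold().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.casefold()


# A domain-looking token in the visible link text, with or without a scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def _html_body(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")
    return ""


def audit_links(raw_message: str) -> list:
    """One finding per http(s) link; 'reasons' is empty when the link is consistent."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are out of scope here
        # .hostname ignores a 'user@' prefix, so https://bank.example@evil.example
        # is correctly attributed to evil.example rather than bank.example.
        target = registrable_domain(parsed.hostname or "")
        reasons = []
        if sender_domain and target != sender_domain:
            reasons.append(f"link goes to {target}, sender claims {sender_domain}")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != target:
            reasons.append(f"text shows {shown.group(1)} but href goes to {target}")
        findings.append({"href": href, "text": text, "domain": target, "reasons": reasons})
    return findings


def suspicious_links(raw_message: str) -> list:
    return [f for f in audit_links(raw_message) if f["reasons"]]


# Constructed message posing as a bank.
SAMPLE_MESSAGE = (
    'From: "Example Bank Alerts" <alerts@examplebank.com>\r\n'
    "To: customer@example.net\r\n"
    "Subject: Action required on your account\r\n"
    'Content-Type: text/html; charset="utf-8"\r\n\r\n'
    "<html><body><p>Dear customer,</p>"
    '<p><a href="https://examplebank.com/statements">View statement</a></p>'
    '<p><a href="https://examplebank.com.account-verify.net/login">'
    "https://examplebank.com/login</a></p>"
    '<p><a href="https://examplebank.com@login-check.example/">examplebank.com</a></p>'
    '<p><a href="mailto:support@examplebank.com">Contact us</a></p>'
    "</body></html>\r\n"
)

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_MESSAGE):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Of the four links, the first is consistent, the second puts the real domain in a subdomain of an unrelated site, the third hides the real host behind a `user@` prefix, and the `mailto:` link is skipped; only the second and third are reported.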

Dave Jevans

@davejevans

Dave Jevans is the CEO, chairman and CTO of Marble Security. He also serves as chairman of the Anti-Phishing Working Group. This group has 1,500+ financial services companies in it, all dedicated to fighting crimeware, email fraud and online identity theft, and holds annual symposiums in Barcelona.

It is important to have a device that employees can use and be educated on how they should interact with it.

With Bring Your Own Device, there is a new problem that has been introduced. For instance, an employee’s phone could send contacts to the internet and then attackers can use this information for targeted spear phishing. One way businesses are tackling this issue is by installing mobile security software on user devices which scans apps in order to prevent users from accessing corporate networks if they have privacy leaking apps.

To protect your mobile device, you should connect through VPNs to services that provide secure DNS and blacklisting so they can’t access phishing sites.

Enterprise companies should have a system where users can report phishing attacks quickly and easily, which will be filtered by IT.

Greg Scott

@DGregScott

Greg Scott is a consultant for Infrasupport Corporation. He wrote Bullseye Breach, which was about the large retailer that lost 40 million credit card numbers to some Russian criminals.

Remember that phishing attacks are usually just a way to get you to give up your personal information.

One of the things I learned from my first few hires is that it only takes one employee to take a bait.

It is important to make sure employees are attentive and that they know what can happen if they fall prey. It’s too easy for someone to be careless with their online security, which could put the company at risk.

The question is not how to prevent phishing attacks. The question should be, “How can a company limit the damage any successful attack will cause?” Some low cost tactics that offer a high reward are isolating POS terminals from the network and sharing information on security practices with each other. Sharing details of defenses against an attack is counter-intuitive but it’s actually more effective in defending against them.

In cryptography, the algorithms are public. That’s why we have strong cryptography today – all of them have been peer and publicly reviewed before being approved for use.

There are many bad guys already working on ways to hack into security systems. They have a whole supply chain dedicated to improving their ability, and they discuss it in forums with specialists in all sorts of dark deeds. The good people can’t beat them alone, so the smart ones should join forces out in the open for everyone’s safety.

Jared Schemanski

@nuspirenetworks

Jared Schemanski is a Security Analytics Team Leader at Nuspire Networks.

It is difficult to stop phishing because it can be done so easily and quickly.

The goal of spear phishing is to contact someone high up in an organization who can access more sensitive information, and then use it for malicious purposes.

A lot of people get phished because they’re not sure if the email is real or fake. The best thing to do in order to reduce this risk is teach employees how to read emails, so that when one comes through with a link it will seem suspicious and they won’t click on it.

The following are a few other tips for email users:

If the email comes from someone you know and trust, like a friend or colleague, send them an email with whatever information they requested directly. Do not simply hit reply to their request in your own message.

If you get an email from someone and it seems suspicious, call them to confirm the authenticity of their message.

You can tell if an email is legitimate by clicking on it and dragging your mouse over the sender’s name.

Luis Chapetti

@CudaSecurity

Luis A. Chapetti is a Software Engineer and Data Scientist at Barracuda who handles IP reputation systems, Spydef databases, etc.

One of the most common mistakes companies make is…

Today, phishing is just as mainstream as spam was back in 2004. One new way that spammers are using to get around anti-spam tools is by embedding an Excel spreadsheet into the email. When viewed on a phone or tablet, it looks like there’s nothing wrong with the email because most people delete HTML attachments without looking at them.

Here are some tips to help you avoid these attacks from the bad guys:

  • Don’t let anyone else know your email password because it’s a goldmine for spammers.
  • Use a short phrase for your password (longer is better, and it can be simpler) instead of just having few characters. Change the password regularly.
  • Never share passwords to email accounts unless you are logging in to your account on the provider’s website.
  • Never click on links in an email – always type the address into your browser’s address bar.
  • Keep your antivirus, spam filters and other security measures up to date.

Felix Odigie

@InspiredeLearn

Felix Odigie is the founder and CEO of Inspired eLearning.

To avoid phishing scams, the most important thing to remember is…

Education is the key.

People who receive phishing emails often don’t know what sets them apart from real communications. To improve people’s awareness of this, companies should regularly test their employees with fake phishing emails and they’ll be able to tell the difference between a legitimate email and one that is trying to steal information.

Even if a company’s security is perfect, the company only stays secure as long as its users are safe. And compromised credentials represent 90% of hacks and phishing emails make up over half of those breaches.

Abhish Saha

Abhish Saha has been in the industry for 20 years and gained a lot of experience. He’s consulted with many businesses, including large Australian and global ones.

It’s difficult to keep up with the ever evolving threat of phishing emails, and businesses need to always be on their guard.

Phishing has become more sophisticated by targeting specific individuals instead of random ones.

Here are three common phishing techniques that attackers use to steal people’s information.

  • DNS-based phishing is when someone takes control of your host files or domain names and sends people to a false webpage that looks like the real one.
  • Content-injection phishing is when criminal content, such as code or images, are added to your website. The goal of the criminals is usually capturing personal information from you and your customers.
  • Criminals can trick customers by creating a fake website that looks like the company’s, and then they monitor all of their information.

Four things companies can do to protect themselves from phishing attacks are:

  • SSL Certificates help protect your website from outside eavesdroppers. When you use one, all traffic to and from the site is encrypted.
  • You need to stay up-to-date with the latest patches and updates. This includes website hosting, shopping cart software, blogs or content management software.
  • Make sure your staff is aware of phishing scams, malware and social engineering threats by providing regular security training.
  • My company offers a payment page that is hosted securely, so my customers are safe from risk. I use an up-to-date PCI DSS and ISO 27001 certified provider to ensure the safety of their card data.

Jayson Street

@PwnieExpress

Jayson is an information security speaker who has spoken at DEFCON, DerbyCon and UCON. He also teaches people about cyber-security for Pwnie Express.

Companies are vulnerable to both technical and educational phishing attacks.

Companies are not preparing employees for the future, and need to educate them about evolving attack methods. They have traditionally done a good job of educating their workforce on standard phishing emails that are often poorly worded, but advances in spear-phishing have made attacks more targeted and personalized with social media.

No matter what you do, it’s not enough to just watch out for crudely worded emails. With so many people using email nowadays and the prevalence of fraudsters, there are a lot more things that need to be considered when receiving an email.

Organizations need to monitor not only what is coming into the network but also out of it. They should have strong policies dictating how networks can be used, and they need tools that will help them do this.

Patrick Peterson

@AgariInc

Patrick is a visionary leader who has been in the email business for nearly 20 years. He joined IronPort Systems in 2000 and defined their security appliances. Patrick invented SenderBase, which tracks spam emails to help stop them before they are delivered.

To avoid being phished, one thing to remember is…

Phishing attacks happen all the time, and it’s important not to give in when someone on the street says they have a package for you. When people get emails from FedEx saying there is a package waiting for them, they should be careful because if it comes from an email account that looks legitimate but isn’t actually legit then clicking or opening could lead to identity theft.

Passwords are more vulnerable than ever, and if you happen to forget your password, you can answer personal questions in order to get it reset. However, many of these questions (such as birthdate) can be found on social media accounts like Facebook or Twitter.

Recently, there have been many security breaches that show the importance of email authentication. DMARC is a type of protocol that helps stop spoofed emails from reaching consumers and maintain company reputation.

Daniel DiGriz

@MadPipe

Daniel DiGriz is a digital strategist and CEO of MadPipe. He has master’s degrees in Instructional Technology, as well as decades of experience working for Fortune 500 companies.

The most common mistake companies make is…

When employees are used to taking instructions from superiors without question, they’re more likely to be fooled by phishing scams. This is especially true in companies where it’s frowned upon for people to ask for help or there’s a sense of mutual distrust among staff.

One problem with IT help is that people can get frustrated and click on a link, which could lead to them getting phished. The chance of someone being vulnerable goes up when there are pockets of employees who lack basic technical literacy. Announcements about phishing may only cover one or two examples but it’s endlessly adaptable. The best way to mitigate this risk is cultural change in the organization and mandating all employees have at least some knowledge about technology.

Greg Kelley

Greg Kelley is the Chief Technology Officer for Vestige, Ltd. They perform computer forensic services and data breach response.

Companies that fall victim to phishing attacks often make the mistake of not giving their employees enough training on what they should do when faced with a potential scam.

A lot of people are careless when it comes to their computer security, and they don’t take the necessary precautions. They might think that anti-virus will catch anything bad in an attachment or link, but this is not always true.

Recently, the bad guys have been getting better at social engineering. They do research on companies to figure out who works there and what their email address is.

Companies can’t prevent these attacks, but they can mitigate them. Employees should be trained on email use and phishing detection before being hired. More training is necessary for new hires as well as periodic refreshers to keep employees up-to-date with the latest cyber threats.

David Ting

@imprivata

David Ting is the Chief Technology Officer at Imprivata.

Companies that fall victim to phishing attacks usually do so because they don’t have a plan in place for security.

Employees are the weakest link in most security systems, so it’s easy for attackers to trick them.

Strong authentication can help make sure your employees are secure. For example, if someone asks for credentials and they have SSO in place, then it’s likely a phishing attack.


Tom Clare

@AWNetworks

Tom Clare is a security marketing manager and he has led product marketing for Websense and Blue Coat. He now works at Arctic Wolf.

A common mistake that leads to phishing attacks is

The old idea of using preventative defenses, such as firewalls and antivirus software to protect your company from cybersecurity threats is outdated. You need a balance between preventive and detective measures in order to detect unknown risks.

Cyber attackers are always trying to get past our defenses, but we can take preventive measures. We should monitor for abnormal activity and have a baseline of what is normal so that we know when something abnormal happens.

Machine analysis is effective in some cases, but it’s not enough for APTs. Security analysts need the ability to search and pivot through data with an analytical mindset.

If you think people will click on phishing links, then look at your network data and see if there are any infections or nefarious activity. Think about the ratio of preventative to detective defenses: is it worth investing in more preventive measures? If so, consider installing a program that tracks where employees go online.

Luke Zheng

@luke_zheng

Luke is currently the engineering lead at Stanza and has worked for companies like Microsoft, Tesla, and Carnegie Mellon. He graduated from CS.

One of the most common mistakes companies make that leads to phishing attacks is…

If you are a company with many people, it is more likely that multiple individuals will click on the same phishing email. This increases your chances of getting hacked.

For startups, phishing is a big issue because they often have their founders as the main point of contact. It’s also easy to get past spam filters when you’re using one founder email for many websites. The best way to prevent this from happening is by not associating any one address with multiple sites and having founders use different emails.


Derek Dwilson

Derek Dwilson is a lawyer and security expert. He has been passionate about technology his entire life, which led him to get a law degree from the University of Texas. Derek currently consults with businesses on how to improve their security.

Phishing attacks are really common, especially when people answer an email from a company they don’t recognize. The best way to prevent these is by remembering that if something seems too good or convenient, it probably isn’t true.

Phishing is a problem for two reasons. First, the hacker may gain access to one account through their phishing attempt. Second, if an employee uses the same password on multiple accounts of your company’s data then they will have gained access to more than just that one account.

On the first front, there are many warning signs to look for. Gmail will sometimes give you a message near the subject line if it looks like someone is trying to send you phishing emails.

On the second front, one can secure their company by using tools such as LastPass and Yubikey. This way employees only have to remember one password instead of having a unique password for each account login. If you use just 1 single password per account, then hackers will be limited in what they’re able to do because when accounts get hacked companies usually let people know.

YubiKey is a second factor in two-factor authentication. It can be used to add an extra layer of protection for your LastPass account.

Amit Ashbel

@Checkmarx

Amit Ashbel is a product marketing manager for Checkmarx in Israel.

One mistake I see companies making is when they…

Targeted attack tactics are more popular now than spamming or phishing.

It works like this:

  • What do you want to gain from this? Money, Information, Personal information or Credit card numbers.
  • The next step is to find your target. You need to know who you want to speak with in order for the call or meeting to go well.
  • Plays golf, has a wife and two kids. He also recently liked Flower.com on Facebook.
  • Send an email with a link to flowers.com for the anniversary gift, and send it from there.

Spear phishing is when someone looks for a vulnerability and then they exploit that to get the data that they want. A typical example would be getting an email from your bank with a link in it, but instead of just going to their website, there’s malware behind it.

Spear phishing attacks require more preparation, but they’re also generally more successful.

I would like to protect the company from lawsuits and other legal issues, so I will have a lawyer look over all agreements before they are signed.

  • If you’re not sure who it’s from, be hesitant; if you don’t know the sender at all, either contact your IT department or delete the email.
  • Teach employees how to use the internet safely. This can be done by teaching them about phishing emails, making sure they are using updated software and that their passwords are strong.
  • Invest in some security controls to prevent mistakes.
  • Make sure your internal applications are secure and not easily exploited.

Ashley Schwartau

@SecAwareCo

Ashley Schwartau has been with the Security Awareness Company for over a decade, and she is experienced in every part of the creative process. She helps companies make their awareness training effective by working on any project that comes in her door: short videos or custom e-learning modules, global campaigns.

To prevent phishing attacks, I think companies should…

EDUCATE your users.

Keep reminding them about it on a regular basis. It’s not just for one day or week, it needs to be reinforced many times over.

TEST your users.

Companies like PhishMe and PhishLine offer these kinds of services that allow you to create phishing campaigns against your employees. This way, the company can see who clicked on links in order to provide more remediation or training.

Companies fall for phishing attacks because they don’t train their employees and assume that people know more than they do. A lot of people leave common sense at home or just have too much on their minds when working, so click fast instead of thinking about the risks associated with clicking a link in an email. If companies educate users about what to look out for (both company-wise as well as personally) then those clicks will go down.

Peter Moeller

@S_H_Law

Peter Moeller is the director of marketing for a law firm that has an extensive cyber security and data protection practice. He’s in charge of implementing web 2.0 lead generation platforms, as well as managing vendors and technology to increase business growth.

The biggest mistake companies make is…

Phishing attacks come in many forms, but most of them will be an email. If a company doesn’t educate their employees and have the right system to flag malicious messages, they’re more likely to fall victim.

It’s easy to prevent phishing attacks, but you have to take education and plans into account. First of all, it is important that your staff are educated about best internet/email practices. Educating them will allow them to question communications that don’t seem right or follow the appropriate steps when they get a suspicious email. You should also make sure someone who knows what he/she is doing in terms of phishing activities can help employees screen questionable emails for anything out-of-the-ordinary (links, etc.). Also, teach everyone not just once but constantly remind people never to click on links or open any .exe files – always use separate tabs and research before acting.


Nick Santora

@Curricula

Nick Santora, the CEO of Curricula, is a cybersecurity expert who used to work for NERC. He helped make sure that North America’s power grid was secure and reliable.

To stay protected against phishing attacks, the one thing I would do is…

We are often reminded of the need to be careful, but sometimes we forget that cybersecurity is a constant threat.

Anne P. Mitchell

@annepmitchell

Anne Mitchell is an expert in internet law and policy, as well as security for the web. She heads up ISIPP.

Phishing attacks are usually easy to spot, but not all companies do anything about it.

Phishing scams are becoming more sophisticated, so companies should limit the use of contact photos and names in their email clients.

Tom Kemp


@Centrify

Tom is the co-founder and CEO of Centrify, a company that helps companies by providing them with cloud-ready Zero Trust Privilege to help keep their data secure.

I’ve noticed an increase in cyber-attacks on CEOs, wherein criminals use social engineering and spear phishing to get executives to wire funds.

In 2015, someone from Centrify would get an email from Tom Kemp asking for help with a wire transfer on a monthly basis. The frequency has increased to weekly or twice-weekly now.

It’s not just HR managers, payroll clerks and finance directors that scammers are targeting these days. Recently there have been a lot of breaches in companies who aggregate information about employees at other businesses.

What to do?

  • Make sure your employees understand the dangers of CEO fraud.
  • Always make sure you call to confirm an out-of-band request, even if it seems like the CEO may be mad.
  • Implement additional security measures to protect vital business applications.

Newer technologies are being offered by anti-spam and email security vendors that allow warnings to be issued when an impersonating email comes in.

Centrify uses an email security system that flags emails with the same Display Name as their internal employees.

Jacob Ackerman

@SkylinkDC

As the CTO of Skylink Data Centers in Naples, Florida, Jacob Ackerman is responsible for developing and implementing new technologies.

The biggest cybersecurity threat for businesses is the people who work there.

People are the biggest security risk. People can be manipulated and become targets for hackers.

More and more companies are focused on diversity, especially during the hiring process.

Make sure you have a secure area for your IT people to lock up their uniform when they’re not using it. Otherwise, anyone can walk through the office and see any passwords that are just lying around on desks.

You should keep your passwords to yourself and not store them under the keyboard or in a drawer. You should also inspect what can be seen through windows, because people may have sensitive information on their screens.

Business owners should be aware of all the security threats that they face and not just focus on fancy computer scripts, phishing emails, ransomware or malware. It’s important to make sure password policies are enforced in order to protect a business.

Aidan Simister


@LepideSW

@aidansimister

Aidan is an IT veteran with 22 years of experience. Aidan has helped contribute to Lepide’s US and European security markets by building global teams from a standing start.

Employees have fallen for phishing links because they don’t know how to spot a fraud.

The more data breaches that happen, the more personal the phishing emails become. The cyber criminals are able to tailor their attack to what they know about you.

The first thing to do is train all employees, managers, and third parties on how to spot phishing emails. If your staff knows what they are looking for in a potential attack email, they will be less likely to fall for it. One of the best ways of ensuring that everyone is vigilant about spotting these types of attacks is by carrying out simulations where you send an illegitimate e-mail asking people to click on a link and then monitor who goes through with it.

You should be careful to limit the privileges of your employees, which will reduce their impact in case they fall victim to a phishing attack.

Mike Baker

@Mosaic451

Mike Baker is the founder and managing partner of Mosaic451, a managed cyber security service provider. This company has built up years of experience in monitoring and operating some highly secure networks.

Many phishers will do their research before launching an attack.

Hackers research the company’s website, social media networks and employees to learn about them. They use this information for their fake phishing emails in order to make it look more genuine.

Phishing has become a great sport for cyber criminals because it is really easy to fall prey, and the most vulnerable people are those who want to please their bosses. Employees should be encouraged to ask questions about any requests that seem “off” even if they come from an executive.

Because phishers spy on company websites and social media networks for personal information, businesses need to be careful about what they post publicly. Likewise, organizations should educate their employees on the dangers of posting too much information online.

What can companies do to protect themselves from phishing scams?

Email spam filters are not enough to stop phishing. It is too easy for hackers because they send just a few emails, and these do not contain the words that email filters pick up on.

If an email is written in a foreign language, it may have funny spelling errors. Look closely at the reply address and domain name to see if they are legitimate or not.

Create a protocol for wire transfers, payments and the release of sensitive information. Implement a payment system that requires an order to be approved by both managers and finance officers; require a multi-person approval process on transactions exceeding a certain dollar amount; and require telephone verification of all fund transfer requests and any changes to vendor payment information. Likewise, W-2 data should not be released without permission from multiple people or if it is not needed.

Conduct regular penetration testing. Organizations should have their security staff or a managed service provider test them for social engineering techniques such as phishing and other vulnerabilities.

If you want to create a culture of healthy skepticism, make sure employees know what your authentication protocol is. It won’t work all the time though, so organizations need end-point protection in addition to content monitoring/filtering.

Jackie Rednour Bruckman


@myworkdrive

Jackie Rednour Bruckman is the Chief Marketing Officer at MyWorkDrive.

Companies and organizations are often targeted by phishing attacks, especially during the hiring process.

People often get phishing emails and they make headlines when a person gets them and falls for it. A recent example was the Clinton campaign manager, John Podesta who fell for one of these emails during the presidential election in 2016.

The company should have had a strict policy of checking for spam and deleting it after forwarding to the IT/Security department. If there was any question, they could check with their employees first.

One of the best ways to avoid a situation like this is by not using public cloud platforms for high risk emails, high profile accounts and secure communications. Setting up an Exchange server behind firewalls would have helped during our scenario. Every company needs a strict computer usage policy that includes some simple rules such as no clicking on links or attachments from anyone who isn’t familiar with you.

Security is important for the network and all of its data. The networks should be secure to prevent any malware from getting in, as well as protecting against data loss or leaks.

Idan Udi Edry

@iuedry

Idan Udi Edry is a trusted leader in information technology and data security. He served as an Israeli Air Force officer for more than eight years, reaching the rank of captain and leading hundreds of professionally trained military personnel. His work with email encryption includes patented postmarked systems that encrypt emails.

Cybercriminals are becoming more and more savvy in their attacks, with a major increase in email breaches this year…

To avoid someone hacking into your email account, it is extremely important to pay attention to where emails are coming from. Cyber attackers often send out phishing attacks with similar subject lines or body content in hope that you won’t notice.

There’s another phishing method that cyber attackers implement to access your information, and that is through Wi-Phish. Hackers often use this technique to try and trick you into logging on to the wrong network in order for them to get ahold of your personal data. When using public Wi-Fi networks, always check which one seems most legitimate beforehand by looking at reviews or seeing if it’s password protected. If possible, pick a secure hotspot with some sort of login requirement – whether they require passwords or not will depend on what type of device you’re using (most laptops have their own built-in ability). You can also do this when accessing any kind of public network as long as they offer an option like a “secure” internet connection.

Chris Gonzales


@MyIT1

Chris Gonzales has been in the IT industry for decades and is now an executive at My IT.

Companies fall victim to phishing attacks because they rely on one or two security mechanisms, such as a firewall and spam filter. They think that this is enough protection.

With so many different types of cybersecurity, it can be hard to know what type will work for your company. So we recommend multiple layers like firewalls, email and web filtering, security-operations-center threat sweeping, and user training.

One of the most effective ways to avoid phishing attacks is user training. They are easy to miss because they often contain no links or attachments.

The approval process for sending money and confidential data is broken. Accounting should never send any information without verifying it with someone else or just not doing it.

Michael Brengs

@Optimal_IdM

Michael Brengs, a recognized expert in ID management and industry speaker, is currently the Managing Partner at Optimal IdM. He attended the University of South Florida, where he earned his degree in Management Information Systems and became a Microsoft Certified Professional.

The first thing phishing emails do is make them look legitimate, like they are from Bank of America with a display name for the sender in the email…

But if you look at the detail of what the real email account is, it will be something different. Some tell-tale signs to identify phishing emails are:

  • When you see a hyperlink, make sure to hover over it first before clicking. The text of the link might look legitimate but what happens after is not.
  • Look for errors in the spelling or grammar. Often, people who are not native English speakers make mistakes when they write.
  • If you get an email that doesn’t seem right, don’t give up any personal information. If something’s fishy, it probably is phishy.
  • If you get an attachment from someone, don’t open it. If this is your corporate email account, notify IT staff.

If you receive an e-mail claiming to be from your bank, delete it. Do not click on any hyperlinks or respond back to the email. Empty your trash folder and alert corporate IT that they were being phished.
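The display-name flagging Tom Kemp describes and the "hover over the link first" and "look at the real sender address" checks in the list above, as an added example that is neither the article's nor any vendor's code. It parses a raw message with Python's `email` module and reports three indicators; the internal directory, domains and both sample messages are constructed.

```python
"""Flag three indicators described above: a display name that matches an
internal employee but arrives from an outside address, a Reply-To on a
different domain than From, and a link whose visible text shows one domain
while its href leads to another. Added example; directory, domains and
messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example-corp.com"}  # constructed
DIRECTORY = {"pat example": "pat.example@example-corp.com"}  # constructed
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def _norm_name(name: str) -> str:
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _html_body(msg) -> str:
    """Decode the first text/html part, or return '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display-name impersonation: a known employee name on a non-internal mailbox.
    if _norm_name(name) in DIRECTORY and _domain(addr) not in INTERNAL_DOMAINS:
        findings.append(f"display name '{name}' used from external address {addr}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To domain differs from From: {reply_to}")
    # Link text vs. href: what hovering over the link would reveal.
    for href, text in ANCHOR_RE.findall(_html_body(msg)):
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        host = (urlparse(href).hostname or "").lower()
        if shown:
            shown_domain = shown.group(0).lower()
            if host != shown_domain and not host.endswith("." + shown_domain):
                findings.append(f"link text shows {shown_domain} but href goes to {host}")
    return findings


# Constructed messages: one impersonation attempt and one legitimate note.
SUSPICIOUS = """From: Pat Example <pat.example@free-mail.example.net>
Reply-To: urgent-reply@other-mail.example.org
To: payroll@example-corp.com
Subject: Wire transfer needed today
Content-Type: text/html; charset="utf-8"

<p>Approve here: <a href="http://portal.example.net/x">https://bank.example.com/login</a></p>
"""
BENIGN = """From: Pat Example <pat.example@example-corp.com>
To: payroll@example-corp.com
Subject: Menu
Content-Type: text/html; charset="utf-8"

<p>See <a href="https://intranet.example-corp.com/menu">intranet.example-corp.com</a></p>
"""

if __name__ == "__main__":
    print(phishing_indicators(SUSPICIOUS))  # three findings
    print(phishing_indicators(BENIGN))      # []
```

A mail gateway would run the same checks before delivery; the point of the directory lookup is that a matching display name on an outside address is the signal, not the name alone.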

Marc Enzor


@geeks_2_you

Marc Enzor is a cybersecurity expert with over 20 years of experience. He worked as an IT consultant for small to medium size businesses.

Every day, phishing attacks are becoming more of a threat to companies. They aren’t slowing down.

Attackers have started to use a new type of attack called Spear Phishing, which is highly targeted. I’ve seen fake emails that looked like they came from the CEO of an organization and were sent directly to Accounts Payable departments asking for wire transfers.

The main answer to this question is that IT departments need to simulate attacks and train the victims. There are a lot of phishing testing services, which will allow IT/Cybersecurity teams to craft fake phishing attacks. They’ll then send it out to all employees in an organization and report on who fell for it by clicking or providing their password. The next step would be subjecting those victims (those who clicked) to special training so they know what’s going on and how not to fall prey again.

Other efforts can be made to improve email firewalls and, if possible, add in specialty filtering for common phishing attacks. When it comes down to specialized spear-phishing emails, they will always be difficult to stop. The more research the attacker puts into their attack strategy – the better chance of success there is.

Aaron Birnbaum

@SeronSecurity

Aaron S. Birnbaum is the Chief Security Officer at Seron Security and has over 30 years of experience with commercial sales, partnerships, and marketing. He’s worked for Fortune 500 companies as well as startups in a variety of industries such that he can work effectively with many diverse types of people.

Some phishing attacks are targeted at businesses based on what they do, others might be targeting a specific person.

Security awareness training, policies and social media usage are three of the most popular ways to reduce risk for a company.

There is a technique called ‘spear phishing’ where someone targets an individual after gathering data on social media websites, and then there’s cloning which happens when the user clicks on a legitimate-looking email that contains an attachment or bad link. Another type of attack is CEO fraud, as well as whaling – both targeted at senior people in companies who may be persuaded to give away private information verbally or in writing.

The most popular approach to this is by sending an email attachment with a common name (e.g., ‘spreadsheet.xlw’, or ‘file.pdf’), and convincing the user to click on it, which will compromise their network.

Security awareness training is the best way to prevent phishing emails, so teach users good habits and send fake emails to test them. Watch out for typos or spelling mistakes in email addresses.
