How to Mitigate Phishing Attacks in Your Organization?
By Supriya. Published on November 16, 2020.
Phishing has been around for a long time, and one would expect that the more people know about it, the less prevalent it should become. In practice, reported phishing keeps rising. Exact figures are hard to pin down: not every victim reports the incident, and no single body tracks all of them, so any published number is a lower bound drawn from one vendor's or one platform's view. (Google data, for example, showed a 350% surge in phishing websites during the Covid-19 pandemic.)
Phishing is not always about money. It is also used to gain unauthorized access to a victim's account or device, and modern attacks rarely stop there: a phished credential or a malicious attachment is often just the initial-access step of a larger intrusion, combined with other techniques to reach the attacker's real goal.
Here are a few reasons why the phishing stats are going up:
1) Lack of Awareness: This is the most prevalent reason why attackers keep on succeeding over and over again. Lack of awareness may not always mean a lack of general awareness on the user’s part when it comes to technology. It could also be that a user who is new to an application might not be exactly aware of the security protocols the company(which has developed the app) has in place to prevent fraud. For example, banks frequently remind their users not to share their OTPs with anyone. But other organizations might not put in that effort and are more susceptible.
There is one more factor that goes unnoticed here. Usually, when companies issue security best practices to their users (usually sent to their mobile number as a message), the communication is done in English. The language also plays a key role. A lot of people (if you consider a country like India) may not be able to read and understand the content on these messages. This also has a contributing factor.
2) New to Technology: There has been an explosion in the usage in several parts of the world and a large number of people are using the internet for the first time, or have been using it only for a short amount of time. This makes them an easy target.
3) Oversharing of Information: People, in general, have gotten used to social media a lot. They share a lot of information about where they go, what they like etc. As soon as they find something interesting they are itching to share it with the world. They want to be the first ones to do it. As a result of this mad sharing, they do not realize how much sensitive information they give away which attackers can use.
For example, if you are interested in bikes, an attacker may send you a link which claims to contain the latest information about bikes in the market or leaks of a superbike or a special discount/sale of a bike. Once you navigate to that link the site may ask you to login using google so that you can unlock that deal. The site looks legit, it uses https and without realizing it your login and the attacker ends up gaining access to your Google credentials (strictly an example). The attacker knowing your interest in bikes has made it simple for him to exploit you.
4) Organizations Lacking Security: This is not strictly phishing, but it facilitates successful phishing attacks.
How do you think attackers gain access to your mobile number or email id?
Organizations gather all sorts of personal information about their users, and they are not always careful with that data or with the services they expose on the internet. Once attackers get hold of such data, it becomes very easy for them to impersonate an actual employee of the organization and get you to perform an unintended action.
It is not just the data; it can also be the services these organizations run. A few examples:
An organization might run a misconfigured mail server (for example an open relay, or a domain with no SPF, DKIM or DMARC records) that an attacker can use to send email that appears to come from the organization itself.
An application might have an admin function to push notifications to all users. If that action is not protected (for example, the authentication is broken and an anonymous user on the internet can invoke it), an attacker can push their own notifications to every user. Because the content arrives through a legitimate channel, users trust it, and the attacker reaches many victims at once. (Push notifications are all the rage right now.)
An organization might use a third-party service to call or message its users. If that service is misconfigured, or its API key leaks, an attacker may gain the ability to place calls or send messages in the organization's name, which again makes the attacker's job easy.
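As an added example (not code from the original post), here is a minimal Python model of the push-notification case from the list above: the vulnerable handler acts on any request that reaches it, while the hardened one authenticates the caller's bearer token and checks the admin role before anything is sent. The session store, user list, request and response objects are constructed stand-ins, not a real web framework.

```python
import hmac
from dataclasses import dataclass, field

# Constructed data so the example runs offline: session token -> principal, and the
# user base a broadcast would reach. A real app reads these from its session backend.
SESSIONS = {
    "tok-admin-1": {"user": "alice", "role": "admin"},
    "tok-user-7": {"user": "bob", "role": "user"},
}
ALL_USERS = ["alice", "bob", "carol"]
AUDIT_LOG = []   # what each "push" would have sent, and on whose behalf


@dataclass
class Request:
    method: str
    path: str
    body: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def push_to_all_users(message, sender):
    """Stand-in for the push-provider call; returns the number of recipients."""
    AUDIT_LOG.append({"sender": sender, "message": message, "recipients": len(ALL_USERS)})
    return len(ALL_USERS)


# --- Vulnerable: the "admin" endpoint never asks who is calling. ---
def admin_push_vulnerable(req):
    return Response(200, {"sent": push_to_all_users(req.body.get("message", ""), "anonymous")})


# --- Hardened: authenticate the bearer token, then authorize by role, then act. ---
def current_principal(req):
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):].encode()
    for known, principal in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token):   # constant-time compare of secrets
            return principal
    return None


def require_role(role):
    """Decorator: reject unauthenticated (401) and under-privileged (403) callers."""
    def decorator(handler):
        def wrapped(req):
            principal = current_principal(req)
            if principal is None:
                return Response(401, {"error": "authentication required"})
            if principal["role"] != role:
                return Response(403, {"error": "forbidden"})
            return handler(req, principal)
        return wrapped
    return decorator


@require_role("admin")
def admin_push_hardened(req, principal):
    message = req.body.get("message", "")
    if not message or len(message) > 500:    # validate input even from admins
        return Response(400, {"error": "invalid message"})
    return Response(200, {"sent": push_to_all_users(message, principal["user"])})


if __name__ == "__main__":
    lure = {"message": "Your account is locked. Verify at https://examp1e.com/login"}
    anonymous = Request("POST", "/admin/push", lure)
    print("vulnerable, anonymous:", admin_push_vulnerable(anonymous))
    print("hardened, anonymous:  ", admin_push_hardened(anonymous))
    print("hardened, user:       ", admin_push_hardened(
        Request("POST", "/admin/push", lure, {"Authorization": "Bearer tok-user-7"})))
    print("hardened, admin:      ", admin_push_hardened(
        Request("POST", "/admin/push", lure, {"Authorization": "Bearer tok-admin-1"})))
```

The point is the order of checks: who is calling (authentication), what they are allowed to do (authorization), and only then the side effect. The vulnerable version skips the first two, which is exactly what lets an anonymous caller broadcast a phishing lure through a trusted channel; the audit log records the sender so that a broadcast can be traced back to an account.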
Mitigation Measures: Businesses usually treat security as an expense, because money goes into it and nothing visible comes out unless they are attacked and the controls in place hold. There are a few things organizations can do to reduce phishing against their employees, without giving up flexibility. More often than not, users do not know what they are clicking on, so it is easier if the organization controls that aspect for them.
Domain Risk Assessment: Several tools and reputation feeds score how likely a registered domain is to be associated with phishing, malware or other scams. Organizations can deploy these at the web proxy or DNS resolver to refuse access to badly rated sites from inside their networks, or at the very least to log and alert when a user reaches a suspicious site. Lookalike domains that impersonate the organization's own brand (typosquats, homoglyphs, punycode) deserve a check of their own, since a freshly registered one will not yet appear in any feed.
Domain Controller: Running a domain is an age-old practice for many companies, but it is usually set up to satisfy a compliance requirement, that is, to keep the business running, rather than out of vigilance. Companies that are scaling up also tend to end up with loose controls. Properly using the security features a domain controller (Active Directory) provides, such as Group Policy to restrict what users can run and open, centrally enforced password and account-lockout policies, and logon auditing, goes a long way toward securing the users on the organization's network.
Enabling 2FA for Employee Accounts: Even if an employee unknowingly hands their credentials to an attacker, a second factor stops the attacker from using those credentials to log in. One caveat: OTP and push-based second factors can still be phished in real time by a proxy site that relays the code to the genuine service, and SMS OTPs are the weakest option; phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the genuine domain and are the strongest choice.
Conducting Training Activities: Running regular simulated phishing campaigns for employees, mimicking what real attackers do, helps them understand how these attacks unfold and makes them better prepared to spot the real thing when it arrives.