Organisations today face increasing threats from targeted phishing attacks. To protect your business and users, you need to invest in technology to block attacks and training to help people act as a last line of defense.
Technology
• Take advantage of artificial intelligence. Scammers are adapting email tactics to bypass gateways and spam filters, so it is critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, impersonation, and extortion attacks. Deploy purpose-built technology that does not rely solely on looking for malicious links or attachments. Using machine learning to analyse normal communication patterns within your organization allows the solution to spot anomalies that may indicate an attack.
• Deploy account-takeover protection. Many spear-phishing attacks originate from compromised accounts; be sure scammers are not using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
• Implement DMARC authentication and reporting. Domain spoofing is one of the most common techniques used in impersonation attacks. DMARC authentication and enforcement can help stop domain spoofing and brand hijacking, while DMARC reporting and analysis help organisations accurately set enforcement.
People
• Train staffers to recognize and report attacks. Educate users about spear-phishing attacks by making it a part of security-awareness training. Ensure staffers can recognize these attacks, understand their fraudulent nature, and know how to report them. Use phishing simulation for emails, voicemail, and SMS to train users to identify cyberattacks, test the effectiveness of your training, and evaluate the users most vulnerable to attacks.
• Review internal policies. Help employees avoid making costly mistakes by creating guidelines that put procedures in place to confirm requests that come in by email, including making wire transfers and buying gift cards.
• Maximize data-loss prevention. Use the right combination of technologies and business policies to ensure emails with confidential, personally identifiable, and other sensitive information are blocked and never leave the company.