Experts from security firm Solutionary have made an interesting advisory on how individuals and organizations can protect themselves against phishing attacks.
Phishing is usually launched by cybercriminals with the purpose of obtaining sensitive information from the targets. Although in many cases such operations are cleverly designed, there are some anti-phishing techniques that can be deployed in order to mitigate these attacks or at least reduce their impact.
For individuals it’s fairly simple to ensure that the organizations they work for doesn’t fall victim to cybercriminals.
They must never open attachments or click on links received in unsolicited emails, and they must never respond to suspicious notifications. Furthermore, they should not access emails from the same devices on which they perform critical transactions.
Experts advise users to be suspicious of all emails containing links. If it sounds important, manually visit the referenced location, without ever clicking on the link, in order to check out the message’s legitimacy.
Finally, always let management know about suspicious emails. They might be part of a targeted attack and the information could be highly useful for the IT department or the company that handles security.
As far as organizations are concerned, it’s a bit more complicated to fend off phishing attacks, but it’s not impossible.
“Consider using dedicated systems for payment requests and approval processes. Consider disabling email access on any system involved with payment processing,” Jon Heimerl, director of strategic security of Solutionary, explained
“If an attacker cannot compromise the systems in payment processing, he will have a harder time obtaining payment usernames and passwords, and a harder time actually requesting/approving a transfer,” he added.
Since payment processing systems are often the most valuable targets for a hacker, companies should ensure that they’re properly secured. For this, the use of strong authentication mechanism is highly recommended.
Payment processing systems should not be connected to the Internet, and since many breach attempts occur after work hours, enforcing time-of-day login mechanisms is also recommended.
Employees should not be allowed to access critical systems from their mobile devices or from their personal home computers. These devices often represent an easily-penetrable gateway.
Employee training is also important. Staffers must undergo security awareness sessions and they – along with partners and clients – should be told that the organization will never solicit account information via email.
In many cases, email clients such as Outlook or Thunderbird can also help in identifying phishing attempts. They not only make sending and receiving emails easier, but they also offer an extra layer of security
Finally, experts recommend the deployment of proper anti-virus and anti-malware solutions.
“Most of the malware used as part of a phishing attack is not detected by standard anti-virus software, but some of it is. Some malware indicators may not be changed before an anti-virus update is available, and sometimes older versions of malware are distributed. Additionally, anti-virus software can help identify secondary infections that may be related to an attack,” Heimerl wrote.
If these products and techniques are combined with the use of reputation-based websites, IP and URL filtering, and white-list access systems, it will be a very difficult task for a cybercriminal to gain access to your company’s assets.