Phishing attacks are nothing new. They’ve certainly increased in sophistication over the past 20 years, but attackers have consistently used them to gain access to systems and information for one good reason: They work. Technical attacks are very likely to trigger endpoint and network security controls that block them before they gain access. Phishing attacks bypass these technical controls and directly target the weakest element of any security program: the susceptibility of end users to trickery and deceit.
Most organizations have fallen victim to a phishing attack at one time or another. Whether it’s a fake UPS delivery notification or a forged notice to download a legal document, attackers vary their techniques enough to trick new batches of users every day. After all, we all know now that any email we receive from a Nigerian prince is a scam. But we might be more likely to believe that an unexpected UPS delivery could contain a surprise gift from a friend or relative. Once a user clicks that link, it’s game over, as malware silently compromises the system and provides an attacker with a foothold on our network. It takes only a single user mistake to jeopardize an entire organization.
3 Tools to Mitigate the Threat of Phishing
Let’s look at three security controls that organizations can put in place today to reduce their risk of falling victim to a phishing attack.
Email gateways serve as the first line of defense. These solutions sit in front of an organization’s email traffic flow and watch for messages with suspicious content. This might be a malicious attachment or a questionable link. Messages that fail security tests are discarded or placed into a quarantine for further analysis.
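The kind of content inspection a gateway performs, shown as an added example (this is illustrative code written for this page, not a product's or the author's): it parses an inbound message with Python's standard email library, flags attachments whose extension is on an assumed block list, flags links whose visible text names one domain while the href points to another, and returns a deliver-or-quarantine verdict. The sample message, the extension list and the domain names are all constructed.

```python
"""Minimal email-gateway content check: deliver or quarantine an inbound message.
Illustrative code added for this page, not a real gateway."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Attachment types the (assumed) gateway policy blocks outright.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}

# Crude anchor-tag matcher: (href, visible text).  Real gateways use an HTML parser.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A domain name appearing inside the visible link text.
DOMAIN_IN_TEXT_RE = re.compile(r'\b([a-z0-9.-]+\.[a-z]{2,})\b', re.I)


def risky_attachments(msg: EmailMessage) -> list[str]:
    """Names of attachments whose extension is on the block list."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            found.append(name)
    return found


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Links whose visible text shows one domain but whose href goes elsewhere."""
    out = []
    for href, text in HREF_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT_RE.search(text)
        if shown and href_host and not href_host.endswith(shown.group(1).lower()):
            out.append((shown.group(1), href_host))
    return out


def inspect(raw: bytes) -> dict:
    """Run the checks and return a verdict plus the reasons behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = [f"blocked attachment type: {n}" for n in risky_attachments(msg)]
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for shown, actual in mismatched_links(body.get_content()):
            reasons.append(f"link text shows {shown} but points to {actual}")
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample() -> bytes:
    """Constructed delivery-notice style message with both red flags."""
    m = EmailMessage()
    m["From"] = "Delivery Notice <notice@example.net>"   # constructed sender
    m["To"] = "user@example.com"
    m["Subject"] = "Your package could not be delivered"
    m.set_content("Please see the attached notice.")
    m.add_alternative(
        '<p>Track it at <a href="http://login.example.net/t">www.example.com/track</a></p>',
        subtype="html",
    )
    m.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename="DeliveryNotice.exe")
    return m.as_bytes()


CLEAN_SAMPLE = (b"From: colleague@example.com\r\nTo: user@example.com\r\n"
                b"Subject: lunch\r\n\r\nNoon works for me.\r\n")

if __name__ == "__main__":
    print(inspect(build_sample()))
    print(inspect(CLEAN_SAMPLE))
```

A real gateway adds sender-reputation, attachment detonation and URL rewriting on top of this, but the shape is the same: every check produces a reason, and any reason is enough to divert the message to quarantine rather than the inbox.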
DNS filtering tools play an important role as a backstop to email gateways. They use blacklists of known malicious domains and intercept DNS lookups for those domains. Users who click a phishing link that made it through the email gateway are redirected to an internal site warning them that the link they clicked leads to known malicious content and should be avoided.
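The decision logic behind that backstop, as an added example (illustrative code written for this page, not any vendor's): a blocklist is loaded from a hosts-style text file, each query name is matched label by label against the list and its parent domains, and blocked names are answered with the address of the internal warning page (a "sinkhole") instead of their real address. The blocklist, the sinkhole address and the stand-in upstream resolver are all constructed so the example runs offline; a real filter would forward allowed queries to a true upstream resolver.

```python
"""Toy DNS-filter decision logic with a sinkhole answer for blocked domains.
Illustrative code added for this page, not a real resolver."""
from typing import Optional

SINKHOLE_IP = "10.0.0.53"   # assumed address of the internal warning page

# Constructed blocklist: one domain per line, '#' starts a comment.
BLOCKLIST_TEXT = """
# phishing domains from recent campaigns (constructed sample)
login-verify.example.net
parcel-tracking.example.org
"""

# Constructed stand-in for the upstream resolver so the demo runs offline.
UPSTREAM = {
    "www.example.com": "192.0.2.10",
    "login-verify.example.net": "198.51.100.7",
    "cdn.login-verify.example.net": "198.51.100.8",
    "notlogin-verify.example.net": "198.51.100.9",
}


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot a query may carry."""
    return name.strip().rstrip(".").lower()


def load_blocklist(text: str) -> set[str]:
    """Parse the hosts-style list, ignoring comments and blank lines."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(normalize(line))
    return domains


def is_blocked(name: str, blocklist: set[str]) -> bool:
    """Check the name and each parent domain label by label, so that
    cdn.evil.example is caught by an entry for evil.example while
    notevil.example is not (a plain string-suffix test gets that wrong)."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name: str, blocklist: set[str]) -> tuple[Optional[str], str]:
    """Return (answer, action).  Blocked names receive the sinkhole address,
    so the browser lands on the warning page instead of the phishing site."""
    key = normalize(name)
    if is_blocked(key, blocklist):
        return SINKHOLE_IP, "blocked"
    return UPSTREAM.get(key), "allowed"


def log_line(client_ip: str, name: str, blocklist: set[str]) -> str:
    """One record for the SOC: a blocked lookup is the signal that a phishing
    link got past the mail gateway and a user clicked it."""
    answer, action = resolve(name, blocklist)
    return f"client={client_ip} qname={normalize(name)} action={action} answer={answer}"


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT)
    for q in ("login-verify.example.net.", "CDN.login-verify.example.net",
              "notlogin-verify.example.net", "www.example.com"):
        print(log_line("192.0.2.55", q, bl))
```

The label-by-label match is the detail worth keeping: a subdomain of a listed domain must be blocked, but a different domain that merely ends in the same characters must not be, and the blocked-lookup log lines are what tell the security team which users to follow up with.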
Email gateways and DNS filters are technical controls, but we know that phishing is primarily a human problem. That leads to the third element of our anti-phishing toolkit: user education. We need our users to understand the risk posed by phishing attacks and to recognize and avoid suspicious links. The most effective way to do this is with simulated phishing attacks. Vendors now offer phishing education platforms that generate customized and targeted phishing messages, send them to users, track how many users fall for them and direct those who do to training that helps them improve their cybersecurity awareness.
These controls work. I know because we use them at CDW, and our experience is typical of those that I see at organizations every day. The first time we sent out a simulated phishing attack to CDW employees, more than 20 percent of our coworkers fell for the fake attack. A few weeks later, we did a second round of testing, and fewer than 5 percent of employees clicked the link. Today, phishing simulations rarely gain more than a handful of clicks.
These controls work. Isn’t it time that your organization adopted them?