There may be dozens of messaging and voice chat apps available today, but email is still king of business communications. It’s user-friendly, fast, reliable, and gives employees the flexibility to work anywhere on any device. However, email is also a common delivery system for cyberattacks
These email-based attacks, or phishing, can circumvent the toughest security frameworks because they don’t attack system vulnerabilities, but rather exploit employee negligence. Phishing uses deceptive messages to trick recipients into downloading malware-ridden files or clicking links. Considering that your company’s security hinges on your staff’s ability to avoid fraudulent emails, you need to develop a proactive security awareness campaign. This includes five important steps.
1. Minimise incoming phishing emails
The first step is to pre-screen incoming emails for harmful elements using technical controls. By default, email services like Gmail and Outlook provide basic email filtering, but it’s worth implementing multilayered defences like Barracuda Essentials for Email Security. Whatever solution you decide, make sure it comes with:
- Advanced threat protection (ATP) – uses machine learning to inspect inbound emails for signs of a phishing attack, such as suspicious wording, unusual subject lines, poor sender reputation, and unlisted email addresses
- Sandboxing technology – determines the safety of file attachments by analysing their behaviour in isolated environments
- Link protection – prevents users from accidentally clicking through to suspicious and spoofed URLs
- Spam filtering – blocks unsolicited and unwanted messages from reaching the user’s inbox
- Threat intelligence – keeps a comprehensive database of known email-borne malware, spoofed emails, and the latest scams in real time
2. Train employees
Security training will minimise your company’s exposure to phishing, but it must be done right. Instead of doling out lengthy explanations of email risks, break up training into short, engaging sessions that use a combination of videos, practical examples, posters, and monthly newsletters. The content must also focus on the latest phishing techniques and email security best practices.
Here’s a simple checklist to help your staff defend against fraudulent emails:
- Never open file attachments you’re not expecting.
- Don’t provide sensitive information over email even if they appear to be from your bank or coworkers.
- Avoid messages with suspicious links. You can hover your mouse over the link to determine its true destination.
- Look closely at email headers and web addresses. Scammers often create bogus variations of legitimate sites to appear authentic. (e.g., “goggle.com” instead of “google.com”)
- Watch out for spelling and grammatical mistakes, as well as strange characters. Emails from legitimate companies are rarely riddled with errors.
- Beware of messages that instill a sense of urgency (e.g., your account will expire unless you “verify” your information). If you’re unsure, contact the company directly to confirm the authenticity of the message.
3. Run simulated attacks
Phishing simulations are a great way to supplement your training sessions. For one, it trains users to understand real-world attacks and recognise subtle phishing clues. It also lets you measure the effectiveness of your training and identify staff members who are most susceptible to online scams.
To run simulated campaigns, consider tools such as Barracuda PhishLine. These provide dozens of customisable phishing templates and generate periodic reports on how many people clicked links, opened attachments, and submitted data. For optimal results, keep the campaign a secret and ramp up the difficulty by using more sophisticated phishing techniques over several months.
4. Archive your data
Despite the quality of security training, employees might fall victim to phishing attacks on their off days. In such cases, data backups are your best form of defence. Cloud-based archiving services store emails and files in secure off-site data centres. What’s more, since it’s in the cloud, users can retrieve archived messages and data from anywhere with an internet connection. This way, you can recover quickly (with your data intact) after a phishing incident.
5. Develop a recovery plan
Beyond archiving your data, it’s important to craft and test an incident response plan in preparation for a successful phishing attack. Employees must adhere to the following recovery protocols:
- Reset passwords and log out of secondary devices.
- Check the sent mail folder for any suspicious activity and warn everyone (especially managers, financial institutions, and the police) of the hacked account.
- Update anti-malware software and scan systems for malware.
- Delete corrupted files and restore clean copies of data.
Ultimately, preparation is key when it comes to email security. If you need cutting-edge security software and robust training programs, Empower IT Solutions is your best option. We’re one of the few IT services companies in Australia that can customise an email risk mitigation strategy to your business. Call us today.