Best Practices To Combat The Phish Threats

Sunil Sharma, Managing Director - Sales, Sophos India & SAARC. With over 25 years of experience in the IT and telecom industry, Sunil has worked with companies like Sophos, McAfee, Iris Computers and Cyberoam.

The market is reaching email fatigue, where individuals treat most emails as spam, as a result of the rampant phishing attacks in India. It is estimated that perpetrators have tricked unsuspecting businesses out of around $5 billion using cleverly crafted messages and a range of exploits that bypass traditional email security measures. Indian businesses are struggling to keep ahead of organised cybercrime and to prevent users from succumbing to phishing threats.

As per statistics shared by the Reserve Bank of India in November 2017, complaints received regarding phishing attacks involved 1,020 bank accounts in 351 bank branches of public and private sector banks. Every phishing attack reported by an end user is evidence of at least two things. First, it proves that a well-crafted phishing attack can sneak past almost any security checkpoint or email filter. Secondly, it shows that some users are savvy enough to spot an attack and know how and where to report it. That being said, cyber criminals are willing to go to considerable lengths to perpetrate their crime. They study organisations' processes and systems, collect email samples, and even monitor company events for an upcoming business trip that might present an opportunity. Over half of the respondents that participated in a survey on phishing attacks confirmed that senior managers in their organisations have been impersonated in spear-phishing attacks. The results also show that well-protected and well-prepared organisations still receive phishing reports from end users, so every business and institution is a potential target.

Training staff to spot phishing threats and testing them periodically is likely to have a positive effect on business security. Organisations can reduce risk and enhance security by following best practices:


1. Commit to educating, training, and testing employees. Good security habits take time to establish, so simulation and periodic testing should be part of your regime.

2. Advise employees to be wary of emails appearing to originate from C-suite executives, especially if the message compels urgency and requests immediate payment, funds transfer, or the sending of commercially sensitive information. Make sure payment policies and procedures are followed.

3. Consider the use of digital signatures for executives using email, and the use of two-factor authentication protocols and procedures (such as a phone call or text message) when immediacy is required. Staff need to know that when something smells a bit 'phishy', they should pick up the phone and speak directly with the person requesting the transaction or information.

4. Evaluate modern email protection services such as anti-phishing, URL protection or detonation, spoofing protection, and user activity profiles for unusual or out-of-policy activities.

5. Produce a playbook that details what to do when a spear-phishing attack penetrates your organisation, and if you suspect that you've been targeted by a phishing email, report the incident immediately to the relevant authorities.
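Points 2 to 4 above describe the signals a mail filter or a security team can look for when an executive is impersonated: a display name that matches a senior manager but an address that does not, a sender domain that is a lookalike of the organisation's own, a Reply-To that redirects the conversation elsewhere, and urgent wording combined with a payment request. The following triage rule is an added example written for this article; it is not code from the original piece or from Sophos. The executive list, the domain example.com and the three sample messages are all constructed for illustration, and the checks are heuristics meant to route a message to human review, not a replacement for the protection services the article recommends.

```python
"""Defender-side triage rule for executive-impersonation (CEO fraud) emails.

Added example, not from the article or from any Sophos product. All names,
domains and messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed (hypothetical) organisation data: the executives most likely to be
# impersonated and the mailbox their genuine mail comes from.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "priya mehta": "priya.mehta@example.com",
    "rahul verma": "rahul.verma@example.com",
}

# Wording that, in combination, matches the "urgent payment" pattern.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today")
PAYMENT_TERMS = ("wire transfer", "payment", "fund transfer", "invoice", "bank details")


def edit_distance_one(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion
    (e.g. examp1e.com vs example.com). Used to catch lookalike sender domains."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a  # make a the shorter string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]  # b is a with one extra character at position i


def _plain_text(msg) -> str:
    """Subject plus every text/plain part, lower-cased for keyword matching."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", "replace"))
    return " ".join(parts).lower()


def triage(raw_message: str) -> dict:
    """Return the sender, a verdict (ok / review / escalate) and the reasons."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # 1. Display name matches an executive but the address is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sender domain is one character away from the organisation's domain.
    if domain and domain != ORG_DOMAIN and edit_distance_one(domain, ORG_DOMAIN):
        reasons.append(f"sender domain {domain} is a lookalike of {ORG_DOMAIN}")

    # 3. Replies are silently redirected to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Urgency language combined with a payment or funds request.
    text = _plain_text(msg)
    urgent = [t for t in URGENCY_TERMS if t in text]
    payment = [t for t in PAYMENT_TERMS if t in text]
    if urgent and payment:
        reasons.append(f"urgency ({', '.join(urgent)}) with payment request ({', '.join(payment)})")

    verdict = "escalate" if len(reasons) >= 2 else ("review" if reasons else "ok")
    return {"from": addr, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real traffic).
SAMPLE_FRAUD = "\n".join([
    "From: Priya Mehta <priya.mehta@examp1e.com>",
    "Reply-To: ceo.desk@mail-example.net",
    "To: accounts@example.com",
    "Subject: Urgent wire transfer needed today",
    "",
    "Please process the attached invoice immediately; I am travelling and cannot take calls.",
])
SAMPLE_LEGIT = "\n".join([
    "From: Priya Mehta <priya.mehta@example.com>",
    "To: accounts@example.com",
    "Subject: Board lunch next week",
    "",
    "Could you book the usual venue for Thursday?",
])
SAMPLE_PERSONAL = "\n".join([
    "From: Rahul Verma <rahul@personal-mail.example>",
    "To: accounts@example.com",
    "Subject: Catching up",
    "",
    "Are you free for coffee on Friday?",
])

if __name__ == "__main__":
    for sample in (SAMPLE_FRAUD, SAMPLE_LEGIT, SAMPLE_PERSONAL):
        result = triage(sample)
        print(result["verdict"], result["from"])
        for reason in result["reasons"]:
            print("  -", reason)
```

A single weak signal (an executive's name on a personal address, for instance) only marks the message for review; the fraud sample trips all four checks and is escalated, which is the point at which the article's advice applies: pick up the phone and confirm with the person before any payment is made, and report the message through the playbook.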

We're just starting to see deep learning and artificial intelligence being employed to counter phishing threats, but it will take a while for these technologies to enter the mainstream. It's impossible to mitigate every risk using technology, no matter how much money and expertise are thrown at it. A combined approach is required: one that is layered, multifaceted, and adaptive.