Phishing prevention is a hot topic at the moment in cybersecurity due to the increasing number of attacks on businesses and the high cost of dealing with these attacks. The 2022 Verizon Data Breach Investigations Report suggests that 60% of all data breaches in 2021 started with phishing – a report from Cisco suggests 90%. Business email compromise scams are the leading cause of financial losses to cybercrime, and attacks have increased. Verizon’s data indicates that 41% of those attacks started with a phishing email used to obtain email account credentials, which were then used to conduct the scams.
Ransomware attacks increased by 13% in 2021, and in many of those attacks initial access to networks was gained through phishing, often by first installing a banking Trojan that doubles as a malware dropper and delivers the ransomware payload. According to Cybersecurity Ventures, the cost of cybercrime is expected to rise by 15% to an astonishing $10.5 trillion by 2025. Reports of phishing attacks are increasing year over year, and the losses to those attacks are getting bigger. It is clear that the threat of phishing is not going to reduce any time soon, so businesses need to take steps to improve their defenses.
Why Are Phishing Attacks So Common?
There are two main reasons why phishing is used in so many cyberattacks. First, as Verizon explained in the DBIR, “If you wonder why criminals phish, it is because email is where their targets are reachable.” Second, these scams are effective. They use social engineering techniques to trick people into taking an action that they would not normally take, and many people click links in phishing emails or open attachments, with those actions resulting in credential theft or the installation of malware.
There is No Silver Bullet When It Comes to Phishing Prevention
When it comes to phishing prevention, there is unfortunately no silver bullet. Phishing prevention requires a defense-in-depth approach involving multiple layers of protection, as there is no cybersecurity solution or other measure that will be effective at blocking all phishing threats. Even if you were to abandon email entirely, phishing attacks could still occur over the Internet, SMS and instant messaging, and over the phone.
The solution is to tackle phishing from multiple angles. That means using an email security solution that will improve phishing detection rates to stop phishing emails from reaching inboxes. You should use a web filtering solution to block access to the websites where credentials are stolen and stop malware from being downloaded from the Internet. You should be training the workforce on how to identify and avoid phishing threats and to report any suspicious emails to the IT security team (or your MSP). These three phishing prevention measures combined will prevent virtually all phishing attempts, but you should not stop there.
You should also take steps to reduce the impact of a phishing attack, should it succeed. Many attacks are conducted to steal credentials, but it is possible to stop those credentials from being used to access accounts by using multifactor authentication, especially for email accounts. You should apply the principle of least privilege to accounts, and not provide access to resources that employees do not need. If credentials are stolen, the damage caused will then be greatly reduced. You should also ensure that your data is backed up using the 3-2-1 approach – make 3 backups, on two different media, and store 1 copy offline and offsite.
Why Security Awareness Training is So Important for Phishing Prevention
Imagine a phisher targets a company with 1,000 employees and manages to land a phishing email in every single inbox. What percentage of employees would respond to the message? If you think around 1%, that would mean 10 sets of credentials could be stolen or 10 devices could be infected with malware. That would be a decent return for the attacker. A recent benchmarking study conducted by KnowBe4 to test the importance of security awareness training found that, on average, prior to any training, 32.4% of individuals failed a phishing test. The test was run again 90 days after training and the percentage of employees failing the phishing test had dropped to 17.6%, and to 5% one year after commencing a training program.
You will not be able to train everyone to the level of security awareness where they could identify every phishing attempt, but a reduction in responses to phishing emails from 32.4% to 5% in a year shows just how important security awareness training is. As Verizon explained in the DBIR, phishing simulation data shows that the number of people responding to phishing emails largely remains the same at around the 5-6% level after training. While it is generally not possible to lower the click rate further, it is possible to significantly increase the reporting rate. When employees report phishing emails to their security team, prompt action can be taken to remove all copies of that email from the email system, which will mean fewer employees will encounter the threat.
Those reductions in click rates can be achieved through ongoing security awareness training – with an emphasis on phishing prevention – coupled with regular internal phishing simulations. Training platforms usually also include a phishing simulator for conducting dummy phishing attacks on employees. When an employee fails a test, it triggers a training module as intervention training, to show the employee they have made a mistake and how they can avoid further mistakes in the future. The next time they get a phishing email in their inbox, they will stand a much better chance of identifying it as such.
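As an added illustration (not code from the original article or from any training platform), the script below computes the metrics the preceding paragraphs rely on from constructed phishing simulation records: per-campaign click rate and report rate, time until the first report (which is what lets the security team purge the email for everyone else), and the list of repeat clickers to queue for intervention training. The campaign and event data, the field layout, and the function names are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real telemetry): two internal phishing simulations.
CAMPAIGNS = {  # campaign id -> (send time, recipients)
    "Q1": ("2023-01-10T09:00:00", ["alice", "bob", "carol", "dave"]),
    "Q2": ("2023-04-10T09:00:00", ["alice", "bob", "carol", "dave"]),
}
# One line per user action: campaign,user,action,timestamp (action is clicked or reported)
EVENTS = """\
Q1,alice,clicked,2023-01-10T09:04:00
Q1,bob,clicked,2023-01-10T09:07:00
Q1,carol,reported,2023-01-10T09:12:00
Q2,alice,clicked,2023-04-10T09:02:00
Q2,bob,reported,2023-04-10T09:03:00
Q2,carol,reported,2023-04-10T09:05:00
"""

def parse_events(text):
    """Turn the CSV-style lines into (campaign, user, action, datetime) tuples."""
    rows = []
    for line in text.strip().splitlines():
        campaign, user, action, ts = line.split(",")
        rows.append((campaign, user, action, datetime.fromisoformat(ts)))
    return rows

def campaign_metrics(campaigns, events):
    """Per campaign: click rate, report rate, and minutes until the first report."""
    acted = defaultdict(lambda: defaultdict(set))  # campaign -> action -> set of users
    for campaign, user, action, _ in events:
        acted[campaign][action].add(user)
    metrics = {}
    for campaign, (sent_at, recipients) in campaigns.items():
        sent = datetime.fromisoformat(sent_at)
        reports = [ts for c, _, a, ts in events if c == campaign and a == "reported"]
        metrics[campaign] = {
            "click_rate": len(acted[campaign]["clicked"]) / len(recipients),
            "report_rate": len(acted[campaign]["reported"]) / len(recipients),
            "minutes_to_first_report": (min(reports) - sent).total_seconds() / 60 if reports else None,
        }
    return metrics

def intervention_candidates(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns simulations: queue for follow-up training."""
    clicked_in = defaultdict(set)
    for campaign, user, action, _ in events:
        if action == "clicked":
            clicked_in[user].add(campaign)
    return sorted(u for u, c in clicked_in.items() if len(c) >= min_campaigns)
```

Across the two constructed campaigns the click rate falls from 50% to 25% while the report rate rises from 25% to 50% and the first report arrives after 3 minutes instead of 12, which is the pattern the article describes as the realistic goal of a training program.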
Phishing Prevention Solutions from TitanHQ
TitanHQ offers three classes of award-winning products for phishing prevention that work seamlessly together to block phishing and other cyberattacks.
- SpamTitan Email Security
- WebTitan DNS Filter
- SafeTitan Security Awareness Training and Phishing Simulation Platform
SpamTitan blocks phishing emails and prevents them from arriving in inboxes, and scans outbound messages to identify compromised mailboxes that are used to internally phish employees and conduct attacks on customers and suppliers. The WebTitan DNS filter is used to control access to the Internet and block access to known malicious websites and malware downloads. SafeTitan is a comprehensive training solution for teaching employees how to recognize phishing attempts and for eliminating risky behaviors. The platform also incorporates a phishing simulator to conduct internal phishing tests on employees to identify individuals who need further training.
For more information on these solutions, and to improve phishing prevention in your organization, give TitanHQ a call today.