
Email Security Best Practices to Protect You From Phishing Attacks

Jun 12, 2023

Ninety-one percent of all cyber attacks start with a phishing email.


Many business owners make the mistake of thinking cybercriminals aren’t interested in attacking their organizations. They think hackers and scammers are too busy taking down larger corporations. 


In reality, small businesses are the target of more than 40% of cyber attacks because they don’t take the same security precautions as large corporations. Only 14% of small businesses are equipped to defend themselves against a cyber attack, so they’re also more likely to pay ransom.


Cybercriminals don’t discriminate. They will launch massive phishing campaigns against any organization with resources they can steal. So whether you’re a large enterprise or a small organization, your business’s email needs to be as secure as possible.

What is a Phishing Attack?


IBM defines a phishing attack as fraudulent emails, text messages, phone calls, or websites that trick users into downloading malware, sharing personal data or sensitive information, or taking other actions that expose themselves to cybercrime. The perpetrator does this by masquerading as a legitimate business or trusted individual.


According to the Federal Bureau of Investigation (FBI), phishing was the most highly reported cybercrime in 2022, with 300,497 victims declaring over $52 million in losses. But how does phishing work? And why do so many people fall for it?


Read More: How Many of Your Employees Would Actually Click That Link?

Spray-and-Pray Phishing

Phishing attacks can come in many different forms. One of the most common types is bulk email phishing, or the spray-and-pray technique, which involves using a fake domain to email generic requests to thousands of recipients.


These emails contain malicious links or files that, when clicked, could infect your computer, steal your data, or track your activities.


Because the phishing email click rate is low (2.9%), spray-and-pray phishing is a numbers game. It’s a throw-mud-at-the-wall-and-see-what-sticks tactic that relies on quantity over quality.


According to Avast, spray-and-pray phishing scams are relatively easy to spot. They often lack a personal greeting, may include typos and grammatical errors, and generally have an unprofessional appearance.

Spear Phishing

Like spray-and-pray phishing, spear phishing is designed to steal sensitive data or infect the targets’ devices with malware. However, spear phishing takes a more targeted approach.


Instead of casting a wide net, spear phishing often involves extensive research on the target to make the attack appear more legitimate and increase the chances of success. And studies show that they are effective.


SlashNext’s State of Phishing Report shows that about 76% of all phishing attempts in 2021 were targeted credential-harvesting attacks, making spear phishing the most common targeted attack vector.


According to CrowdStrike, spear phishing scammers use personalized messages and topics of interest to trick the target into divulging credentials or clicking on malicious links. Once the target completes the intended action, the attacker can use the stolen credentials to enter the network as a legitimate user, where the intrusion is hard to spot.


Read More: How to Protect Your Practice From Spear Phishing Attacks

Business Email Compromise (BEC)

A BEC attack is a type of email fraud in which the attacker impersonates an executive, a colleague, or a trusted vendor and persuades a senior employee, or someone who handles payments, to send money or sensitive company data.


Avast explains that targets fall victim to these attacks because of the structure of the email, the “lure” it contains, and the emotional triggers it sets off. To make their emails more convincing, attackers study real correspondence so they can mimic the language and tone of a genuine message.


Here are a few real-life examples of BEC scams that the FBI received reports on:



  • A vendor the company regularly deals with sends an invoice with a new mailing address.
  • A company CEO asks her assistant to purchase gift cards to send out as employee rewards. She asks for the serial numbers so she can email them immediately.
  • A homebuyer receives a message from his title company with instructions on how to wire his down payment.


All the messages were fake, and thousands of dollars went to the BEC scammers.

Objectives of a Phishing Attack

While cybercriminals’ approach to executing a phishing scam may vary, their objectives are generally the same. Here are three of the most common phishing objectives:


  • Data Theft. Scammers will use phishing attacks to steal valuable login credentials, personal data, and sensitive corporate information. These include client information, financial records, and, if you’re a healthcare facility, protected health information (PHI).
  • Malware. Some phishing attacks aim to infect your device with malicious software, which can spread throughout your network. Malware can include spyware, which logs your keystrokes and tracks your online activities. It can also include ransomware, which encrypts your data, keeping it from you until you pay a ransom.
  • Wire Transfer Fraud. BEC attacks, in particular, are most commonly used to pull off fraudulent wire transfers. Cybercriminals use deception and urgency to persuade the target to send money to an account controlled by the attacker.

How to Avoid Falling Victim to a Phishing Attack


According to Proofpoint’s State of the Phish Report, 83% of respondents said their organizations suffered a successful email-based phishing attack in 2021.


With phishing attacks increasing in number and sophistication, every organization is vulnerable, including yours. Here are four ways you and your team can reduce the likelihood of falling victim to these scams:

Use the SLAM Method

The SLAM method is a simple way individuals can identify phishing emails. SLAM is an acronym for:


  • Sender. Carefully check the sender of the email to make sure they’re legitimate. Before opening the email, hover your mouse over the sender’s name to reveal the email address. Is it in your contact list? Does it contain spelling errors, extra characters, or a generic domain? Keep in mind that both the display name and the address can be forged: a visual check catches unfamiliar or lookalike domains, while your mail server’s SPF, DKIM, and DMARC checks are what catch an outright forged address.
  • Links. Be cautious about clicking links in emails, regardless of who sent them. Hover your mouse over every link to check its legitimacy. Is the URL leading you to the page it says it will? Does it lead you to a trusted page? Does the link address contain spelling errors?
  • Attachments. Never open unsolicited email attachments, whether you know the sender or not. If you do receive them, verify their validity by contacting the sender directly (not via email) and asking them to confirm the attachments’ legitimacy.
  • Message. With cybercriminals using generative AI tools like ChatGPT and Jasper to write more polished phishing emails, you must carefully read the emails you receive. Watch for odd wording, spelling errors, and poor grammar, but also for pressure tactics: urgency, secrecy, threats, and unusual requests such as changed bank details or gift card purchases.
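The four SLAM checks can be automated as a first-pass triage before a human looks at a message. The script below is an added example (not ER Tech Pros tooling or code from the original article): it parses a raw email with Python’s standard library and applies one heuristic per letter. The trusted-domain list, the risky file types, the pressure phrases, and both sample messages are constructed for the example.

```python
"""SLAM triage of a raw email: Sender, Links, Attachments, Message.

Added illustration, not ER Tech Pros tooling. The trusted-domain list, the
phrase list and both sample messages below are constructed for the example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains this practice legitimately corresponds with.
TRUSTED_DOMAINS = {"example-clinic.org", "bank-example.com"}
# File types that should never arrive unsolicited in a business mailbox.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".html", ".htm")
# Pressure phrases typical of a phishing lure.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "verify your account")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a trusted domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def slam_check(raw: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # S: the display name is free text, so judge the address and any Reply-To.
    sender_domain = domain_of(parseaddr(str(msg["From"]))[1])
    if sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(sender_domain, trusted) <= 2:
                findings.append(("Sender", f"{sender_domain} looks like {trusted}"))
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(("Sender", f"Reply-To {reply_to} differs from the From domain"))

    # L: compare where a link says it goes with where it actually goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for href, label in ANCHOR_RE.findall(text):
        label = re.sub(r"<[^>]+>", "", label).strip()
        href_host = (urlparse(href).hostname or "").lower()
        if re.match(r"https?://", label):
            label_host = (urlparse(label).hostname or "").lower()
            if label_host != href_host:
                findings.append(("Links", f"text shows {label_host} but goes to {href_host}"))
        if href_host and href_host not in TRUSTED_DOMAINS:
            findings.append(("Links", f"link to untrusted host {href_host}"))

    # A: executable or double-extension attachments (Invoice.pdf.exe).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
            findings.append(("Attachments", f"suspicious attachment {name}"))

    # M: two or more pressure phrases in the subject or body.
    plain = re.sub(r"<[^>]+>", " ", text).lower() + " " + str(msg["Subject"] or "").lower()
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if len(hits) >= 2:
        findings.append(("Message", "pressure language: " + ", ".join(hits)))
    return findings


# Constructed sample: look-alike domain (c1inic), foreign Reply-To, link text that
# lies about its destination, a double-extension attachment and an urgent tone.
SAMPLE_PHISH = """\
From: "Example Clinic Billing" <billing@example-c1inic.org>
Reply-To: payments@mail-relay-example.net
To: staff@example-clinic.org
Subject: URGENT: invoice overdue, act immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended within 24 hours.</p>
<p>Review it here: <a href="http://login-portal-example.net/verify">https://example-clinic.org/billing</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample of ordinary internal mail that should produce no findings.
SAMPLE_LEGIT = """\
From: "Example Clinic Billing" <billing@example-clinic.org>
To: staff@example-clinic.org
Subject: Tuesday billing meeting agenda

Hi all, the agenda is on the shared drive under Billing/2023-06.
"""

if __name__ == "__main__":
    for category, detail in slam_check(SAMPLE_PHISH):
        print(f"[{category}] {detail}")
```

Run it and every SLAM category fires for the constructed phish, while the legitimate message comes back clean. The heuristics are deliberately simple (no DNS lookups, no reputation feeds), which is the point: these are the same questions the SLAM method asks a person to answer, written down so they run on every message rather than only when someone remembers to check.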


Read More: How to Use the SLAM Method to Combat Email Phishing Attacks

Conduct Regular Cybersecurity Awareness Training

Verizon’s 2022 Data Breach Investigations Report states that 82% of breaches involved the human element. The biggest threat to your organization’s email security is its people.


A phishing attack’s success relies heavily on human error—someone falling for the scam—which is why you must create a culture of security and awareness within your organization.


Every employee should know what to look for in a potential phishing attack. And, if an incident does occur, they should know what to do, who to inform, and what immediate action to take.


Implement regular cybersecurity awareness training in your workplace. If you don’t have the team or resources for it, partnering with a trusted cybersecurity services provider is a smart move. ER Tech Pros, for example, offers interactive training, knowledge assessment, and simulated phishing campaigns.


Read More: The Ultimate Secret to Keeping Your Clinic Data Safe

Implement a Strong Password Management Strategy

A strong, unique password for each account lessens the likelihood of falling victim to a cyber attack, because credentials stolen through one phishing email can’t be reused to open your other accounts.


As a trusted managed IT and cybersecurity service provider, ER Tech Pros recommends that your email account passwords (or passphrases) be at least 11 characters long, random, and a mix of letters, numbers, and symbols. You should also avoid using the same password for multiple accounts.


If that sounds too much for your team to handle, technology can help you. A password manager, like Password Boss, can help you easily and securely access email accounts and local applications. It can generate, store, and track passwords for you.


You should also use multi-factor authentication (MFA). As a second layer of security, MFA requires you to present another verification factor in addition to your password: something you have (an authenticator app, a hardware security key, a smart card or badge) or something you are (a fingerprint or face scan). Where you can, prefer phishing-resistant methods such as FIDO2 security keys, because a one-time code typed into a convincing fake login page can be relayed to the real site by the attacker.


Read More: What is MFA and How Can It Protect Your Practice?

Deploy Email Security Tools

Strengthening the human layer of your email security strategy is an excellent way to keep your organization secure. However, it’s not enough to keep all the malicious campaigns out.


You also need to have technical measures in place to minimize the chances of a phishing attack and to mitigate the impact if it does happen. By partnering with an established IT and cybersecurity company, you can leverage technology to protect your organization from email-based cyber attacks.


Here are a few email security tools in the market that you should consider:


  • Secure Email Gateway. A secure email gateway (SEG) sits in front of your mail server, so every inbound and outbound message passes through it. It scans for malicious links and attachments, checks sender authentication, and blocks or quarantines suspicious messages before they reach a mailbox.
  • End-to-End Encryption. This stops anyone other than the holder of the decryption key from reading an email’s contents, so a message intercepted in transit or read from a compromised relay is useless to the attacker. Combined with a digital signature, it also makes tampering detectable. Note that encryption protects confidentiality; it does not stop a phishing email from arriving.
  • DKIM, SPF, and DMARC. DKIM is an authentication method that adds a digital signature to outgoing messages, so receiving mail servers can verify that a message signed with your domain’s key really came from your mail system and was not altered in transit. It also helps keep your legitimate messages out of spam folders. DKIM on its own only proves which domain signed a message, so pair it with SPF (which lists the servers allowed to send for your domain) and a DMARC policy, which tells receivers to quarantine or reject mail that claims to be from your domain but is not authenticated by you. These controls protect others from messages forged in your name and let you verify your vendors’ mail; they do nothing against a lookalike domain the attacker registered for himself.
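What matters on the receiving side is not that a DKIM signature or SPF check passed, but that it passed for the same domain the message claims to be from; that alignment test is what DMARC enforces. The script below is an added example (not ER Tech Pros tooling or code from the original article) that reads the Authentication-Results header a receiving mail server stamps on a message and applies DMARC-style relaxed alignment to the From domain. The authserv-id, selectors, and all three sample messages are constructed; a real receiver also verifies the DKIM signature and SPF itself and honours the sender’s published DMARC policy.

```python
"""DMARC-style alignment check on a received message's Authentication-Results.

Added illustration, not ER Tech Pros tooling. The authserv-id, selectors and
all three sample messages are constructed. Sending side (assumed values), the
matching DNS records would be:
  example-clinic.org         TXT "v=spf1 mx -all"
  _dmarc.example-clinic.org  TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example-clinic.org"
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organisational domain as the last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header: str) -> list[dict]:
    """'authserv; dkim=pass header.d=x; spf=pass smtp.mailfrom=a@x' -> list of dicts."""
    header = re.sub(r"\([^)]*\)", "", header)        # drop (comments)
    results = []
    for clause in header.split(";")[1:]:             # [0] is the authserv-id
        m = re.match(r"(\w+)=(\w+)(.*)", clause.strip())
        if not m:
            continue
        method, result, props = m.groups()
        results.append({"method": method, "result": result,
                        **dict(re.findall(r"(\S+?)=(\S+)", props))})
    return results


def dmarc_alignment(raw: str) -> dict:
    """Pass only if a passing DKIM d= or SPF mailfrom domain aligns with the From: domain."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].split("@")[-1]
    verdict = {"from_domain": from_domain, "dkim_aligned": False, "spf_aligned": False}
    header = "; ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    for r in parse_auth_results(header):
        if r["result"] != "pass":
            continue
        if r["method"] == "dkim" and org_domain(r.get("header.d", "")) == org_domain(from_domain):
            verdict["dkim_aligned"] = True
        if r["method"] == "spf":
            mailfrom_domain = r.get("smtp.mailfrom", "").split("@")[-1]
            if org_domain(mailfrom_domain) == org_domain(from_domain):
                verdict["spf_aligned"] = True
    verdict["dmarc"] = "pass" if verdict["dkim_aligned"] or verdict["spf_aligned"] else "fail"
    return verdict


# Constructed: genuine mail, signed and sent by the clinic's own domain.
LEGIT = """\
Authentication-Results: mx.example-clinic.org; dkim=pass header.d=example-clinic.org header.s=s2023; spf=pass smtp.mailfrom=bounce@example-clinic.org
From: "Example Clinic Billing" <billing@example-clinic.org>
Subject: June statement

Statement attached.
"""

# Constructed: forged From: relayed through attacker infrastructure. DKIM and SPF
# both "pass", but for the relay's own domain, so neither aligns with the From:.
UNALIGNED = """\
Authentication-Results: mx.example-clinic.org; dkim=pass header.d=mail-relay-example.net header.s=k1; spf=pass smtp.mailfrom=bounce@mail-relay-example.net
From: "Example Clinic Billing" <billing@example-clinic.org>
Subject: Updated bank details

Please use the new account for all payments.
"""

# Constructed: look-alike domain the attacker registered and signs for. DMARC
# passes, because it only proves the mail is really from example-c1inic.org;
# the SLAM sender check is still needed for this case.
LOOKALIKE = """\
Authentication-Results: mx.example-clinic.org; dkim=pass header.d=example-c1inic.org header.s=k1; spf=pass smtp.mailfrom=bounce@example-c1inic.org
From: "Example Clinic Billing" <billing@example-c1inic.org>
Subject: Updated bank details

Please use the new account for all payments.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("unaligned", UNALIGNED), ("lookalike", LOOKALIKE)):
        print(name, dmarc_alignment(sample))
```

The second sample is the one worth studying: both authentication methods report pass, and a filter that only looks for the word “pass” would wave it through. Alignment is what turns “someone signed this” into “the domain in the From line signed this”. The third sample shows the limit of the technique: an attacker who owns a lookalike domain authenticates perfectly well for it, which is why the sender check in the SLAM method still matters.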

ER Tech Pros Helps You Fortify Your Company’s Email Security


Not only is email-based phishing among the biggest cybersecurity threats to businesses all over the world, but it’s also the costliest. 


According to IBM’s Cost of a Data Breach 2022 report, breaches that began with phishing cost businesses an average of $4.91 million. Email security is a serious matter you can’t afford to put off or ignore.


If you need expert support from reliable IT and cybersecurity engineers or are worried that making these changes could disrupt your business operations, contact ER Tech Pros.


Whether you need cybersecurity awareness training for your employees, a solid password management strategy, or cutting-edge email security tools, ER Tech Pros has the team and technology to ensure your company’s network is protected 24/7.


