Insights

We share our top five tips to help organisations better protect themselves against the top cyber-attack threat – phishing.

Phishing is the most common cyber-attack in the UK with the UK Government Cyber Security Breaches Survey 2021 stating that “among the 39% identifying any breaches or attacks, 83% had phishing attacks, 27% were impersonated and 13% had malware (including ransomware).”

As the most common attack, it is important for organisations to protect themselves effectively against phishing attacks. In this article, we break down what a phishing attack is, what harm it can cause and provide our top five recommendations to prevent phishing attacks.

What is phishing?

Phishing is a form of social engineering attack, in which attackers trick users to share or steal confidential information – such as passwords, personal information or financial information. This is typically done by one of two methods:

• Tricking you into sharing confidential information – by pretending to be a reputable body and asking you to share your details. Examples include: an email from your supposed IT department or Microsoft (e.g. asking you to confirm your login credentials), someone pretending to be your CEO (e.g. asking for a payment to be urgently made to a bank account), or a supplier (e.g. asking you to share your bank details under the guise of there being a problem with your account).
• Tricking you into installing malware – by clicking on a malicious link or opening an unknown attachment, which contains malware. Examples include: an email with an urgent sale or quote attached, or an email with a link to an unknown website etc.

Most phishing attacks are sent out en masse to lots of recipients, in the hope that a percentage of recipients will fall for the scam. However, there are also heavily targeted and personalised phishing attacks – which is known as spear-phishing. Spear phishing uses more sophisticated methods, such as using your organisation’s branding, or giving the appearance of being sent from someone you know. Again, the aim is to trick users into sharing confidential information, such as username and passwords or financial information.

What harm can it cause?

If successful, phishing attacks can cause widespread harm for individuals and businesses. The impact from an attack can include financial loss, reputational damage, loss of company value and regulatory fines.

Tips to prevent successful phishing attacks

Most phishing prevention focuses heavily on user awareness. Whilst an important part of the picture, it is only a small part and worth being aware that this can be expensive and comes with its own challenges. Staff attrition requires regular ongoing training so that new team members get the same level of awareness as more established colleagues, whilst the ongoing evolution of threats and techniques means that training can become outdated quickly.

We advocate getting the security basics right first, so that you have the right technology and protection in place to give you a robust foundation to build on. By reducing the threat of phishing attacks greatly, you remove a lot of the burden and responsibility of phishing prevention from staff, who can better focus on their work. With the basics in place, you can then move onto user awareness activities – prioritising departments that are viewed as high value targets and pose the greatest risk (e.g. Finance, IT, HR and Directors). You can make user awareness activities more manageable with regular attack simulations that require little time from staff, but provide more practical training—whilst also highlighting the individuals that may need further training.

We’ve put our top five prioritised tips for phishing prevention below.

1. Prevent phishing attacks reaching users

Through anti-phishing and email protection software, organisations can greatly reduce the number of phishing emails that staff receive – removing the threat before it even hits an inbox. No software will be able to remove 100% of threats, however by reducing the number of emails that make it through you can greatly reduce your risk and reduce the likelihood of a successful attack.

With more organisations using Microsoft 365 or Exchange/Outlook, we recommend using the anti-phishing protection within Exchange Online Protection, or even better, within Microsoft Defender for Office 365, which includes more advanced tools. You can find out more about Microsoft’s anti-phishing capabilities here.

2. Deploy Multi-Factor Authentication (MFA)

Because one of the key aims of phishing is to gain credentials for unauthorised access to company data, implementing Multi-Factor Authentication (MFA) is a great method of reducing this threat. In fact, according to Microsoft MFA can block over 99.9 percent of account compromise attacks.

With MFA enabled, if credentials are successfully stolen then they cannot be used as the attacker would still need the second authentication method to gain access. MFA is widely recognised as the simple most important security step any organisation can make to reduce cyber risk and it is a very simple and effective method—so we recommend this not only to reduce phishing attacks, but also for wider security improvement. Once MFA is enabled, you can go on to implement even more secure identity and access management controls, such as Conditional Access and Single Sign-On (SSO).

3. Make it easy for users to report suspicious emails

Having a process in place and a method for staff to report suspicious emails will make it mush easier for people to flag anything that they don’t trust and helps provide reassurance. For many, when a suspicious email arrives, deleting it doesn’t feel enough and there can be confusion whether it needs to be raised with IT or Security. Rather than calling your helpdesk, and for the sake of efficiency, we recommend using the ‘Report Message’ or ‘Report Phishing’ add-in within Outlook. This can automate investigation internally but also is shared with Microsoft to help continually improve the effectiveness of email protection.

This gives a simple add-in within Outlook that users can use to report an email as Phishing (or as Junk or Not Junk, if using the Report Message add-in) and then blocks and removes the email from your inbox. You can find out more about this and how to enable it here.

4. Carry out phishing attack simulations to better prepare staff

The most effective way to prepare staff for phishing attacks is through simulations. Watching videos, reading articles or listening to a trainer is only so effective – the best way is through practical experience. Phishing attack simulations can be setup by your organisation or IT partner, using your branding and a set of templates to run simulated attacks periodically. As Microsoft partners, we recommend Microsoft Defender for Office 365 as this includes phishing attack simulation. By carrying out these exercises once every few months, you can keep people alert and identify anyone that needs further training – ensuring more cost-effective use of training budgets.

5. User awareness and training

With all the basic security controls in place and regular ongoing attack simulations, you can then better prioritise user awareness and training. As training can be expensive and time-consuming for busy staff, we recommend prioritising high risk groups – such as Finance and Directors, and then using the results from simulated attacks to highlight other people at risk of falling for phishing attacks. Of course, if you have the budget and time, periodic user awareness and training is very valuable – however we have tried prioritising our tips to ensure the most effective methods are implemented first, whilst weighing up cost vs benefit.