Top Anti-Phishing Techniques from a Wise Fisherman

We are constantly hearing about phishing attacks and the damage they do. As a security professional, I am often asked what users can do to avoid becoming the victim of a phishing attack.

Organizationally, there are several things you can do to help avoid becoming a phishing victim, and to minimize damage if you are victimized. Some of these include:
 

1. Consider using dedicated systems for payment requests and approval processes. Consider disabling email access on any system involved with payment processing. If an attacker cannot compromise the systems in payment processing, he will have a harder time obtaining payment usernames and passwords, and a harder time actually requesting/approving a transfer.
2. Consider using a strong authentication mechanism on all payment processing systems. This would include replacing or augmenting username/password combinations with a hardware token and PIN, or with biometrics such as a fingerprint reader. An attacker will be unable to copy and reuse strong authentication such as a token or biometrics.
3. Do not allow Internet access for systems involved in payment processing. If the system genuinely has no Internet access, malware would be unable to talk back to its controlling systems and attacker.
4. Use tools available in your email client. Outlook, for instance, has the ability to help filter potentially harmful links. In Outlook, go to Tools/Options/Preferences/Junk E-mail/Options, and check “Disable links and other functionality in phishing messages” and “Warn me about suspicious domain names in e-mail addresses.” These are not perfect solutions but they can help.
5. Be diligent in your use of anti-virus and anti-malware software, including regular updates and scans. Most of the malware used as part of a phishing attack is not detected by standard anti-virus software, but some of it is. Some malware indicators may not be changed before an anti-virus update is available, and sometimes older versions of malware are distributed. Additionally, anti-virus software can help identify secondary infections that may be related to an attack.
6. Use reputation-based website, IP address, and URL filtering to help ensure that any systems accessed from within the company are not considered “bad” sites. You can extend this further by allowing only “white-list” access – access to addresses that have specifically been recognized as “good” sites (note that this has the potential to inhibit some Internet capability).
7. Consider enforcing time-of-day login and payment processing. Many fraudulent transactions occur after normal working hours. For instance, a series of large transfers that completed at 7:00PM Friday evening might be functionally ignored until staff return and see abnormal activities Monday morning.
8. Consider limiting access to payment processing systems from mobile devices, laptops, and systems based in home offices. These distributed systems are typically more vulnerable to threats.
9. Do not allow access to any internal organization system, especially payment processing systems, from a personally-owned home computer. There is simply no way the organization can enforce proper control over such a system.
10. Conduct employee security awareness sessions to instruct employees on how to identify phishing emails and avoid falling victim to them. Any reduction in exposure slows compromise and increases your organization’s capability to identify an escalating threat.
11. Explicitly communicate to employees, partners and clients that you will never solicit account information via email or send a link to update account information.

Individually, there are things employees can do to help avoid becoming a victim and compromising the integrity of organizational operations:

1. Never open attachments or links in unsolicited emails.
2. In general, be suspicious of all emails containing links. If you get an email with a link for you to click, do not click it. Navigate independently to the destination site (for example, by typing www.mybigbank.com into a new browser window) and find the referenced location without using the link.
3. Do not respond to suspicious emails in any manner.
4. Do not access emails on the same computers used to initiate or approve payments.
5. Make management aware when you receive a suspicious email.

Even well-trained users can fall prey to phishing attacks. Following these simple steps can help to avoid and reduce the impact of an attack.