Cyber-attacks are on the rise. In just the past few years major retailers, insurance companies, and financial institutions have been the victims of attacks that exposed the personal information of millions of individuals. Of course these major corporations have security policies in place as well as enterprise-level security safeguards. And yet, somehow, a few savvy individuals were able to gain access to the network.
One way that cyber criminals worm their way into corporate systems is through fake emails disguised as messages from a legitimate company. This is known in the industry as phishing. Phishing is defined as:
The attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
With this method, an employee opens an email from what looks like a legitimate sender and either clicks a link in the email or downloads an attachment. That action installs malware on their system, which collects information and ultimately gives the people behind the fake email access to the network.
Hackers have become savvier in how they send phishing emails. We have received fake emails impersonating major entities such as FedEx and the United States Postal Service (usually with a message such as a fake delivery notification). They use logos and branding, and are sometimes even able to forge the sender domain so the phishing email looks like it originated from a legitimate source. So how exactly do you protect your business from highly sophisticated phishing emails?
Here are two ways you can protect your business against phishing.
Establishing SPF Records
A Sender Policy Framework (SPF) record is a type of Domain Name System (DNS) record that identifies which specific mail servers are permitted to send email on behalf of the domain. Companies can publish SPF records for their domain as a way to prevent spammers from sending messages with forged “From” addresses at that domain. When a message arrives, the recipient’s mail server looks up the sender domain’s SPF record and checks whether the server that delivered the message is one the record approves. If the email didn’t come from an approved mail server, the recipient’s mail server can mark the message as spam and/or move it to the recipient’s spam folder, reducing the risk of the employee inadvertently opening and downloading content from a fake email.
Training Employees on Email Best Practices
Human error plays a major role in a large percentage of cyber-attacks. Because of this, companies need to train their employees on best practices and protocols for dealing with phishing emails. Employees should be trained to examine suspicious emails for any detail that gives the message away as a fake. There should also be a process in place for employees to contact IT or forward these emails to the IT department whenever they have doubts about an email’s authenticity.
Businesses need to build training materials stressing to employees that they should NEVER open a link in an email or download an attachment if they are unsure where the email originated from. An easy way to check a suspicious email is to verify it by calling the “sender,” using a phone number you already have rather than one printed in the email. Instruct your employees never to respond to an email they are unsure of; if they have questions, they should give the company that appears to have sent the email a call to verify its authenticity.