28.03.2025 / Chris LaPera

How to Protect Yourself and Your Business from Email Phishing Attacks

Email phishing is the most common way that computer systems get compromised in any size or type of organization. As Muller Martini’s IT Manager, one of my responsibilities is to improve our resilience against phishing attacks, while minimizing disruption to employee productivity.

What is phishing?
Phishing is any malicious email message that pretends to come from a legitimate source in order to trick the recipient into revealing sensitive information, such as passwords or account and credit card numbers, or into clicking on malicious links.

So how do we protect ourselves against phishing?
Even though a business may have implemented strong technology-based defenses, cyber criminals are increasingly targeting the weakest link in security: the human factor. Therefore, the most effective defense is teaching employees the key indicators of an attack, including:

· Urgency. Any email that creates a tremendous sense of urgency, pressuring the recipient to act quickly and make mistakes, should be treated with suspicion.

· Pressure. Be wary of messages that pressure employees to ignore or bypass company policies and procedures. Business Email Compromise (BEC) attacks (see below) often use this tactic.

· Curiosity. Emails that generate excessive curiosity or seem too good to be true, such as notifications of undelivered packages or unexpected refunds, are often malicious.

· Tone. Employees should be trained to recognize when an email from a coworker doesn't sound like them or if the overall tone or signature is unusual or wrong.

· Generic Salutations. An email from a seemingly trusted organization that uses a generic salutation like “Dear Customer” instead of the recipient's name should raise suspicion. Legitimate organizations that have a relationship with you will typically know your name.

· Personal Email Addresses. Be cautious of emails that appear to come from legitimate organizations, vendors, or coworkers but are using a personal email address like @gmail.com.

Business Email Compromise (BEC)
A specific type of phishing, Business Email Compromise (BEC), needs additional diligence. This type of phishing attack aims to trick someone in the Finance department into authorizing fraudulent wire transfers or changing payment account details. These targeted attacks often involve text-based emails with no links or attachments.

To mitigate a BEC risk, companies should:
· Implement strict verification procedures for financial transactions and account changes, especially when initiated through email. This might involve requiring secondary approvals or verifying requests through a separate, trusted communication channel like a phone call to a known number.

· Train finance teams specifically on the characteristics of BEC attacks, emphasizing that even emails appearing to come from high-level executives should be treated with scrutiny.

· Emphasize that phishing attacks are not limited to email but can also occur via messaging (smishing) and voice/phone calls (vishing). Training should therefore make the workforce aware of social engineering tactics across these different communication channels.

By focusing on the common underlying social engineering tactics and the indicators mentioned above, and by implementing robust verification processes, especially for financial matters, companies can significantly enhance their protection against email phishing attacks and reduce the potential for financial losses.
28.03.2025 Chris LaPera Information Technology Manager, Muller Martini North America