Phishing is when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware, or directing them to a dodgy website. Phishing can be conducted via a text message, social media, or by phone, but the term ‘phishing’ is mainly used to describe attacks that arrive by email.
The mitigations described here are mostly focused on reducing the impact of phishing attacks within your organisation:
Make it difficult for attackers to reach your users
Make it harder for email from your domains to be spoofed by employing the anti-spoofing controls: DMARC, SPF and DKIM, and encourage your contacts to do the same.
Reduce the information available to attackers
Attackers use publicly available information about your organisation and users to make their phishing (and particularly spear phishing) messages more convincing. This is often gleaned from your website and social media accounts (information known as a ‘digital footprint’).
Protect your devices from malware
Malware is often hidden in phishing emails, or in websites that they link to. Well-configured devices and good endpoint defences can stop malware installing, even if a link in the email is clicked.
Prevent attackers from using known vulnerabilities by only using supported software and devices. Make sure that software and devices are always kept up to date with the latest patches.
Prevent users from accidentally installing malware from a phishing email by limiting administrator accounts to those who need those privileges. People with administrator accounts should not use these accounts to check email or browse the web.
Protect your users from malicious websites
Links to malicious websites are often a key part of a phishing email. However, if the link is unable to open the website, then the attack cannot continue.
Most modern, up-to-date browsers will block known phishing and malware sites. Note that this is not always the case on mobile devices.
Organisations should run a proxy service, either in-house or in the cloud, to block any attempt to reach websites which have been identified as hosting malware or phishing campaigns.
Protect your accounts with effective authentication and authorisation
Passwords are a key target for attackers, particularly if they are for accounts with privileges such as access to sensitive information, handling financial assets, or administering IT systems. You should make the login process for all accounts more resistant to phishing, and limit the number of accounts with privileged access to the absolute minimum.
Add additional security to your login process by setting up Two Factor Authentication (2FA), which is also called ‘Two Step Verification’ on some web services. Having a second factor means that an attacker cannot access an account using just a stolen password.
Consider using password managers, some of which can recognise real websites and will not autofill on fake websites. Similarly, you could use a single sign-on method (where the device recognises and signs into the real website automatically). Adopting these techniques means that manually entering passwords becomes unusual, and a user can more easily recognise a suspicious request.
Consider using alternative login mechanisms (like biometrics or smartcards) that require more effort to steal than passwords.
Respond quickly to incidents
All organisations will experience security incidents at some point, so make sure you’re in a position to detect them quickly, and to respond to them in a planned way. Knowing about an incident sooner rather than later allows you to limit the harm it can cause.
Ensure users know in advance how they can report incidents. Bear in mind that they may be unable to access normal means of communication if their device is compromised.
Get access to the phishing attacks infographics from the NCSC here: https://www.ncsc.gov.uk/guidance/phishing#downloads