How to protect your business against Phishing in 2024 — Complete Guide
08-MAR-2024, written by Yves Soete, Blacksight LLC
Employees today still fall into the phishing trap. Many defensive systems have been deployed, yet attackers still manage to slip through, and day by day companies suffer massive financial losses, mostly unreported, from invoice fraud, ransomware or identity theft.
Practical personal experience has shown that this usually starts with a sophisticated phishing attack.
These are the steps companies should take in 2024 to prevent an attacker from successfully compromising the organization.
This is a combination of configuring systems correctly and training employees.
1. Implement security standards on your email systems correctly, including the new BIMI specification
These standards let receiving mail servers check whether a server sending email on your behalf is allowed to do so. You set them up in your DNS, and they are an easy, mandatory first step to keep phishing emails from even reaching your users. The new kid on the block is the BIMI specification, which builds on the others and helps massively to validate the organization's domain to recipients.
SPF: Sender Policy Framework
DKIM: DomainKeys Identified Mail
DMARC: Domain-based Message Authentication, Reporting and Conformance
BIMI: Brand Indicators for Message Identification
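As an added example (not code from the article or from Blacksight), a small Python checker that flags the weak settings most often found in these records: an SPF that only softfails, a DMARC that only monitors, and a BIMI record whose logo will never display because DMARC is not at enforcement. The records for example.com are constructed stand-ins for the TXT lookups; DKIM is left out because its selector is only known to the sending side.

```python
"""Check SPF, DMARC and BIMI TXT records for the weak settings that let
spoofed mail through. Constructed sample records stand in for DNS lookups."""

# Constructed examples. In practice these are the TXT records of example.com,
# _dmarc.example.com and default._bimi.example.com respectively.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC, BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_records(records: dict, domain: str) -> list:
    """Return findings for one domain; an empty list means the basics are in place."""
    findings = []
    spf = records.get(domain, "").strip()
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record")
    elif not spf.endswith("-all"):
        findings.append("SPF: does not end in -all, so unauthorized senders only softfail")
    dmarc = parse_tags(records.get(f"_dmarc.{domain}", ""))
    policy = dmarc.get("p")
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record")
    else:
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy} only monitors; move to quarantine or reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    bimi = parse_tags(records.get(f"default._bimi.{domain}", ""))
    if bimi.get("v") == "BIMI1":
        if policy not in ("quarantine", "reject"):
            findings.append("BIMI: DMARC is not at enforcement, so mailbox providers will not show the logo")
        if not bimi.get("a"):
            findings.append("BIMI: no a= certificate (VMC); providers such as Gmail require one to show the logo")
    return findings
```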
2. Enforce 2FA (MFA) or Web Authentication (WebAuthn)
There are several ways to implement a primary defense against identity theft. A common situation is that, after successfully phishing a target, the attacker uses the compromised account to impersonate the victim, gain credibility and request certain actions.
The strongest MFA methods are based on industry standards like FIDO2 (Fast Identity Online v2) or Web Authentication (WebAuthn).
You can also go a step further and implement password-less authentication methods within a zero-trust model, based on SAML (Security Assertion Markup Language).
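To show why FIDO2/WebAuthn is the phishing-resistant option, here is an added Python example (not code from the article) of the origin and RP ID checks a server performs on every assertion. The clientDataJSON and authenticatorData are constructed stand-ins for what a browser and authenticator produce, the login origin and RP ID are assumed values, and the signature check is deliberately left out to keep the binding logic in focus.

```python
"""Why FIDO2/WebAuthn resists phishing: the browser stamps each assertion with the
origin it was made on and the authenticator scopes it to the RP ID, and the server
checks both. Constructed, simplified example; the signature check is left out."""
import base64
import hashlib
import json

# Constructed scenario: our login page issues a challenge for RP ID example.com.
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "example.com"
CHALLENGE = b"constructed-random-challenge-bytes"

def b64url(data: bytes) -> str:
    """base64url without padding, the encoding used inside clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser on `origin` produces."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, user_present: bool = True) -> bytes:
    """Constructed authenticatorData: rpIdHash (32 bytes) + flags + signCount."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")

def verify_binding(client_data_json: bytes, auth_data: bytes) -> list:
    """Return the names of the checks that failed; [] means the assertion is ours."""
    client = json.loads(client_data_json)
    failures = []
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("origin") != EXPECTED_ORIGIN:       # browser-stamped origin
        failures.append("origin")
    if client.get("challenge") != b64url(CHALLENGE):  # replay protection
        failures.append("challenge")
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        failures.append("rpIdHash")                   # credential scoped elsewhere
    if not auth_data[32] & 0x01:
        failures.append("user-presence")
    return failures

def login_attempt(origin: str, rp_id: str) -> list:
    """Assertion produced by a browser on `origin` for `rp_id`, checked by our server.
    On a lookalike site the browser stamps that site's origin and the authenticator
    holds no credential scoped to example.com, so our checks fail."""
    return verify_binding(make_client_data(origin, CHALLENGE), make_auth_data(rp_id))
```

A password or an OTP typed into a lookalike page carries no such binding, which is the gap this standard closes.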
3. Set up content policies
In Microsoft 365, Google Workspace and most other platforms, you can define policies, or install a third-party tool, that automatically analyze replies and email conversations and block messages containing sensitive information: credit card numbers, passwords, bank account numbers, social security numbers and other financial data that should be guarded and not shared externally.
4. Implement anti-phishing tools
There are several tools available that connect to the APIs of your email servers or services and analyze the headers, links, content, external images, formatting and even the relationship between senders and recipients to rank the trust level of each message.
Google Workspace advanced security, Microsoft Defender for Office 365, Proofpoint, Ironscales, Mimecast, Barracuda Sentinel, Cofense, Avanan and Sophos Email are examples of such tools.
5. Train your colleagues, all of them, and specifically the higher-ups
People have a lot to do in a day, but training them regularly on how to detect phishing attacks and what the consequences are is crucial. Personal experience showed me that many of the higher-ups fall into the traps because they are the bigger target for the attacker. Do this on a recurring basis, according to your budget. This is a very important part of keeping your business secure; it is almost always a human error that causes the damage in the end. Make it part of the HR onboarding process and involve everybody in the organization.
6. Test your colleagues, all of them, and specifically the higher-ups
After or during phishing training, people should be tested without being informed of the test. There are many tools that send simulated phishing emails and analyze how people react to them: open rates, click rates and so on. Track how these numbers improve before, during and after training. Do this frequently and inform only the minimum number of people needed to run the test. Reward people who do the right thing. Great idea for a KPI here ;-)
7. Implement safeguards and control mechanisms in your company's workflows
For invoice fraud, as an example, the attacker takes control of a person's mailbox, contacts customers, vendors and so on, and asks them to change bank details so that legitimate invoice payments land in the attacker's account. Implementing safeguards in the company's workflow, for example confirming any change of bank account with the supplier by voice call at a number you already have on file, can prevent financial loss.
People are used to communicating over messengers and email, but for certain actions, such as payment changes, additional verification steps should be required.
8. Set up an internal contact point for incidents or questions
Create a company culture in which everybody can report issues if they suspect something phishy (no pun intended).
Create a contact point on your Slack, email or company portal where people can report security issues, even anonymously, and reward them for doing so. Don't judge: security is a culture.
Hopefully this guide has helped you implement these steps in your organization so you can prevent nasty phishing attacks. I have personally been involved in extremely costly phishing incidents (6 figures, and once 7 figures) that could have been completely prevented if the above 8 steps had been implemented. They always called me too late.