Phishing plays on human emotions. But awareness, recognition, training and tech can blunt the most sophisticated attacks.

Retailers are not the only people looking forward to the holiday season. It will be a busy time for scammers and fraudsters too as they send out coupons, deals and offers to consumers, and even thank-you vouchers to employees, purporting to come from organizations and brands they trust. In fact, CIO has reported that it takes only a few minutes for experienced hackers to set up a social engineering attack against enterprises (and their managed service providers) that consider themselves to be secure and protected.

Even though email phishing – deceptive messages designed to trick a person into sharing sensitive data (or even money) or inject malicious software into the recipient’s system – is one of the oldest tricks in the book, email cyberattacks account for 90% of all data breaches even today, according to research by Hoxhunt. Taken together, these attacks exact a toll of $6 trillion from the global economy. While consumers and individuals have grown generally aware of these attacks over the years – even if they aren’t aware of the term “phishing” – they are still surprisingly common and effective.

So what are the different kinds of phishing attacks prevalent today? What methods are cybersecurity experts using to minimize the impact of these attacks? How do enterprises combat these threats at a broader scale and prevent persistent phishing attempts? Let’s dig deeper.

1. Understand the different types of phishing attacks

Phishers use social engineering tactics via almost every communication format and connection to launch phishing attacks.
Unsurprisingly, there’s more to phishing than email:

- Email phishing: Attackers send emails with attachments that inject malware into the system when opened, or with malicious links that take the victim to a site where they’re tricked into revealing sensitive data.
- Spear phishing: Attackers send emails to specific targets who they know have the information they need – such as everyone in the sales or IT department.
- Whaling: Emails sent to senior executives such as CEOs or CFOs as part of a high-profile targeting scam.
- Smishing: Phishing over text (SMS) messages.
- Vishing: Voice over IP (VoIP) and Plain Old Telephone Service (POTS) lines are also susceptible to phishing attacks – attackers use speech synthesis software and automated calls to solicit victims to share bank details and login credentials.
- Social media phishing: Attacks executed over social platforms such as Instagram, Twitter, Facebook, or LinkedIn – designed to take over your account or use it for posting messages as part of a larger campaign.
- Pharming: Attackers use DNS cache poisoning (replacing a legitimate cached IP address with a malicious one) to redirect victims to fake (but similar-looking) sites where their login credentials are captured.

2. Train employees to recognize phishing attempts

Along with being commonplace, phishing attacks have become so profitable (to the attackers) that the biggest cybercriminals have largely moved beyond individual customers. Rather, they target enterprise employees who can be duped into revealing information that’s much more sensitive, on a much larger scale.

“An example might be a bank – we don’t want to target its customers, we think that’s dumb and slow, we want to target the bank itself,” said Mike Connory, CEO at Security In Depth.

Since phishing attacks overwhelmingly target the human element, cybersecurity experts agree that the best defense against this is providing security awareness training to enterprise employees.
This helps in early identification of attacks and raises overall security hygiene. Some basic precautions staff in all departments need to take are:

- Keep email and website accounts (and even devices) separate for personal and work use wherever possible.
- Know that legitimate companies will never ask for passwords or personal, financial, or corporate information. Independently confirm with the institution or organization if you can.
- Never copy and paste links from emails; never click shortened URLs unless you trust the source.
- Check the sender’s email address. If you don’t recognize it, be wary of opening the message.
- Closely read all URLs for all sites where you log in and share, access or create sensitive data.
- Most messages and emails from phishers contain spelling and grammar mistakes. They aren’t professionally proofread.
- Coercive or threatening messages or calls are a red flag. Legitimate institutions won’t send such communication unless there is a legal dispute. Double check.
- Don’t log in to WiFi networks you don’t trust.

Done correctly, these simple steps can make your staff battle-hardened defenders of your network.

“You often hear that people are security’s weak link. That’s very cynical and doesn’t consider the benefits of using a company’s workforce as a first line of defense,” said Riaan Naude, Global Head of Consulting at Performanta. “Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results,” Naude added.

This is important because the reporting rate of attempted phishing incidents currently languishes at a paltry 3%.

3. Use AI-enabled software to implement anti-phishing security measures

In-house cybersecurity training is no longer a time- and skill-intensive process, given the prevalence of AI-based phishing awareness platforms.
Today, ML enables gamified, personalized security training programs for each individual based on their current level of awareness, position in the organization, and browsing behavior.

Further, AI is a potent tool in the hands of cybersecurity experts. It enhances the efficiency and effectiveness of security policies by improving and automating routine threat detection procedures. AI-enabled automation can help organizations put in place a variety of anti-phishing measures:

- Deploy anti-malware, antivirus, and anti-spam tools and keep key applications patched and updated.
- Deploy email authentication standards on enterprise email servers to check and verify inbound emails. Protocols like Domain-based Message Authentication, Reporting and Conformance (DMARC) help admins and users block unsolicited emails effectively.
- Schedule regular security and phishing training for employees, and remedial measures for those who fail tests.
- Model legitimate communication within the organization – based on the predictable behavior of regular users, working out patterns of interaction between various entities, and analyzing the context of messages – and assign dynamic security scores (with anomaly thresholds) to emails.
- Integrate with cloud email services to block malicious emails that filter past platform-native security.
- Give employees a one-click path to reporting suspicious emails, and automate the categorization, analysis and management of these emails.

People-first phishing defense

While the effectiveness of any and all security measures depends on people, processes and technology, phishing can be defeated by the very tactic it thrives on: social engineering. Solutions that help people become smarter, sentient, resilient and responsive will win the day against the most advanced phishing attempts. Why not arm your team to be the winning one?
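The DMARC item in the list above says inbound mail should be checked against the sender domain’s published policy. The following is an added illustration, not code from the article or from any vendor it mentions: it parses a DMARC record, checks whether an SPF or DKIM pass is aligned with the From: domain, and returns the disposition the policy asks for. The record and the domains (examplebank.com, lookalike.example) are constructed, and the organizational-domain helper is simplified to the last two labels; a real receiver uses the public suffix list.

```python
"""Minimal DMARC alignment check for an inbound message (added example).

Inputs are what a receiving MTA already has after SPF and DKIM evaluation:
the From: header domain, the SPF result and the domain it was checked
against, and the DKIM result and the d= domain of the signature.
"""


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")      # policy: none / quarantine / reject
    tags.setdefault("adkim", "r")     # DKIM alignment: r (relaxed) or s (strict)
    tags.setdefault("aspf", "r")      # SPF alignment:  r (relaxed) or s (strict)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    a production implementation consults the public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed only the organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition). DMARC passes when at least one of
    SPF or DKIM passed AND its domain aligns with the From: domain."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "accept"
    return False, tags["p"]   # apply the domain owner's requested policy


RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"   # constructed record for examplebank.com

# Constructed spoof: From: claims examplebank.com, but SPF and DKIM both pass only
# for a domain the sender controls, so neither identifier aligns -> reject.
SPOOF = evaluate_dmarc(RECORD, "examplebank.com", "pass", "lookalike.example",
                       "pass", "lookalike.example")
# Constructed legitimate relay: SPF passes for a subdomain, relaxed SPF alignment holds.
LEGIT = evaluate_dmarc(RECORD, "examplebank.com", "pass", "mta.examplebank.com",
                       "fail", "examplebank.com")
```

The spoof case is the one the article warns about: a message can pass SPF and DKIM for the attacker’s own domain and still fail DMARC, because neither authenticated domain matches the From: domain the recipient actually sees.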