Be Cyber Smart: How to Defend Against Phishing Attacks for NCSAM 2020
Every October, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) promote the National Cyber Security Awareness Month (NCSAM). The theme for NCSAM 2020 is “Do Your Part. #BeCyberSmart.” The purpose of this message is to emphasize personal accountability when it comes to defending against cybersecurity threats such as phishing attacks.
In support of NCSAM 2020, Zix | AppRiver is pleased to share some email security best practices from the end of its 2020 Mid-Year Global Threat Report. Individual users and organizations alike can leverage these steps to harden their email security and keep themselves safe against phishers and email-based attackers.
These recommendations are presented below.
Never Reuse Passwords
Organizations and users should make sure they don’t reuse passwords across multiple services and accounts. The danger is that malicious actors can conduct what are known as password reuse attacks: they take a set of login credentials compromised through a phishing email or another attack and try them against the victim’s other accounts, gaining access to ever larger portions of the victim’s digital presence. Acknowledging that threat, organizations and users are advised to create a strong and unique password for each of their web accounts and services.
Use a Password Manager
Creating a strong and unique password for each account might be easy enough. Remembering all of them is another thing entirely. Users and organizations might be tempted to adopt shortcuts that make passwords easier to recall, but those shortcuts can weaken their security and leave them more exposed to account takeover by a phisher. Consequently, organizations and users should consider using a password manager. Not only do these solutions remember passwords for their users, but many also have built-in tools for generating strong passwords that organizations and users can then use to protect their accounts.
Always Use MFA
Even with strong and unique passwords stored in a password manager, users could still fall for a phish. (It’s nothing to be ashamed of. Sometimes we let our guard down. It’s human nature.) Fortunately, organizations and users alike can further protect themselves against phishers by implementing Multi-Factor Authentication (MFA) as an additional layer of email security. This mechanism requires that all users provide an additional factor of authentication, such as a thumbprint or a security key, in order to log in successfully. It helps to protect an account even in the event that a phisher compromises the login credentials.
Verify Suspicious Messages
Sometimes, users will receive a message from what appears to be a trusted contact, but something’s wrong. Maybe the grammar’s slightly off. Maybe the email carries an unusual sense of urgency. Maybe the message just doesn’t sound like the sender usually sounds. In those cases, users should take the initiative to verify the email by contacting the sender through another medium, such as a telephone call. Organizations can support this type of verification by creating security policies that mandate confirmation over a second channel for actions like authorizing wire transfers or changing the banking details of a trusted vendor.
Avoid Clicking Links
This goes without saying, but users need to be careful when clicking on email links if they want to avoid falling victim to a phishing attack. Nefarious individuals are known to include malicious links in their emails. If a recipient clicks on such a link, the phishing email can send them to a malicious domain designed to steal their account information and/or install malware on their device. Users can avoid this fate by exercising caution around all email links, and organizations can reinforce this behavior with ongoing security awareness training.
Invest in a Robust Solution
Organizations and users would be mistaken to rely solely on awareness in the fight against phishing. To be truly secure, they should also invest in a security solution that’s capable of scanning incoming email messages for malware signatures, campaign patterns and other indicators of known threat behavior. The solution should perform this analysis in real time so that legitimate correspondence still reaches its intended destination without delay.