Phishing Attacks: Best Practices for Not Taking the Bait

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”.

According to a 2019 study, 74 percent of respondents whose organizations had been breached acknowledged that the incident exploited privileged account access. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials. By operating under a “trusted” identity, an attacker can move through the environment undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it is not surprising that most of today’s cyber-attacks are front-ended by phishing campaigns. So, what can organizations do to keep their users from taking the bait?

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security defines phishing as “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails [or text messages] are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails [or SMS messages] often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user may then be asked to provide personal information, such as account usernames and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”

According to the 2019 Verizon Data Breach Investigations Report (DBIR), nearly one-third of all breaches in the past year involved phishing. For cyber-espionage attacks, that number is 78 percent. Phishing attacks can be categorized into the following four types:

• Deceptive Phishing – The most common type of phishing attack, in which threat actors impersonate a legitimate company to steal users’ personal data and access credentials. 

• Spear Phishing – A more targeted variant, in which the threat actor customizes the email with the target’s name, job title, company, and other personal details so that the recipient believes the sender is someone they know or work with. 

• CEO Fraud – This type of attack targets executives to steal their credentials, which are then used to commit financial fraud, typically by tricking employees into authorizing fraudulent wire transfers or handing over W-2 information.

• Smishing – Phishing is no longer limited to email; threat actors also send malicious text messages (SMS phishing) to users’ phones.

How to Protect Against Phishing

Users should apply common sense in all their communications and keep the following precautions in mind:

• Don’t post personal data that can be used for social engineering, like birthdays, travel plans, or personal contact information, publicly on social media.

• Check the sender’s actual email address, not just the display name, by hovering over or expanding the ‘from’ field. The display name can be set to anything, including a trusted brand or even a different email address.

• Don’t click on links in the message. Instead, open the sender’s website from a bookmark or by typing the address you already know, and look there for whatever the email refers to. On a desktop mail client, hovering over a link shows where it really points, which often differs from the text of the link.

• When an email from a known source seems suspicious, contact that source with a new email, rather than just hitting reply.

• Read the email and check for spelling and grammatical mistakes, as well as strange phrases. Legitimate companies know how to spell, though the reverse does not hold: a well-written message is not proof of legitimacy. 

• Slow down. Urgency, which forces users not to think, is the fuel attackers rely on. Take a breather and revisit the steps above before taking any action.
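Several of the checks in this list can be automated. The following is an added example (not code from the original article) that parses a constructed message with Python’s standard library and flags the signs described above: a display name that shows a different address from the real one, a Reply-To on another domain, urgency wording in the subject, link text that names one site while the href goes to another, and a trusted brand name used as a subdomain of an unrelated domain. The brand domain example-bank.com, both sample messages and the indicator names are assumptions made up for this illustration; the registrable-domain logic is a simplification that ignores the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be locked", "suspended")
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)  # hostname/URL in link text
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")                  # address inside a display name


def registrable_domain(host: str) -> str:
    # Simplification: last two labels; production code should consult the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def addr_domain(addr: str) -> str:
    return registrable_domain(addr.rpartition("@")[2])


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_findings(msg):
    """From display name vs. real address, Reply-To domain, and urgency wording in the Subject."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    real = addr_domain(addr)
    m = ADDR_IN_NAME.search(display)
    if m and registrable_domain(m.group(1)) != real:
        findings.append(("display-name-domain-mismatch", f"name shows {m.group(1)}, address is {addr}"))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and addr_domain(reply_to) != real:
        findings.append(("reply-to-domain-mismatch", f"replies go to {reply_to}"))
    subject = msg.get("Subject", "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        findings.append(("urgency-language", subject))
    return findings


def link_findings(html: str, brand_domains):
    """Link text naming one site while the href goes to another; brand domain buried inside another domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        m = HOST_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            findings.append(("link-text-mismatch", f"text shows {m.group(1)}, href goes to {host}"))
        for brand in brand_domains:
            if brand in host and registrable_domain(host) != brand:
                findings.append(("brand-as-subdomain", f"{brand} appears inside {host}"))
    return findings


def analyze(raw_message: str, brand_domains=("example-bank.com",)):
    msg = message_from_string(raw_message)
    findings = sender_findings(msg)
    if msg.get_content_type() == "text/html":
        body = (msg.get_payload(decode=True) or b"").decode(msg.get_content_charset() or "utf-8", "replace")
        findings += link_findings(body, brand_domains)
    return findings


# Constructed sample messages, not real mail; example-bank.com stands in for the impersonated brand.
PHISH = """\
From: "security@example-bank.com" <alerts@mail-verify-login.net>
Reply-To: support@example-bank-secure.net
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be locked within 24 hours.</p>
<a href="http://example-bank.com.account-verify.net/login">https://www.example-bank.com/login</a>
</body></html>
"""
LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.example-bank.com/statements">Sign in to view</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw))
```

Running the script reports five findings for the constructed phishing message and none for the legitimate one. The point of the brand-as-subdomain check is that `example-bank.com.account-verify.net` is owned by whoever controls `account-verify.net`; the familiar name at the front is what the eye reads, and what the attacker counts on.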

For businesses, IT security professionals can implement the following proactive measures to protect their organization:

• Educate users about the risk of phishing and the characteristics of these attacks.

• Implement email protection software that “sandboxes” inbound email, detonating attachments in an isolated environment, and validates and sanitizes the links users might click on, for example by rewriting them so the destination is checked again at click time.

• Exercise caution when deploying third-party Web tools. Investigate their security practices to determine whether they are comprehensive enough to keep malicious code from being injected into your pages. Obviously, restricting the use of third-party Web tools must balance security with providing a differentiated customer experience.

• Implement multi-factor authentication (MFA), which requires at least two independent methods of identification (something you know, something you have, something you are), and is therefore one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. This should be standard practice for all organizations. Note that one-time codes delivered by SMS or generated by an app can themselves be phished by a proxy site that relays them in real time; authenticators based on FIDO2/WebAuthn bind the credential to the legitimate site’s origin and resist this. 

• Apply risk-based access controls to define and enforce access policies based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time: ease low-risk access, step up authentication when risk is higher, or block access entirely. Risk-based access controls are often used in combination with MFA.
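The last two measures fit together naturally, and the following added example (not the author’s or any vendor’s code) shows how: a risk score built from three signals (an unrecognised device, impossible travel between consecutive logins, and recent failed attempts) decides between allow, step-up and block, and the step-up path verifies an RFC 6238 TOTP code as the “something you have” factor. The weights, thresholds, 900 km/h travel limit, sample coordinates, device identifiers and the use of the RFC 6238 test secret are assumptions made for this illustration; a real deployment derives its weights from its own telemetry and issues a random seed per user.

```python
import hashlib
import hmac
import math
import struct
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than an airliner: two logins further apart than this cannot be one person


@dataclass
class LoginEvent:
    user: str
    ts: int          # Unix time of the attempt
    lat: float
    lon: float
    device_id: str   # e.g. a device cookie or client-certificate fingerprint


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def risk_score(current, previous, known_devices, recent_failures):
    """Adds up weighted signals; the weights are illustrative, not a standard."""
    score, reasons = 0, []
    if current.device_id not in known_devices:
        score += 30
        reasons.append("unrecognised device")
    if previous is not None:
        hours = max((current.ts - previous.ts) / 3600, 1 / 3600)  # floor at one second to avoid division by zero
        speed = haversine_km(previous.lat, previous.lon, current.lat, current.lon) / hours
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel ({speed:.0f} km/h since last login)")
    if recent_failures >= 3:
        score += 20
        reasons.append(f"{recent_failures} recent failed attempts")
    return score, reasons


def decide(score):
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up"
    return "allow"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (dynamic truncation of HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16 | mac[offset + 2] << 8 | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based variant: the counter is the current 30-second window."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accepts the current window plus `window` steps either side to absorb clock drift."""
    counter = now // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code) for d in range(-window, window + 1))


def authenticate(current, previous, known_devices, recent_failures, totp_secret, submitted_code=None):
    """Low risk passes, high risk is refused outright, medium risk must present the second factor."""
    score, reasons = risk_score(current, previous, known_devices, recent_failures)
    decision = decide(score)
    if decision == "step_up":
        if submitted_code is None:
            return "challenge", reasons
        decision = "allow" if verify_totp(totp_secret, submitted_code, current.ts) else "deny"
    return decision, reasons


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret; real seeds are random and per user
    last = LoginEvent("alice", 1_700_000_000, 40.7128, -74.0060, "laptop-1")    # New York (constructed)
    known = {"laptop-1"}
    usual = LoginEvent("alice", last.ts + 86_400, 40.7128, -74.0060, "laptop-1")
    new_dev = LoginEvent("alice", last.ts + 86_400, 40.7128, -74.0060, "phone-9")
    travel = LoginEvent("alice", last.ts + 3_600, 51.5074, -0.1278, "phone-9")  # London, one hour later
    print(authenticate(usual, last, known, 0, secret))
    print(authenticate(new_dev, last, known, 0, secret))
    print(authenticate(new_dev, last, known, 0, secret, totp(secret, new_dev.ts)))
    print(authenticate(travel, last, known, 0, secret))
```

The same user on the same laptop a day later scores 0 and is let through; a new phone in the same city scores 30 and is challenged, then allowed once a valid code arrives; the new phone appearing in London an hour after a New York login scores 80 and is refused without being offered a code at all, which is the behaviour you want when the credentials are most likely in someone else’s hands.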

Ultimately, stealing valid credentials via phishing and using them to access a network is easier, less risky, and more efficient than exploiting a software vulnerability, even a zero-day. Cyber security defenses need to adapt to this reality. User education and stronger authentication are two essential steps that can minimize the risks associated with phishing and the subsequent cyber-attacks aimed at data exfiltration. 

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
