How to Counter Phishing Attacks
Cybersecurity experts say combating increasingly sophisticated phishing emails requires a combination of state-of-the-art technology, more holistic and recurring employee training, and rethinking the channels HR uses to communicate with the workforce.
On the technology front, a key strategy is to implement email filtering solutions and anti-phishing software that can detect and block cybercriminals’ emails before they ever reach employees’ inboxes. HR should work with information technology (IT) and security groups to ensure that the organization is using email authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
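The SPF and DMARC records these controls rely on are published as DNS TXT records, and a permissive record (a soft-fail `~all`, or a DMARC policy of `p=none`) gives receivers little reason to reject spoofed mail. The checker below is an added example, not code from the article or from any organization it quotes; the records and the domain `example.test` are constructed stand-ins for what a real deployment would fetch from DNS.

```python
import re

# Constructed sample records for a hypothetical domain (no real DNS lookups).
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailprovider.test ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}

def parse_tags(record):
    """Split a 'k=v; k=v' style DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(record):
    """Findings for an SPF record; the 'all' qualifier decides the fate of
    senders that are not listed in the record."""
    if not record.lower().startswith("v=spf1"):
        return ["missing or malformed SPF record"]
    m = re.search(r"(?:^|\s)([+~?-]?)all(?:\s|$)", record)
    if m is None:
        return ["no 'all' mechanism: unlisted senders are not rejected"]
    qualifier = m.group(1)
    if qualifier in ("", "+"):
        return ["'+all' lets any sender pass SPF"]
    if qualifier == "~":
        return ["'~all' only soft-fails spoofed mail; '-all' is stricter"]
    if qualifier == "?":
        return ["'?all' is neutral and offers no protection against spoofing"]
    return []  # '-all': unlisted senders fail SPF

def assess_dmarc(record):
    """Findings for a DMARC record; p=none monitors but never blocks."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["missing or malformed DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none: receivers are told to deliver failing mail")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is spam-foldered, not rejected")
    elif policy != "reject":
        findings.append("invalid or missing p= tag")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def assess_domain(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one domain's published records."""
    return {"spf": assess_spf(records.get(domain, "")),
            "dmarc": assess_dmarc(records.get(f"_dmarc.{domain}", ""))}
```

Running `assess_domain("example.test")` on the constructed records flags both the `~all` soft-fail and the `p=none` policy, which is the monitoring-only state many domains never move beyond.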
“You want to ensure your organization has technical controls in place like SPF, DKIM or DMARC to validate that emails are coming from someone within your organization,” Kron says. “Those email filters help eliminate or remove as many phishing emails as possible.”
Kron says filters that alert employees that an email is coming from an external address are particularly valuable in stopping phishing attacks.
“It gives people a valuable heads-up,” he says. “If a bad actor fakes a domain name by one or two letters, for example, you wouldn’t ordinarily notice it with a quick glance at the email. But these filters tell employees that, while the email looks like it’s coming from an internal address, it’s actually coming from outside the company.”
Lakhani agrees that companies can reduce their phishing risks by implementing banners and clear notifications when email is received from outside the organization.
“Adding technologies such as digital signatures and email PGP [pretty good privacy, an encryption system] can be a tremendous help and, in some cases, make the risks very small,” Lakhani says. “The problem is these solutions require a level of effort and cost to implement and support. They also require user training and retraining, which can be a burden to organizations that lack resources.”
In a 2023 report on phishing threats, Cloudflare suggested organizations “meet employees where they are” by making the technologies they use every day on the job more secure and preventing them from making mistakes.
“For example, remote browser isolation technology, when integrated with cloud email security, can automatically isolate suspicious email links to prevent users from being exposed to potentially malicious web content,” the Cloudflare study’s authors wrote. “Keyboard inputs can also be disabled on untrusted websites, protecting users from accidentally entering sensitive information within a form fill or during credential harvesting.”
Employee training is another vital component in preventing successful phishing attacks. Workers need to be educated on what phishing is and the best techniques to combat it, such as not opening email attachments from unknown sources, hovering over hyperlinks before clicking to view the link’s real destination, and looking for spelling or grammatical mistakes. In addition, deploying regular, unannounced simulated phishing tests can reinforce the training and identify weak spots in the company.
But some experts say that too often there’s a missing element in phishing awareness training: teaching employees how to recognize and regulate their own emotions.
“Training should help employees identify the telltale signs of phishing, but you also want them to understand that if they have a strong emotional response to an email, text or phone call, it’s vital to take a deep breath and pause,” Kron says. “That may mean getting up to take a short walk around the desk or office and then come back to look at the email more critically, because phishing often plays heavily on the emotions.”
Lakhani agrees that the phishing awareness training used by many organizations needs an upgrade.
“For example, implementing regular phishing simulations with team-specific, customized messages can help assess individuals who may need additional or specialized training,” he says.