When Linton Harris, a security operations manager, encountered his first phishing email incident, he soon grasped the seriousness of the issue. He delved deep into understanding and resolving the problem, only to realize that more work needed to be done. As a result, he began examining tool configurations, improving testing and training procedures, and considering additional measures.
Phishing attacks like the one Harris faced have become increasingly common, with the number of incidents growing by more than 150% annually since 2019, according to the Anti-Phishing Working Group (APWG). In 2022 alone, the APWG recorded over 4.7 million phishing attacks.
Among the various phishing methods, business email compromise (BEC) is by far the greatest threat, targeting specific employees or role types within an organization. BEC attacks can involve impersonation of email accounts or domains. Successful attacks can result in compromised account credentials, loss of corporate data, or financial losses from payroll diversion or payment of fake invoices.
Hours and Dollars Lost
Phishing attacks not only cause reputation damage for an organization but consume countless hours of the IT and security teams’ time. According to Osterman Research, handling phishing threats can take up as much as one-third of these teams’ weekly available hours. Osterman Research also found that dealing with a single phishing email takes an average of 27.5 minutes, costing more than $31 per message.
These factors make phishing a unique type of cyberattack that requires a specialized approach beyond general cybersecurity measures.
A Tacklebox of Dedicated Tools
To effectively thwart phishing attacks, security professionals recommend using dedicated tools and processes separate from the standard cybersecurity technologies commonly in place.
“When it comes to phishing, you have to be a specialist,” said Jake Williams, an independent security consultant with IANS Research, a cybersecurity consulting firm. “Rolling phishing protection into all your other security protection is a bad idea.”
While no one-size-fits-all approach exists, a combination of phishing email protection tools can prevent various threats.
The base layer should include a secure email gateway (SEG), software that intercepts emails in transit to the corporate email server. A few AI-enabled SEGs are also available; these analyze the language used in emails to identify suspicious patterns. For example, if a business associate usually signs off an email with “Best Regards” but suddenly signs off with “Thank you for your consideration,” the message gets flagged.
Despite organizations relying on Google Workspace or Office 365 to block some malicious email attachments, implementing an SEG remains critical, Williams noted. “The fact that some of the largest organizations on the planet are Google Workspace or Office 365 customers and are still using SEGs tells you everything you need to know about its value,” Williams said.
However, SEGs are just the tip of the iceberg for countering phishing threats. “Secure email gateways aren’t designed to detect malicious intent,” explained Michael Sampson, a principal analyst at Osterman Research. “[SEGs] are designed to detect malicious content in an email message.” Therefore, an organization relying solely on an SEG will have relatively limited ability to detect phishing emails that carry no malicious content, only malicious intent.
Complementing SEGs with a malware detonation system can provide another layer of protection, Williams added. A malware detonation system securely opens and examines suspicious attachments within a controlled environment. While malware analysis tools aren’t typically part of SEG offerings, many SEGs can be configured to automatically forward attachments to a malware detonation system.
Additionally, implementing email authentication methods such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) can reduce spoofing and domain-related attacks.
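As an added illustration of the SPF and DMARC point above (this is not code from the article or from any vendor it mentions), the Python function below grades a domain’s email-authentication records and reports the settings that leave spoofing unenforced. The DNS answers are constructed samples: `SAMPLE_TXT` and the `txt` lookup callable are assumptions standing in for a real resolver.

```python
import re

# Constructed TXT records for two made-up domains (assumption: these stand in
# for live DNS answers; pass a real resolver as `txt` to check a real domain).
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "hardened.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example"],
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a lowercase-key tag dict."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}

def assess_domain(domain, txt=lambda name: SAMPLE_TXT.get(name.lower(), [])):
    """Return (severity, message) findings on how much spoofing protection the domain's SPF and DMARC give."""
    findings = []
    spf = [r.lower() for r in txt(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("high", "no SPF record: any host may claim to send for this domain"))
    elif len(spf) > 1:
        findings.append(("high", "multiple SPF records: receivers treat this as a permerror"))
    else:
        m = re.search(r"(?:^|\s)([-~?+]?)all\s*$", spf[0])  # final 'all' mechanism and its qualifier
        qualifier = m.group(1) if m else None
        if qualifier in (None, "", "+"):
            findings.append(("high", "SPF does not end in -all/~all: unlisted senders pass"))
        elif qualifier == "?":
            findings.append(("medium", "SPF '?all' is neutral: unlisted senders are not failed"))
        elif qualifier == "~":
            findings.append(("low", "SPF '~all' softfail: rejection depends on DMARC policy"))
    dmarc = [r for r in txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(("high", "no DMARC record: SPF/DKIM results are never enforced"))
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append(("high", "DMARC p=none only monitors: spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(("medium", "DMARC p=quarantine: spoofed mail lands in junk rather than being rejected"))
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(("medium", f"DMARC pct={pct}: policy applied to only part of the mail"))
        if "rua" not in tags:
            findings.append(("low", "no rua= address: no aggregate reports to reveal spoofing attempts"))
    return findings
```

An empty findings list means both records are present and enforcing; anything rated high means a forged message from the domain is likely to be delivered.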
Creating a Phishing-Aware Culture
Tools play a vital role, but any effective defense against phishing requires the active involvement of users. That means organizations must conduct frequent phishing simulations and provide training programs.
Phishing simulators provide feedback for IT and security teams to evaluate the efficacy of the company’s technology defenses and training.
Dr. Denae Brooks, a senior information security risk analyst at USAA, said her recent research confirms that training improves workforce phishing failure rates. Brooks recommended that organizations establish a company culture that prioritizes phishing awareness training.
Harris, who is currently a cybersecurity leader at Veritext Legal Solutions, a deposition and litigation support solution provider, said he is currently revamping the company’s phishing simulations and training. The company increased the frequency of testing from quarterly to monthly. Phishing email training is provided to users who continue to fail tests.
Sampson stressed the importance of strengthening internal processes. For example, he recommended hardening vendor onboarding processes so that the ability to change a bank account isn’t tied to a single email request – a practice that can prevent BEC attacks that seek to divert payments or engage in payroll fraud.
Additionally, while some might think it’s overkill, Harris is a fan of using a policy against accepting email attachments. Instead, he favors secure file-sharing platforms such as Box, Dropbox, OneDrive, and Google Drive, where files can be examined first.
Swim With the Current
Despite all these efforts, the phishing threat isn’t going away anytime soon. In fact, the threat is likely to get worse as phishing attackers incorporate AI and innovative tactics. While these advances may be frustrating, organizations must continuously evolve their phishing email protections.
“If you are relying on [defenses] that worked even three or six months ago and the threats have changed, [those defenses] will be ineffective,” Harris said.