1) Protect your email service with two-factor authentication
The most effective way of preventing business email hijacking is to protect your mailbox with two-factor authentication (2FA). Two-factor authentication is an extra layer of security that asks for a second proof of identity in addition to your password, typically a one-time PIN from an authenticator app or text message, either every so often or whenever a login request comes from a new device, browser or location. A password stolen through phishing is then not enough on its own to get in.
This may sound tedious, but it is a powerful measure against hackers hijacking your mailbox and using it to reset your passwords on cloud services such as PEXA. Services like G Suite and Office 365 already include 2FA at no extra cost; it just needs to be turned on and configured for your email service.
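To show what the "one-time PIN" actually is and why a stolen password alone no longer works, here is an added example (not Iron Bastion's code, and not specific to G Suite or Office 365) of the time-based one-time password algorithm that authenticator apps use, together with the server-side check. The secret is the reference secret from RFC 6238 so the values can be verified against the standard; a real service generates a random secret per user at enrolment. The replay guard (refusing a counter at or below the last one accepted) is the detail a practitioner wants: a PIN that has been phished and used once cannot be used again.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step (the usual authenticator-app default)
DIGITS = 6

# RFC 6238 reference secret (ASCII "12345678901234567890"), used only for the
# self-check; a real service generates a random secret per user at enrolment.
RFC6238_SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with the secret in base32 form."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int = None, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_used_counter: int, window: int = 1):
    """Server-side check. Accepts codes from `window` steps either side of now to
    tolerate clock drift, compares in constant time, and refuses any counter at or
    below the last one accepted so a phished or shoulder-surfed PIN cannot be
    replayed. Returns (ok, new_last_used_counter)."""
    now = at // STEP
    for counter in range(now - window, now + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # Self-check against RFC 6238 Appendix B (SHA-1 column, last six digits).
    print(totp(RFC6238_SECRET, 59), "expected 287082")
    print(verify_totp(RFC6238_SECRET, "287082", 59, -1), "expected (True, 1)")
    print(verify_totp(RFC6238_SECRET, "287082", 59, 1), "expected (False, 1) - replay refused")
```

The window of one step either side means a code is accepted for roughly 90 seconds, which is the trade-off between user friendliness and the time an attacker has to relay a phished PIN; keep it at one step rather than widening it.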
2) Tune your email service to prevent email impersonation attacks
Cybercriminals often rely on email spoofing to take over accounts. They will typically pose as a person of authority from your organisation and lure you into clicking on a web link that leads to a fake login page, opening a file attachment containing malware, or giving away passwords and other sensitive information.
The good news is that you (or your IT staff) can make changes to your email service to reduce the risk of email-based impersonation attacks.
3) Make sure you’re using the right anti-virus software
Make sure every device runs an up-to-date antivirus product, and that it is the right one for your business. Better antivirus products do not just stop classic viruses; they also protect you from phishing pages and ransomware.
Sadly, many IT service providers do not deploy the right antivirus for your business needs. They often resell whatever comes in a heavily discounted software bundle or offers the best resale margin, rather than picking the product that performs best in independent testing.
Ensure that every device in your business has an antivirus product installed, and that its features include phishing protection, safe-browsing browser plugins, ransomware protection and sandboxing.
4) Invest in anti-phishing protection for your email service
To prevent cybercriminals from luring your employees into email account hijacking, your incoming emails should be pre-screened for phishing attempts.
Be aware that the basic spam filters built into Office 365 and G Suite, and previous-generation anti-spam services, were designed to stop bulk spam rather than targeted phishing, and do not apply advanced anti-phishing techniques to pre-screen email. Relying on them alone leaves your firm exposed to today’s cyber threats.
Dedicated anti-phishing services, on the other hand, use machine-learning classifiers to identify phishing attempts. They look for the specific red flags of a phishing message, such as typical wording and text semantics, invalid digital signatures and poor sender reputation. File attachments are analysed in an isolated sandbox to catch known and unknown threats, and embedded hyperlinks are rewritten so that the URL is re-analysed at the moment the recipient clicks on it and blocked if it has become malicious. These technologies are only found in anti-phishing services specifically designed to protect organisations from phishing.
Advanced anti-phishing protection is sold as an add-on that works alongside your existing email service, either as a cloud service or as an on-premise product that pre-screens your email for phishing.
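The link-rewriting technique described above is worth seeing end to end, because its value lies in the timing: the verdict is made when the user clicks, not when the message arrived. Here is an added example (not Iron Bastion's code, and not any vendor's implementation) of the two halves: rewriting every link in an inbound message to a gateway URL at delivery, and the gateway's click-time check. The gateway address, signing key and message are constructed for the example. The HMAC over the original URL is the caveat a practitioner wants: without it, the gateway is an open redirect that attackers can use to launder their own links.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumed names: the gateway URL and signing key are constructed for this
# example; a product keeps the key server-side and rotates it.
GATEWAY = "https://links.example.com/click"
SIGNING_KEY = b"demo-signing-key-not-for-production"
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def sign(url: str) -> str:
    """Short HMAC-SHA256 tag binding the original URL to this gateway."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def wrap_url(url: str) -> str:
    """Replace a link with a gateway link carrying the original URL and its tag;
    the tag stops the gateway being abused as an open redirect."""
    return f"{GATEWAY}?u={quote(url, safe='')}&t={sign(url)}"


def rewrite_links(html: str) -> str:
    """Delivery time: rewrite every href in an inbound message."""
    return HREF_RE.sub(lambda m: f'href="{wrap_url(m.group(1))}"', html)


def links_in(html: str):
    """Extract hrefs from a message body (used to pull the rewritten link back out)."""
    return HREF_RE.findall(html)


def check_click(click_url: str, blocklist) -> tuple:
    """Click time: verify the tag, then judge the original URL against the
    blocklist as it stands now, not as it stood when the message was delivered.
    Returns (verdict, original_url)."""
    params = parse_qs(urlsplit(click_url).query)
    original = params.get("u", [None])[0]
    tag = params.get("t", [None])[0]
    if original is None or tag is None:
        return ("error", None)
    if not hmac.compare_digest(sign(original), tag):
        return ("tampered", original)
    host = (urlsplit(original).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in blocklist):
        return ("blocked", original)
    return ("allowed", original)


if __name__ == "__main__":
    # Constructed phishing message: a lure to a fake PEXA-style login page.
    msg = '<p>Your matter needs attention: <a href="https://pexa-login.example/reset?id=7">sign in</a></p>'
    rewritten = rewrite_links(msg)
    click = links_in(rewritten)[0]
    print(click)
    print(check_click(click, set()))                       # clean at delivery
    print(check_click(click, {"pexa-login.example"}))      # domain listed after delivery
```

The blocklist passed to `check_click` is a stand-in for the live reputation and sandbox verdict a real service consults; the example's point is that a link that was clean when the email landed still gets blocked once the domain is known bad.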
5) Use managed web browsing protection
More sophisticated cybercriminals may try to outsmart these advanced anti-phishing technologies used in business email by targeting staff through their private email and instant messenger accounts instead.
Free email providers such as Gmail and Yahoo Mail do not offer the advanced anti-phishing protection that your corporate email service may have. Criminals may also contact your employees via Facebook Messenger, WhatsApp or iMessage. These services cannot identify and block targeted attacks on your employees, but you can protect your staff with what is known as a DNS firewall, which can be set up on all employee devices and protects them even when they are out of the office.
DNS-based web browsing protection blocks your employees from accidentally visiting websites that host fake login pages or password-stealing malware, because the lookup of the malicious domain name is refused before the browser ever connects, whichever app the link arrived in. Web browsing protection services are not only for big businesses; services such as ours are available even for a sole practitioner protecting a single device. We suggest subscribing to such a service for comprehensive protection across your business.
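To make the DNS firewall idea concrete, here is an added example (not Iron Bastion's service or code) of the policy decision a filtering resolver makes on every query, and of the BIND Response Policy Zone (RPZ) format in which such a policy is loaded into a resolver. The blocklist, allowlist and sinkhole address are constructed for the example; a real service feeds the list from threat intelligence. The ordering matters: names are checked most-specific first, so a legitimate host inside a blocked zone can be exempted.

```python
# Constructed blocklist and allowlist; a real DNS firewall pulls these from a
# threat-intelligence feed and is applied through every device's resolver settings.
BLOCKLIST = {"pexa-login.example", "docs-share.example", "example.net"}
ALLOWLIST = {"intranet.example.net"}      # legitimate host under a blocked zone
SINKHOLE = "192.0.2.1"                    # RFC 5737 documentation address


def candidate_zones(qname: str):
    """Yield the name and every parent zone, most specific first:
    'a.b.example' -> 'a.b.example', 'b.example', 'example'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def resolve_policy(qname: str, blocklist=BLOCKLIST, allowlist=ALLOWLIST) -> tuple:
    """Decide whether a DNS query is answered normally or sinkholed.
    Returns ('allow', matched_entry_or_None) or ('block', matched_entry).
    Because candidates are checked most-specific first, an allowlisted host
    inside a blocked zone wins over the zone-wide block."""
    for zone in candidate_zones(qname):
        if zone in allowlist:
            return ("allow", zone)
        if zone in blocklist:
            return ("block", zone)
    return ("allow", None)


def rpz_zone(blocklist, allowlist=(), sinkhole=SINKHOLE, origin="rpz.local.") -> str:
    """Emit a BIND Response Policy Zone that sinkholes each blocked name and all
    of its subdomains, with rpz-passthru exemptions for allowlisted hosts.
    Loading it into a recursive resolver makes the policy apply to every
    application on the device, browsers and messengers alike."""
    lines = [
        "$TTL 60",
        f"@ IN SOA {origin} hostmaster.{origin} 1 3600 900 604800 60",
        f"@ IN NS {origin}",
    ]
    for name in sorted(allowlist):
        lines.append(f"{name} IN CNAME rpz-passthru.")
    for name in sorted(blocklist):
        lines.append(f"{name} IN A {sinkhole}")
        lines.append(f"*.{name} IN A {sinkhole}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for q in ("www.pexa-login.example", "mail.example.com",
              "intranet.example.net", "evil.example.net"):
        print(f"{q:28} -> {resolve_policy(q)}")
    print(rpz_zone(BLOCKLIST, ALLOWLIST))
```

Sinkholing to an address you control (rather than returning NXDOMAIN) lets you serve a block page and log which device tried to reach the phishing site, which is the signal you want when deciding who needs the awareness training in the next section.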
6) Educate your employees with phishing awareness training
Phishing is not merely a technology problem; it is a human problem too. The last line of defence is your employees, so they need to be vigilant and trained to identify phishing attempts.
In covering the human element, phishing simulation is an effective way to test and train employees’ cybersecurity awareness and their susceptibility to social engineering, spear phishing and ransomware attacks. With the right tools, you can simulate a phishing attack against your own business, identify the vulnerable employees (those who fell for it) and follow up with appropriate training. There are both free and paid security awareness training materials available to help your staff recognise and respond to phishing attempts.
This post was written by Gabor Szathmari from www.ironbastion.com.au.