With more than 3 billion phishing emails received each day, employees are bound to make a mistake, clicking on a malicious link that could result in a cyberattack. The Cybersecurity and Infrastructure Security Agency (CISA) estimates that over 90% of successful cyberattacks are initiated by a phishing email. But what exactly is phishing?

Phishing is a type of social engineering where threat actors entice email users to give up their login credentials or unwittingly click to visit malicious websites. Typically, threat actors use phishing campaigns to steal login credentials for network access or to deploy malware for activities such as escalating user privileges, disrupting systems, and maintaining persistence on compromised systems.

To reduce the impact of phishing attacks, CISA, the National Security Agency, the FBI, and the Multi-State Information Sharing and Analysis Center jointly released Phishing Guidance: Stopping the Attack Cycle at Phase One. The guide outlines phishing techniques, discusses mitigation, provides recommendations for small and midsize businesses, and offers guidance for software manufacturers.

The barrage of phishing emails from threat actors is relentless. Many of the emails are obvious scams, but others are quite convincing to the unsuspecting user. The guide explains how threat actors have two primary purposes when launching a phishing attack: 

1. To obtain login credentials. A threat actor poses as a credible source, such as a co-worker or executive, to entice email users to provide their usernames and passwords. Multifactor authentication (MFA) can be a strong tool for reducing a threat actor’s ability to gain access to credentials. However, the guide also explains instances where threat actors can effectively exploit weak MFA implementation.
2. To execute malware. A threat actor impersonates a trusted contact to trick a user into opening an email attachment or clicking on a malicious link via email, smartphone, or tablet. From there, the malicious malware downloads to allow initial access, theft of data, damage or disruption to the system, and escalation of account privileges to the threat actor.

Threat actors target organizations of every size and industry, so it’s important to follow best practices to reduce your cyber risk. 

To protect login credentials:

• Implement phishing training. Educate employees on how to identify a suspicious email or link, what to do when they suspect phishing, and why it’s important to report it. 
• Enable DMARC for received emails. Also, set domain-based message authentication, reporting, and conformance (DMARC) to “reject” for sent emails. 
• Monitor internal emails. Determine what is normal network traffic and pay close attention to any deviations from the norm.
• Implement free security tools. Tools such as OpenDNS Home can keep threat actors from redirecting users to malicious sites.
• Harden credentials by using FIDO MFA or public key infrastructure (PKI)-based MFA, or your organization can mitigate MFA fatigue by using number matching. Also, implementing a single sign-on program can help.
• Review MFA lockout, consider alert settings, and track denied logins. You should conduct a lockout when unusual activity happens and minimize any unnecessary disruptions.

To prevent malware execution:

• Enable firewall rules and use denylists at the email gateway and to block known malicious domains, URLs, and IP addresses
• Restrict Windows and MacOS users from having administrative rights and use the principle of least privilege when administering user accounts
• Use application allowlists
• Block macros by default
• Use remote browser isolation solutions, free security tools, and a free protective domain name system (DNS) resolver
• Set up a self-serve app store

The guide also recommends incident response and reporting measures to remediate identified phishing activity. 

Recommendations for Small and Midsize businesses

Many small and midsize businesses simply do not have the budget to hire a dedicated IT cybersecurity staff. For these organizations, the guide recommends following best practices to stay safe from phishing.

To protect network resources, organizations should implement annual phishing awareness training, identify network phishing vulnerabilities, and use a strong form of MFA.

To prevent phishing compromises, organizations should use technical solutions such as requiring strong passwords, employing DNS filtering or firewall denylists to block malicious websites, implementing antivirus solutions and file restriction policies, setting software applications to automatically update, enabling safe web browsing policies, using a secure virtual private network with MFA enabled, and migrating to managed cloud-based email services.

Guidance for Software Manufacturers

Software manufacturers should create and distribute software that is safe from phishing threats to improve cybersecurity for their customers. The guide recommends putting secure-by-design and default tactics into software development practices. CISA offers additional in-depth principles and approaches for technology providers and software developers. 

Threat actors send billions of phishing emails every day, and, no doubt, several malicious emails are arriving in your employee inboxes. To stay safe from phishing attempts, your organization should heed government agency guidance and take proactive steps. Read the full guide to learn more.