Publishing staff directories and organizational charts online can also fuel more sophisticated, targeted phishing campaigns, known as spear-phishing attacks. In these attacks, phishers aim for quality over quantity, seeking out specific targets and designing carefully crafted email campaigns that use the names of senior administrators or other key details to give the messages an air of legitimacy.
IT teams should look at the public materials they present to the world through the lens of an attacker. Are they giving away information that presents little public benefit but might be useful in crafting phishing attacks?
Reducing the amount of publicly available data minimizes the organization’s public profile and reduces the likelihood of a successful phishing attack.
2. Train Your Workforce for Cyber Incidents
Phishers depend on employees to act as the weak link in the security chain by clicking a link or responding to a message.
Employee education and awareness is an important pillar of any campaign to protect against these attacks, helping employees recognize suspicious messages and react properly. These educational campaigns should include real examples of phishing attacks experienced by the organization to lend credibility and urgency.
Avoid “naming and shaming” individual victims of an attack, but make it clear that real employees have fallen victim. That transforms the threat of phishing from a theoretical boogeyman into a real threat that has already compromised their colleagues.
The JAMA phishing study included a valuable finding: Repeat exposure to phishing simulations helps employees recognize attacks.
Hospitals conducting their first five phishing simulations experienced a median click rate of 25.1 percent, the study found. Those that had run more than 10 campaigns saw a median click rate of 13.4 percent, almost half that figure.
3. Filter Out All Suspicious Content
Technical controls can also help stop phishing attacks by preventing them from reaching their targets in the first place.
Healthcare providers running their own email systems should ensure those systems use the best available filtering to block inbound phishing attempts. This includes using phishing blacklists that quarantine inbound messages from known spam sources. Sending these messages to the digital dustbin removes the chance that an employee will inadvertently click a malicious link in them. Blacklists only catch senders that are already known to be bad, however; a spear-phishing message sent from a freshly registered domain will sail past them, so filtering should also flag messages that borrow a senior administrator's name from an external address, use a lookalike of the organization's own domain, or carry a Reply-To address that differs from the visible sender.
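The following is an added example, not code from the article or from any product it discusses, showing what a minimal inbound filter of this kind looks like: it quarantines messages whose sender is on a blocklist, and also applies the checks that catch the spear-phishing messages a blocklist misses (a senior administrator's name on an external address, a Reply-To that diverges from the From address, and a lookalike of the organization's own domain). The blocklist, the internal domain, the executive names and the four sample messages are all constructed for the example; the domains are hypothetical and use the reserved `.example` suffix.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: known spam/phishing sender domains (the
# "blacklist"), the organisation's own sending domains, and senior-staff
# names as they appear on the public org chart. All hypothetical.
BLOCKED_DOMAINS = {"bulk-offers.example", "cheap-meds.example"}
INTERNAL_DOMAINS = {"hospital.example"}
EXECUTIVE_NAMES = {"jane doe", "sam rivera"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def normalize_domain(domain: str) -> str:
    """Fold common lookalike substitutions (1->l, 0->o, 3->e, 5->s, dropped
    hyphens) so 'hospita1.example' compares equal to 'hospital.example'.
    Deliberately coarse: the result is a flag for review, not proof."""
    table = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "-": ""})
    return domain.lower().translate(table)


def classify(raw_message: str):
    """Return ('quarantine', [reasons]) or ('deliver', []) for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reasons = []

    # 1. Blocklist lookup on every address-bearing header, not just From.
    for header in ("From", "Return-Path", "Reply-To"):
        header_domain = domain_of(parseaddr(msg.get(header, ""))[1])
        if header_domain in BLOCKED_DOMAINS:
            reasons.append(f"{header} domain {header_domain} is on the blocklist")

    # 2. A senior administrator's display name paired with an external address.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in INTERNAL_DOMAINS:
        reasons.append(f"executive name '{display_name}' used with external domain {from_domain}")

    # 3. Replies silently redirected to a different domain than the visible sender.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. A lookalike of one of the organisation's own domains.
    internal_normalized = {normalize_domain(d) for d in INTERNAL_DOMAINS}
    if from_domain not in INTERNAL_DOMAINS and normalize_domain(from_domain) in internal_normalized:
        reasons.append(f"From domain {from_domain} is a lookalike of an internal domain")

    return ("quarantine", reasons) if reasons else ("deliver", [])


# Constructed sample messages; none of these addresses or domains are real.
SAMPLES = {
    "blocklisted": (
        "From: Deals <promo@bulk-offers.example>\n"
        "To: staff@hospital.example\n"
        "Subject: 80% off this week only\n\n"
        "Click here to claim your discount.\n"
    ),
    "exec_spoof": (
        "From: Jane Doe <jane.doe@free-webmail.example>\n"
        "Reply-To: jdoe@payroll-update.example\n"
        "To: finance@hospital.example\n"
        "Subject: Urgent wire transfer\n\n"
        "Please handle this today, I am in meetings.\n"
    ),
    "lookalike": (
        "From: IT Helpdesk <helpdesk@hospita1.example>\n"
        "To: staff@hospital.example\n"
        "Subject: Password reset required\n\n"
        "Your password expires today. Reset it here.\n"
    ),
    "legit": (
        "From: Jane Doe <jane.doe@hospital.example>\n"
        "To: staff@hospital.example\n"
        "Subject: Staff meeting\n\n"
        "Agenda attached.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, why = classify(raw)
        print(f"{label:12s} -> {verdict}" + (": " + "; ".join(why) if why else ""))
```

Only the first sample is caught by the blocklist; the executive impersonation and the lookalike domain are caught by the additional rules, which is the gap the article's "filter out suspicious content" advice leaves open if a provider stops at blacklists. In production these checks sit behind SPF, DKIM and DMARC evaluation rather than replacing it, and the executive-name list is exactly the information an organization should avoid publishing in the first place.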