For additional credibility, phishing attacks are often combined with spoofing. Spoofing is a technique that lets cybercriminals forge the sender's address in the message header so their messages appear to come from a source their victims trust. Thankfully this is a technological trick, and so other technologies exist to counter it: SPF, DKIM and DMARC let the owner of a domain declare who may send mail in its name, and a receiving gateway that enforces them can reject or quarantine a message that claims to come from that domain but fails those checks. The biggest problems arise when spoofing is not employed at all. The attacker sends from a free webmail account or a lookalike domain and simply sets the display name to that of a trusted person; the sending domain is genuinely theirs, so SPF and DMARC pass, and only the content gives the message away. Content filters and machine-learning classifiers still miss a good share of well-crafted messages of this kind, so it is up to us humans to use our judgment. In many cases, IT staff, who see these messages every day, are better placed to make that call than a busy recipient. So how can IT intercept these messages before they make it to the recipients?
A two-pronged approach is the best way.
First, the non-technical issue must be addressed. All company business MUST be conducted from a company email account. This puts an end to executives using personal email addresses when communicating with other employees. The second prong leverages this at the technical level: every message received from an external source whose sender display name matches an executive's name is quarantined in a special mailbox for IT moderation. The match should be made on the normalized name (ignoring case, accents, middle initials and "Last, First" ordering), because impersonators rarely copy the directory entry exactly, and "external" should be the mail gateway's own determination of where the connection came from, not the domain in the From header, so that an exact-domain spoof that slipped past DMARC is still caught. Assuming everyone is following the company policy, anything caught by this rule should be fake. Legitimate third-party services that send on an executive's behalf (e-signature or calendar notifications, for example) will be caught too; that is the price of the rule, and it is why a person, not an automatic delete, sits at the end of it. If a message turns out to be genuine, someone can let it through and follow up with the transgressor for more end-user training.
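The following is an added example of the technical prong, written for this page and not code from the original article. It models the quarantine rule as a function a mail gateway would call per message: the executive roster, the moderation mailbox, the company and lookalike domains and the sample messages are all constructed placeholders, and the gateway is assumed to tell the function whether the message arrived over an external connection. It goes slightly beyond the article's rule by also checking the local part of the address (jane.doe@...), which impersonators use when they leave the display name empty.

```python
"""Executive display-name impersonation rule (added example, not the article's code).

Models the technical prong described above: mail that arrives over an external
connection and presents an executive's name is diverted to a moderation mailbox.
The executive roster, mailbox and sample messages below are constructed
placeholders; a real deployment takes the roster from the directory and runs
the check inside the mail gateway, which knows whether a connection is external.
"""
from __future__ import annotations

import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

EXECUTIVES = ["Jane Q. Doe", "Carlos Rivera"]  # constructed roster
MODERATION_MAILBOX = "phish-review@example.com"  # constructed address


def normalize_name(name: str) -> list[str]:
    """Reduce a display name to lowercase ASCII tokens in first-name-first order."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # strip accents
    text = re.sub(r"\([^)]*\)", " ", text)  # drop role suffixes such as "(CEO)"
    if "," in text:  # "Doe, Jane" -> "Jane Doe"
        last, _, first = text.partition(",")
        text = f"{first} {last}"
    text = re.sub(r"[^a-z0-9 ]+", " ", text.casefold())
    return text.split()


# Match on first and last token so middle initials and reordering do not evade the rule.
EXEC_KEYS = [(normalize_name(n)[0], normalize_name(n)[-1]) for n in EXECUTIVES]


def matches_executive(candidate: str) -> str | None:
    """Return the roster entry the candidate string impersonates, or None."""
    tokens = normalize_name(candidate)
    if len(tokens) < 2:
        return None
    for exec_name, (first, last) in zip(EXECUTIVES, EXEC_KEYS):
        if first in tokens and last in tokens:
            return exec_name
    return None


def classify(raw_message: str, external: bool) -> tuple[str, str]:
    """Return (action, reason). `external` is what the gateway knows about the
    connection the message came in on; it is not inferred from the From: domain,
    because an exact-domain spoof would then look internal."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if not external:
        return "deliver", "internal connection"
    local_part = addr.rpartition("@")[0]
    # Check the display name and, beyond the article's rule, the local part
    # (jane.doe@...), which impersonators use when the display name is empty.
    for candidate in (display, re.sub(r"[._-]+", " ", local_part)):
        hit = matches_executive(candidate)
        if hit:
            return "quarantine", f"external mail presenting as {hit}: {display!r} <{addr}>"
    return "deliver", "no executive name match"


# Constructed sample messages: (raw RFC 5322 text, arrived over an external connection?)
SAMPLES = {
    "gmail_with_exec_display_name": (
        'From: "Jane Q. Doe" <jane.doe.ceo@gmail.com>\nSubject: Quick favour\n\nAre you at your desk?\n',
        True),
    "genuine_internal": (
        "From: Jane Doe <jane.doe@example.com>\nSubject: Board pack\n\nAttached.\n",
        False),
    "lookalike_domain_reversed_name": (
        'From: "Doe, Jane" <j.doe@examp1e.com>\nSubject: Wire transfer\n\nPlease action today.\n',
        True),
    "no_display_name_local_part": (
        "From: <carlos.rivera@outlook.example>\nSubject: New number\n\nSave this number.\n",
        True),
    "esign_notification_for_review": (
        'From: "Carlos Rivera (via E-Sign)" <noreply@esign.example.org>\nSubject: Please sign\n\nLink inside.\n',
        True),
    "vendor_newsletter": (
        "From: Vendor Newsletter <news@vendor.example.net>\nSubject: March update\n\nHello.\n",
        True),
}


def run_samples() -> dict[str, str]:
    """Apply the rule to every sample and return label -> action."""
    return {label: classify(raw, external)[0] for label, (raw, external) in SAMPLES.items()}


if __name__ == "__main__":
    for label, (raw, external) in SAMPLES.items():
        action, reason = classify(raw, external)
        target = MODERATION_MAILBOX if action == "quarantine" else "recipient"
        print(f"{label:32} -> {action:10} ({reason}); routed to {target}")
```

The e-signature sample is deliberately a legitimate notification: it lands in the moderation mailbox just like the impersonation attempts, which is the false-positive cost the policy accepts in exchange for a rule with no gaps. Two things the rule still does not cover are nicknames ("Janie" for "Jane") and a first-name-only display name, both of which stay with the recipient's judgment.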
Cybercriminals are smart, and protecting your organization requires techniques that are both pragmatic and creative. At the end of the day, phishing preys on user behavior and thus requires a change in behavior to overcome. Technology and company policies play their part, but end-user education is very important. Remember that email is only one of the vectors phishing can use; it can also arrive via text message (smishing), phone call (vishing), and other apps. Education will go a long way in helping users identify phishing scams in all their forms and safeguard not only corporate information but also their own.