
How to Prevent Phishing

LastPass, July 12, 2024

Phishing attacks remain the top threat vector in 2024. According to recent LastPass survey data, 81% of businesses say they've seen more phishing attacks over the past year. Even more worrisome? Despite 88% of respondents saying they're confident in phishing test programs, just 16% of users were able to identify 75% to 100% of suspicious activity under controlled conditions. 

The result? Attackers are casting more lines and it's harder than ever to dodge the hook. Here's what companies need to know about common phishing practices, how to spot potential problems, what steps users can take to reduce phishing risk, and what to do if malicious anglers get a bite. 

Understanding Phishing Attacks

Phishing is a simple concept: Attackers create fake emails that look legitimate and send these emails to hundreds or thousands of recipients. These messages attempt to convince users that they need to take immediate action — this action could be downloading a file, clicking on a link, or providing sensitive information such as account login and password details.  

Common techniques used in phishing attacks

There are several common techniques used in phishing attacks, such as: 

  • The urgent email

The urgent email wants users to act right now. It may contain warnings about breached passwords or account closures and often encourages users to follow a link that will fix the problem. 

  • The friendly email

The friendly email appears innocent. It may look like a B2B client reaching out, or an old "friend" making contact. Over the course of several messages, this technique builds trust until attackers share a link and users click through because their suspicions have been allayed.  

  • The in-house email

The in-house email appears to come from someone inside the company, often a manager or executive. It typically includes a request for staff members to take immediate action, such as transferring money or buying gift cards.  

  • The close-but-not-quite email

The close-but-not-quite email looks almost exactly like a message from a legitimate company, such as a financial firm or technology provider. From logos to colors to phone numbers, addresses, and tone of voice, the email is a near-perfect copy. Where it often falls short, however, is in the sender's address itself: the domain may add, drop, or swap a character or two (a digit 1 for a lowercase l, "rn" for "m", a hyphen or an extra word tacked onto the brand name) so that it passes as legitimate at a glance. Check the actual address rather than the display name, and compare the domain character by character with the one you know. 

Why phishing attacks are a significant threat

Phishing attacks remain a significant threat because they work.  

They work because their target isn't corporate security systems or business infrastructure — it's the humans behind the screen. While security tools operate on inviolate rules, humans are naturally social creatures. As a result, staff can be unknowingly convinced to take unsafe actions that put corporate systems and data at risk. 

Consider a technology-savvy middle manager who receives an email that appears to be from the company's outsourced IT provider. The email looks legitimate — from the graphics and fonts to the tone of voice and familiarity with business practices. The phishing message is simple: Due to a security breach, the manager needs to reset their password by clicking on a link.  

And with one click, attackers open the path to business networks. It's not for lack of vigilance on the part of staff members; instead, it's down to the ability of attackers to leverage social capital and convince users to take action.  

Recognizing Phishing Emails

While advanced security tools can help reduce the number of phish hooks that make it to employee inboxes, some still sneak through. Knowing what to look for can help staff members delete rather than dive into phishing messages.  

How to identify suspicious emails

Be suspicious.  

This is the simplest and most effective piece of advice to help identify phishing emails. It works because — much like zero trust — it does not assume good intentions. By encouraging staff to think critically about any messages they receive, IT teams can help reduce the risk of successful attacks. 

In practice, this means providing regular training on new phishing techniques and creating policies that encourage the reporting of suspicious emails. The second part of this practice is critically important. While many companies talk about the importance of phishing defense, they often treat the minutes staff spend reporting a message as lost productivity, which quietly discourages reporting. Make reporting cheap and blameless: a one-click report button in the mail client, no penalty for false alarms, and visible follow-up so people see that reports are acted on. By creating a culture of shared security, businesses can reduce the risk of compromise.   

Red flags to look out for in phishing emails

Several red flags may indicate an email is not what it appears: 

  • The message fails SPF, DKIM, or DMARC checks. These results are recorded in the Authentication-Results header that the receiving mail server adds; most users never see it, so this check belongs to the mail gateway and the security team rather than the recipient 
  • The sender's actual domain does not match the display name or the brand the message claims to come from, or the Reply-To address points somewhere else entirely 
  • A link's real destination, shown when hovering over it, differs from the text it displays 
  • Greetings are generic rather than specific 
  • There are large numbers of spelling and grammar errors 
  • The message is aggressively urgent
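The red flags above can be checked mechanically, and a mail gateway or security team does this on every inbound message. What follows is an added example, not code from the original post or from LastPass: a Python script that parses two constructed messages (every domain, address, and header value is invented) and reports authentication failures, sender-domain mismatches, a lookalike of an assumed trusted domain, links that point outside that domain, and urgency language. The TRUSTED_DOMAINS allow-list and the last-two-labels approximation of a registrable domain are assumptions made for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed messages with invented domains. Authentication-Results is the
# header the receiving mail server adds after evaluating SPF, DKIM and DMARC.
PHISH = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-verify.net;
    dkim=none; dmarc=fail (p=reject) header.from=examp1e-it.com
Return-Path: <bounce@mail-verify.net>
From: "Example IT Support" <helpdesk@examp1e-it.com>
Reply-To: <recover@mail-verify.net>
To: manager@example.com
Subject: URGENT: password reset required within 24 hours
Content-Type: text/plain; charset=utf-8

Due to a security breach you must reset your password immediately:
http://examp1e-it.com.reset-portal.net/login
"""
LEGIT = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-it.com;
    dkim=pass header.d=example-it.com; dmarc=pass header.from=example-it.com
Return-Path: <helpdesk@example-it.com>
From: "Example IT Support" <helpdesk@example-it.com>
To: manager@example.com
Subject: Maintenance window this Saturday
Content-Type: text/plain; charset=utf-8

The monthly maintenance window runs Saturday 02:00-04:00.
Status page: https://portal.example-it.com/status
"""

# Assumed allow-list: domains this organization expects mail and links from.
TRUSTED_DOMAINS = {"example.com", "example-it.com"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be closed")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def registrable_domain(host):
    """Organizational domain approximated as the last two labels (assumption:
    no public-suffix list, so co.uk-style suffixes are not handled)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, to catch a domain a character or two away from a
    trusted one (examp1e-it.com versus example-it.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message, trusted=TRUSTED_DOMAINS):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    # 1. The receiving server's SPF/DKIM/DMARC verdicts. Anything but "pass" counts.
    auth = str(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", auth, re.IGNORECASE)
        result = match.group(1).lower() if match else "missing"
        if result != "pass":
            findings.append(f"{method}:{result}")

    # 2. Envelope sender or Reply-To that disagrees with the visible From domain.
    from_dom = domain_of(msg.get("From"))
    if registrable_domain(domain_of(msg.get("Return-Path"))) != registrable_domain(from_dom):
        findings.append("return-path-mismatch")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and registrable_domain(reply_dom) != registrable_domain(from_dom):
        findings.append("reply-to-mismatch")

    # 3. The close-but-not-quite sender: near a trusted domain, but not it.
    for good in sorted(trusted):
        if from_dom != good and edit_distance(from_dom, good) <= 2:
            findings.append(f"lookalike:{from_dom}~{good}")

    # 4. Links whose real destination lies outside the trusted domains. The phish
    #    puts the trusted-looking name on the left of a foreign domain.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = url.split("//", 1)[1].split("/", 1)[0].split(":", 1)[0]
        if registrable_domain(host) not in trusted:
            findings.append(f"link:{host}")

    # 5. Pressure language in the subject or body.
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        findings.append("urgency")

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw) or "no red flags")
```

Run as-is, the first message yields eight findings and the second none. Two caveats apply in production: the Authentication-Results header is only trustworthy when your own server wrote it (strip any copy that arrives from outside before evaluating), and a passing SPF/DKIM/DMARC result only says the message really came from the domain it names, not that the domain is honest; attackers register and fully authenticate their lookalike domains, which is why the domain comparison in step 3 matters as much as step 1.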

Protecting Your Personal Information

Despite best efforts, some phishing attacks will succeed. Taking steps to protect personal information, however, can help reduce their impact.  

Best practices for safeguarding your sensitive data

There are several best practices for safeguarding your sensitive data. 

First and foremost? Share as little as possible with the fewest people possible. Less data shared means a reduced risk of compromise. It's also important to regularly review and update security safeguards such as passwords to help frustrate attacker efforts.  

Using strong and unique passwords

When it comes to passwords, two characteristics help improve protection: They should be strong and unique. 

Strong means long, at least 12 characters, with a mix of letters, numbers, and symbols. Unique means two things: the password is not a common word or a simple variation on one, such as "password" or "pa55wo3d", and it is used for one account only, so a password phished from one site cannot be replayed against others. Passwords should also be changed promptly whenever compromise is suspected.   

Implementing two-factor authentication

Two-factor authentication (2FA) can also help reduce the risk of phishing attacks. 2FA adds another layer of security; along with login and password details, users must also provide a second "factor" to authenticate their identity. This factor may be a one-time code delivered by text message or generated by an authenticator app, or a hardware security key that must be physically plugged into (or tapped against) a device. Text-message codes are the weakest of these, since they can be intercepted or redirected; hardware keys are the strongest.  

2FA acts like a firebreak: even if attackers obtain login and password data, they can't access networks without the second factor. One caveat is worth stating plainly. A one-time code typed into a web page can be relayed by a phishing site that proxies the real login in real time, so code-based factors narrow the attacker's window rather than closing it. Hardware security keys and passkeys built on FIDO2/WebAuthn are bound to the genuine site's origin and simply do not work on a lookalike domain, which is why they are described as phishing-resistant.  
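To make the "firebreak" concrete, here is an added example that is not code from the original post or from LastPass: a Python implementation of the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate, plus a toy login routine that refuses a correct password when the code is missing. The secret is the published RFC 6238 test key (the ASCII string 12345678901234567890, base32-encoded), the user store is constructed for the demo, and the fixed PBKDF2 salt is an assumption made only so the example is deterministic.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 test secret ("12345678901234567890" in base32). It is a
# reference vector for this example, not a real key.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(secret_b32, at_time, digits=6):
    """RFC 6238 one-time password: HMAC-SHA1 over the 30-second counter,
    dynamically truncated to the requested number of decimal digits."""
    key = base64.b32decode(secret_b32)
    counter = int(at_time) // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, at_time, window=1):
    """Accept the current code or one step either side to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    candidates = [totp(secret_b32, at_time + drift * STEP_SECONDS)
                  for drift in range(-window, window + 1)]
    return any(hmac.compare_digest(c, submitted) for c in candidates)


# Demo user store (constructed). A fixed salt is used only so the hash is
# reproducible here; real systems use a random per-user salt.
SALT = b"demo-salt-for-example"


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "manager": {
        "pw_hash": hash_password("Taper3d finLike Cheezee mumbo>"),
        "totp_secret": RFC_SECRET,
    }
}


def login(username, password, code, at_time):
    """Both factors must check out. A phished password alone stops here."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(hash_password(password), user["pw_hash"]):
        return "denied: bad username or password"
    if not verify_totp(user["totp_secret"], code, at_time):
        return "denied: second factor missing or wrong"
    return "granted"


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: counter 1 yields 287082
    print("current code:", totp(RFC_SECRET, now))
    print(login("manager", "Taper3d finLike Cheezee mumbo>", "", now))
    print(login("manager", "Taper3d finLike Cheezee mumbo>", totp(RFC_SECRET, now), now))
```

Note what the routine cannot do: if a proxying phishing page collects the password and the freshly generated code and forwards both within the 30-second window, verify_totp accepts them, because nothing in a TOTP code says which site the user thought they were talking to. That origin binding is exactly what FIDO2/WebAuthn adds and what makes hardware keys the stronger second factor.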

Securing Your Online Accounts

Secure online accounts can reduce the chance of a successful phishing attack. 

Tips for creating strong and memorable passwords

Passwords are the front lines of data defense. For passwords to be effective, however, they must be strong and memorable. 

Strong passwords are both long and varied. Here's an example:  

12345678 is a weak password because it contains a sequence of numbers that's easy to guess and is only 8 characters long. 

1@3$S6&8 is a better choice because it includes some symbols and a letter, but it could still be improved since the sequence is largely unchanged: on a US keyboard @, $, and & are simply the shifted 2, 4, and 7, and S stands in for 5, so a cracking tool that undoes those substitutions is back at 12345678. While adding length and genuinely random characters can further increase strength, this creates a knock-on issue: users may forget their passwords. 

Thankfully, it's possible to create passwords that are both strong and memorable. The key? Think phrases rather than simply characters.  

Consider this phrase-based password: 

tapered finlike cheese mumbo

Thanks to the human capacity for imagination, users can create mental connections that make this type of passphrase easy to remember. For a cracking program, meanwhile, the strength lies not in the phrase being hard to parse but in the number of combinations: four words chosen at random from a list of a few thousand give far more possibilities than eight characters do. The words must be random rather than a quote, song lyric, or other phrase an attacker can pull from a list. 

By applying some of the strengthening techniques above, this passphrase can be further enhanced: 

Taper3d finLike Cheezee mumbo> 
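The passphrase argument above can be turned into a small checker. The following is an added example, not code from the original post or from LastPass's own strength scoring: a Python script that scores the five candidates discussed in this section. It undoes the keyboard-shift and leet disguises so that 1@3$S6&8 is recognised as the sequence 12345678, flags near-variations of common words, and estimates guessing entropy by character classes for ordinary passwords and by word count for passphrases. The 7776-word list size (the classic Diceware list), the four-entry COMMON_WORDS stand-in for a breach list, and the verdict thresholds are assumptions made for the example.

```python
import math
import re

# Assumptions for this example (not LastPass's own scoring).
WORDLIST_SIZE = 7776  # Diceware-sized list, for passphrase entropy
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty")  # stand-in for a breach list
CLASS_SIZES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

# On a US keyboard "!@#$%^&*()" are the shifted digits, so 1@3$ is 1234 in disguise.
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")
# Leet spelling in both directions: letters that pass for digits, digits for letters.
LETTER_TO_DIGIT = str.maketrans("oliesatbg", "011354789")
DIGIT_TO_LETTER = str.maketrans("0134578", "oleastb")


def longest_sequence_run(pw):
    """Longest run of consecutive characters (1234, abcd, 9876) after undoing
    shift and leet disguises, so 1@3$S6&8 is recognised as 12345678."""
    s = pw.translate(UNSHIFT).lower().translate(LETTER_TO_DIGIT)
    best = run = 1
    direction = 0
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and direction in (0, step):
            run += 1
            direction = step
        else:
            run, direction = (2, step) if step in (1, -1) else (1, 0)
        best = max(best, run)
    return best


def looks_like_common_word(pw):
    """True if, after undoing leet spelling, the password is a common word or
    within two characters of one (pa55wo3d -> passwoed, one off "password")."""
    s = pw.lower().translate(DIGIT_TO_LETTER)
    for word in COMMON_WORDS:
        if word in s:
            return True
        if len(word) == len(s) and sum(a != b for a, b in zip(s, word)) <= 2:
            return True
    return False


def estimate_bits(pw):
    """Guessing entropy. Three or more words are scored as a passphrase: the
    attacker guesses whole words from a list, so character count is not what
    matters. Anything else is scored by the character classes present."""
    words = pw.split()
    if len(words) >= 3:
        return len(words) * math.log2(WORDLIST_SIZE)
    pool = sum(size for pattern, size in CLASS_SIZES if re.search(pattern, pw))
    return len(pw) * math.log2(max(pool, 1))


def assess(pw):
    """Verdict plus the reasons for one candidate password or passphrase."""
    run = longest_sequence_run(pw)
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if run >= 4:
        problems.append(f"contains a {run}-character sequence")
    if looks_like_common_word(pw):
        problems.append("variation of a common word")
    bits = estimate_bits(pw)
    verdict = "weak" if problems else ("strong" if bits >= 50 else "fair")
    return {"length": len(pw), "bits": round(bits, 1), "longest_run": run,
            "problems": problems, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("12345678", "1@3$S6&8", "pa55wo3d",
                      "tapered finlike cheese mumbo", "Taper3d finLike Cheezee mumbo>"):
        print(f"{candidate!r}: {assess(candidate)}")
```

The passphrase score is deliberately conservative: it credits the four words and ignores the capitalisation, digit, and trailing symbol in the final variant, because an attacker who knows the scheme tries those tweaks cheaply. The extra characters still help against attackers who do not, which is the sense in which the article calls the variant "further enhanced".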

Using a password manager for enhanced security

Companies can also improve security and reduce the risk of phishing attacks with secure password managers, like those from LastPass. With LastPass, you create a secure, encrypted vault to store your login data. Only you hold the Master Password. Passwords for trusted sites are auto-filled, which reduces exposure to keylogging and other password theft, and because autofill matches the site's real domain, a lookalike domain gets no credentials at all: the manager's refusal to fill is itself a warning that the page is not what it claims to be. A manager also makes unique passwords practical, so a credential phished from one site cannot be replayed elsewhere. 

Regularly updating and patching your software

It's also important to regularly update and patch your software. From productivity and collaboration tools to security products, any piece of software is a potential attack entry point if malicious actors can find and exploit vulnerabilities. Keeping software up to date reduces this risk. 

Educating Yourself and Others

Phishing attacks evolve over time, making education a key part of prevention.  

Providing phishing awareness training

Companies should hold awareness training at least twice a year or once per quarter if possible. These training sessions should include details about current phishing methods and what to look out for in unsolicited emails.  

Teaching employees or family members about phishing

Phishing attacks don't always take a direct route. For example, if criminals can compromise the accounts of family members, they may use these accounts to target employees. To limit the chance of these attacks, it's important to teach both staff and their families about phishing. Again, the simple rule applies: Be suspicious. Better to report a legitimate email by mistake than to open a malicious one.  

Sharing resources and tools to combat phishing

It's also a good idea to share resources and tools that can help combat phishing. Tools might include 2FA applications or password managers, while resources could include government websites, such as those from federal agencies like the FTC or state IT departments.  

Reporting and Responding to Phishing Attacks

When phishing attacks happen, reporting and response can reduce the impact. 

Steps to take if you fall victim to a phishing attack

If you fall victim to a phishing attack, act from a device you trust and start with the account that was phished: change its password, end any active sessions, and check for changes the attacker may have left behind, such as new mail-forwarding rules or a changed recovery address. Then change the password on any other account that shared it; this is where a password manager's record of which credentials are reused earns its keep. If a work account is involved, notify your IT or security team immediately so they can block the sender, check whether colleagues received the same message, and look for follow-on activity. Next, take stock of what has been compromised. Is it your personal email account? Business account? Financial or e-commerce account logins?  

Understanding the extent of the attack can help inform your next steps.  

Reporting phishing attempts to the appropriate authorities

Once you know what happened and where it happened, report the incident to the relevant authorities. 

For example, if your Amazon account is compromised, report the attack to the company. If your financial data is accessed, contact your bank, or credit card companies, and report the incident to the FTC.  

Recovering from a phishing incident

Recovery from a phishing incident can take time. Regaining control of your accounts and changing your passwords may take a few weeks, but the fallout from compromised data can last months or years. For example, if card or identity data was exposed, contact the credit bureaus, such as Equifax or TransUnion, to place a fraud alert or credit freeze so that new accounts cannot be opened in your name without your knowledge.  

Post-phish, it's also worth bolstering your security posture. This could mean implementing 2FA if you don't have it, improving the strength and uniqueness of your passwords, or moving to a password management platform. 

Bottom line? Phish happens. Reduce the risk by spotting common techniques, improving password security, and creating an incident response plan. 

Frustrate phishing efforts — start your LastPass trial today