Phishing is a widespread form of cyber-attack involving a target being contacted via email, phone, or text message by someone impersonating a legitimate organization with the goal of luring out sensitive data such as passwords or credit card details. Criminals typically use this information to steal their target’s money or, worse, their identity.
It is becoming inevitable that some employee will accidentally respond to a phishing email. Phishing attacks are widespread, with spear-phishing identified as one of the most successful tactics attackers use today. In this environment, the need for email security can’t be overemphasized. Employees must know what to do, and how to act fast, should they respond to a phishing email.
Phishing emails can target anyone within an organization. So, it’s critical to establish best practices that all users can apply. These guidelines should be incorporated into an organization’s comprehensive security awareness training program.
Before we establish the appropriate actions to take after an employee is tricked by a phishing email, it’s essential to point out that these scams can be delivered not only through traditional emails but also text messages. Attackers who use the latter method will impersonate a legitimate existing entity, such as a user’s bank.
The phishing mitigation steps outlined here demand cooperation from all responsible parties within your organization to be effective. There should be coordination among respective entities—the employee who responded to the email, the security analysts, and the information security manager. In the case of individual users, the steps outlined below also apply, provided the affected party engages the appropriate law enforcement agency.
Change your account credentials
Over the years, phishing attacks have become increasingly advanced and stealthy. They can be deployed in multiple ways, but their main objective, harvesting login usernames and passwords, has in most instances remained consistent.
If an employee clicked on a link that directed her to a faux website where she made login attempts, the attacker can acquire her login credentials and use them to perpetrate other cybercrimes such as email fraud. Given the likelihood of this type of attack, it’s crucial that a compromised user immediately changes the password for the respective account(s) that could have been compromised.
Spear-phishing is a type of phishing attack in which the attacker usually conducts thorough information-gathering on targets once they have been compromised. After the attacker ties the phishing victim to a particular account, they will try the same credentials on the user’s other known accounts. So, it’s highly important to change passwords not only for the compromised account but also for other associated user accounts, since in many cases victims reuse a single password across various accounts.
In short, changing passwords for all online accounts is recommended. Email passwords must be changed immediately, and new passwords must be validated against set email password policies to ensure they meet password complexity requirements.
Report the phishing incident
Attacks are often deployed as a mass campaign targeting many victims at once, frequently many employees within the same organization. Timely reporting of the incident therefore helps ensure that other employees who received the same phishing email but have not yet responded to it don’t also become victims of the attack.
Phishing incidents should be reported via the IT service desk or in accordance with the organization’s cyber incident response procedures (CIRP). At this stage, the report is meant to initiate an internal investigation concerning the phishing attack.
Fast reporting of incidents (immediately after employees realize they’ve responded to a phishing email) allows information security technical staff to launch crucial information-gathering about the attack. VirtualDoers’ phishing email reporting, analysis and remediation tool, PhishAlert, allows suspected phishing emails to be reported to security teams promptly, so that incident response teams can launch timely response activities.
Investigate the phishing attack
Initiating a preliminary investigation of the incident upon report via the IT service desk is crucial. The objective of such an investigation is to gather relevant and critical details about the attack and to assess its impact.
Key steps at this stage involve:
- Identifying the phishing emails that users engaged with,
- Locating other messages from the same sender or that have the same link,
- Determining who else in the organization may have received the same email to understand how widespread the attack may be, and
- Pulling those messages out of users’ inboxes.
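The four steps above can be scripted against a mailbox export. The following is an added example, not code from the original article or from the PhishAlert product: it parses a handful of constructed messages (placeholder addresses and reserved `.invalid` domains), pivots outward from the reported Message-ID on shared sender addresses and shared links, and returns the messages to pull from inboxes together with the users who received them. Because campaigns often rotate senders, the pivot repeats with each newly matched message’s indicators, which goes slightly beyond the single pass the steps describe.

```python
"""Scope a reported phishing email across several mailboxes.

Added example, not code from the original article or from PhishAlert.
All mailbox contents below are constructed; .invalid is a reserved placeholder TLD.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: (mailbox owner, raw RFC 822 message). The HR message is a control.
SAMPLE_MAILBOXES = [
    ("alice@example.org", """From: "IT Helpdesk" <helpdesk@examp1e-support.invalid>
To: alice@example.org
Subject: Password expires today
Message-ID: <phish-001@examp1e-support.invalid>

Your password expires today. Reset it at http://login.examp1e-support.invalid/reset
"""),
    ("carol@example.org", """From: "Document Share" <noreply@mail-examp1e.invalid>
To: carol@example.org
Subject: A file was shared with you
Message-ID: <phish-003@mail-examp1e.invalid>

Open the file: HTTP://LOGIN.examp1e-support.invalid/reset.
"""),
    ("dave@example.org", """From: "HR Team" <hr@example.org>
To: dave@example.org
Subject: Benefits enrollment
Message-ID: <hr-001@example.org>

Enroll at https://intranet.example.org/benefits by Friday.
"""),
    ("erin@example.org", """From: "Document Share" <noreply@mail-examp1e.invalid>
To: erin@example.org
Subject: Invoice attached
Message-ID: <phish-004@mail-examp1e.invalid>

View the invoice at http://docs.examp1e-support.invalid/view
"""),
]

URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)


def extract_link_keys(text):
    """Return normalized host+path keys for every URL found in the text."""
    keys = set()
    for raw in URL_RE.findall(text):
        parts = urlparse(raw.rstrip(".,;:)"))  # drop trailing punctuation
        keys.add((parts.hostname or "").lower() + parts.path)
    return keys


def indicators(raw_message):
    """Parse one message into the pivot points the investigation uses."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return {
        "id": str(msg.get("Message-ID", "")).strip(),
        "sender": parseaddr(msg.get("From", ""))[1].lower(),
        "links": extract_link_keys(text),
    }


def scope_campaign(mailboxes, reported_message_id):
    """Pivot outward from the reported message on shared senders and links."""
    parsed = [(owner, indicators(raw)) for owner, raw in mailboxes]
    seed = next(ind for _, ind in parsed if ind["id"] == reported_message_id)
    known_senders = {seed["sender"]}
    known_links = set(seed["links"])
    matched = {seed["id"]: "reported by user"}  # Message-ID -> reason to pull it
    changed = True
    while changed:  # repeat until a pass adds nothing new
        changed = False
        for _, ind in parsed:
            if ind["id"] in matched:
                continue
            if ind["sender"] in known_senders:
                reason = "same sender"
            elif ind["links"] & known_links:
                reason = "shares link"
            else:
                continue
            matched[ind["id"]] = reason
            known_senders.add(ind["sender"])  # new pivot points for the next pass
            known_links |= ind["links"]
            changed = True
    affected = sorted({owner for owner, ind in parsed if ind["id"] in matched})
    return {"quarantine": matched, "affected_users": affected}


if __name__ == "__main__":
    result = scope_campaign(SAMPLE_MAILBOXES, "<phish-001@examp1e-support.invalid>")
    for message_id, reason in result["quarantine"].items():
        print(f"pull {message_id}: {reason}")
    print("affected users:", ", ".join(result["affected_users"]))
```

In the constructed data, carol’s message uses a different sender but the same link as the reported one, and erin’s message shares only carol’s sender, so it is pulled in on the second hop; dave’s HR message shares neither and stays in place. Against a real export the `quarantine` mapping is the list handed to the mail administrator, and `affected_users` is the list of people to contact and, where they clicked, to treat as compromised.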
At this stage, endpoint analysis must also be conducted to identify potential malicious software that could have been introduced on the attack victim’s computer or the associated network. Phishing attack victims need to be on the lookout for identity theft.
Furthermore, it is a good idea to block the compromised account. A user could ask their bank, for instance, to block their online banking account if it’s been directly compromised by an attack. Upon notification, the owners of the spoofed email should also launch investigative procedures to check for anomalous activities. For example, a financial institution should monitor the account of a customer who is a phishing attack victim.
Engage relevant regulatory authorities and law enforcement
Several industry standards or government regulations require an organization to report phishing incidents within a stipulated period following the first time the incident is identified. For organizations operating in the healthcare sector, an incident involving a response to a phishing email must be handled in a way that ensures continued compliance with Health Insurance Portability and Accountability Act (HIPAA) requirements.
Besides ensuring compliance with industry standards and regulations, there’s a strong need to file a case with the appropriate law enforcement agencies. Whether a report is filed with law enforcement may depend on the extent of the damage the incident caused.
Implement remediation strategies and safeguard against future attacks
As a first line of defense, users must be well informed about the phishing attack vectors that attackers are currently employing. To help ensure that happens, organizations must conduct comprehensive cybersecurity awareness training.
Internal simulations of phishing scams are an effective strategy to help users avoid falling victim to phishing emails. Simulations expose users to real-world examples of phishing attacks so they can better spot a phishing email.
In addition to educating and training the workforce about the threat of phishing scams, organizations need to implement appropriate technical controls. These controls include, but aren’t limited to, blocking phishing emails through the application of email security techniques such as email filtering, sandboxing, machine learning models and browser isolation.
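As an added illustration of the email-filtering control mentioned above (not code from the original article), the script below scores a message on two indicators that a rules-based filter can check before delivery: a Reply-To or Return-Path domain that differs from the From domain, and an HTML link whose visible text names one host while its href points to another. The two messages are constructed for the demonstration, with placeholder `.invalid` domains.

```python
"""Score an inbound message on two simple phishing indicators.

Added example, not code from the original article. Both messages below are
constructed; .invalid is a reserved placeholder TLD.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample 1: replies routed to another domain, and link text that
# shows the bank's real host while the href points somewhere else.
PHISH_SAMPLE = """From: "Example Bank" <alerts@example-bank.invalid>
Reply-To: support@mail-examp1e.invalid
To: alice@example.org
Subject: Unusual sign-in detected
Content-Type: text/html; charset="utf-8"

<html><body><p>Confirm your identity at
<a href="http://login.examp1e-support.invalid/verify">https://online.example-bank.invalid/verify</a>
within 24 hours.</p></body></html>
"""

# Constructed sample 2: internal message whose link text and href agree.
LEGIT_SAMPLE = """From: "HR Team" <hr@example.org>
To: alice@example.org
Subject: Benefits enrollment
Content-Type: text/html; charset="utf-8"

<html><body><p>Enroll at
<a href="https://intranet.example.org/benefits">intranet.example.org/benefits</a>
by Friday.</p></body></html>
"""

# Link text that looks like a URL or bare hostname, e.g. "bank.example/login"
HOSTLIKE_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def phishing_indicators(raw_message):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    # Indicator 1: replies or bounces routed to a domain other than the sender's.
    for header in ("Reply-To", "Return-Path"):
        address = parseaddr(msg.get(header, ""))[1]
        if address and domain_of(address) != from_domain:
            findings.append(f"{header} domain {domain_of(address)} differs from From domain {from_domain}")
    # Indicator 2: link text naming one host while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            shown = HOSTLIKE_RE.match(text)
            target = (urlparse(href).hostname or "").lower()
            if shown and shown.group(1).lower() != target:
                findings.append(f"link text shows {shown.group(1).lower()} but points to {target}")
    return findings


def classify(raw_message):
    """Filtering decision: hold anything with at least one finding for review."""
    findings = phishing_indicators(raw_message)
    return ("quarantine" if findings else "deliver", findings)


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, classify(sample))
```

Any finding holds the message for review; a production filter would weigh these two signals among many others (sender reputation, authentication results, attachment analysis) and keep an allow-list for legitimate mail that routes replies through a third-party domain, since that pattern is common with marketing and ticketing systems.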