How to Protect Your Data from Email-Based Phishing Attacks

Recap from FBI HQ

On October 21, 2020, at a press conference on election security at FBI headquarters, the Director of National Intelligence, John Ratcliffe, and FBI Director Christopher Wray addressed foreign actors’ attempts to interfere in the U.S. elections and the public’s role in helping the intelligence community maintain the integrity of the elections.

Director Ratcliffe informed the public of such interference attacks being carried out by Iran and Russia.  More specifically, the two foreign actors were able to obtain some voter registration information.  It was then used by Iran to send “spoofed” emails and communicate false information to registered voters.  The director assured that all such attempts were instantly detected and disrupted by the FBI and DHS.

Director Wray further emphasized the commitment of the FBI and its intelligence community partners to bolster security as well as to identify and neutralize cyber threats.  He encouraged the public to exercise thoughtfulness and caution when consuming information online – a message that echoed Ratcliffe’s appeal to the public to do their part and act responsibly when receiving manipulative emails.

Email-based phishing: is your organization vulnerable?

Director Ratcliffe’s and Director Wray’s call for public participation and responsible consumption of online information goes to the heart of a larger issue: email-based phishing attacks.  This type of cyber threat reaches well beyond its potential impact on the elections.  Verizon’s 2020 Data Breach Investigations Report found that 22% of breaches in 2019 involved phishing.  It is one of the main ways for hackers to gain access to users’ sensitive data, such as email addresses, phone numbers, names, credit card information, and physical addresses.

Data is stolen when a user is tricked into opening a phishing email and clicking on a malicious link.  That click also confirms to the attacker that the email address is live and can be targeted again in future attacks.  According to the FBI’s 2019 Internet Crime Report, individuals and businesses suffered $3.5 billion in losses in 2019 due to internet-enabled crimes and scams, $57 million of which was due to phishing scams.

How to protect your organization

It is imperative for organizations to be both mindful of the possibility of such attacks and proactive in strengthening their security.  Educating employees on how to spot such emails and to exercise caution is an actionable step towards better organizational security.  According to IBM, more than 90% of cyberattacks succeed due to some type of human error.  That means that by organizing regular training sessions and keeping your employees up to date on responsible digital behavior, you are sharply reducing the chances of hackers succeeding in their attacks.

The Gamma team advises implementing additional measures that go beyond installing the latest Anti-Virus and Anti-Malware (AV/AM) software and employee training. Such measures include:

● Flagging emails that come from outside your organization,

● Adding secure email gateway capabilities that allow only approved Domain Name System (DNS) resolvers and forwarders to be used,

● Incorporating multifactor authentication (MFA) for email.
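As an added example (not part of the original post or of any Gamma team tooling), here is the logic behind the first measure, flagging mail from outside the organization, in Python: it parses a message, compares the sender’s domain with a placeholder list of internal domains, records a Reply-To that points elsewhere and a display name that borrows an internal domain, and prefixes the Subject once.  INTERNAL_DOMAINS and the two sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumption: the organization's own mail domains (placeholder value).
INTERNAL_DOMAINS = {"example.com"}
EXTERNAL_TAG = "[EXTERNAL]"

def addr_domain(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def tag_external(raw_message):
    """Parse one RFC 5322 message; return (message, findings). Tags Subject once."""
    msg = email.message_from_string(raw_message)
    from_domain = addr_domain(msg.get("From"))
    reply_domain = addr_domain(msg.get("Reply-To")) or from_domain
    display_name, _ = parseaddr(msg.get("From", ""))
    findings = []
    if from_domain not in INTERNAL_DOMAINS:
        findings.append("external-sender")
    if reply_domain != from_domain:
        findings.append("reply-to-mismatch")  # replies go somewhere else
    # Display name mentions an internal domain while the real address is external.
    if from_domain not in INTERNAL_DOMAINS and any(
        d in display_name.lower() for d in INTERNAL_DOMAINS
    ):
        findings.append("display-name-spoof")
    subject = msg.get("Subject", "")
    if findings and not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]  # a re-scan of a tagged message must not double the tag
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg, findings

# Constructed sample messages (not real traffic).
SAMPLE_EXTERNAL = """\
From: "Payroll at example.com" <update@mail-example.net>
Reply-To: collect@another-domain.net
To: staff@example.com
Subject: Confirm your voter registration details

Please click the link below.
"""
SAMPLE_INTERNAL = """\
From: it-helpdesk@example.com
To: staff@example.com
Subject: Scheduled maintenance
"""
```

A mail gateway or transport rule applies the same comparison at scale; the findings list is what you would feed into a quarantine or user-facing banner decision.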

As an organization, you are only as strong as your weakest link.  A single user’s click on a malicious link within a scam email can pose a threat to the entire system.  Implementing these additional security measures will act as a fail-safe against human error.