Phishing remains one of the most pervasive and damaging cyber threats today, typically aimed at confidential information and financial assets. As an offensive security researcher, I’ve seen how a single click can cause major breaches. This post breaks down how phishing attacks work and the practical security measures IT teams can implement to stop them, based on real-world experience. Reporting phishing attempts to organizations such as the Anti-Phishing Working Group (APWG) helps the wider community respond, and staying informed about emerging tactics, such as the use of deepfake technology to make lures more convincing, matters because attackers constantly adapt.
What is a phishing attack?
Phishing is a form of social engineering in which attackers impersonate trusted entities to trick victims into revealing sensitive information or installing malware. Typically, victims receive emails or messages that look legitimate and urge them to click links or open attachments that lead to fake login pages or malicious code. Following those links exposes users to data breaches and malware infections. Attackers also use direct messages on social media platforms to lure users into phishing scams. These messages often contain spelling mistakes or generic greetings, which can be a clue that they are not legitimate.
Recognizing a phishing message and verifying its authenticity by contacting the sender through official channels is crucial. Employees should be encouraged to report suspicious emails and direct messages as part of a broader security awareness strategy, and anyone who does fall for a phishing attack should act immediately to limit the damage.
Types include:
Email Phishing: Mass emails pretending to be from legitimate sources to steal login info or spread malware.
Spear Phishing: Targeted, personalized emails crafted from information gathered about the victim.
Whaling: Spear phishing aimed at high-level executives for sensitive info or money.
Smishing: Phishing via text messages leading to fake sites.
Vishing: Voice calls pretending to be officials or support to extract info.
Phishing prevalence:
In 2023, phishing was the top reported cybercrime in the U.S., causing billions in losses. In Canada, 66% of businesses faced phishing attacks, with financial losses rising. Globally, phishing triggers 41% of security incidents and is involved in 80% of breaches. The Cybersecurity and Infrastructure Security Agency (CISA) plays a crucial role in combating phishing attacks by providing guidelines and support to organizations.
No organization is safe. Modern phishing is convincing, so focus on layered defenses and on promoting skepticism rather than blaming users. Multi-factor authentication (MFA) adds an extra layer of security to user accounts, making it harder for attackers to gain access even if credentials are compromised. Sending authentication codes by text message is a common MFA method; keep in mind, though, that one-time codes can still be relayed by an adversary-in-the-middle proxy (see the techniques below), so MFA is one layer among several. Security teams play a critical role in monitoring for phishing incidents and streamlining employee reporting. Staying informed about evolving threats, such as phishing that leverages deepfake technology, is essential for keeping defenses current.
Common phishing techniques
Spoofed Domains: Fake domains resembling real ones, used to slip past email security. Attackers may also tamper with DNS so that the translation of a domain name to an IP address points users at a malicious server. Always verify the legitimate website address to ensure you are not being redirected to a malicious site; phishing attempts are routinely disguised as legitimate communications to steal sensitive information.
Fake Login Pages: Copycat sites that steal credentials, often served over HTTPS so the padlock icon makes them appear legitimate. Inspect suspicious links and verify where they lead before clicking; a malicious link can result in system compromise or unauthorized access to sensitive information. Grammatical errors in the accompanying email are a further warning sign.
Vishing & Smishing: Phone calls and texts using urgency or fear to trick victims.
Business Email Compromise: Fake emails from executives or suppliers requesting money or info.
Phishing Kits & Automation: Tools that automate large-scale phishing campaigns.
Adversary-in-the-Middle Attacks: Proxies intercepting MFA tokens, bypassing standard MFA protections.
Next, we’ll cover best practices to reduce phishing risks with layered controls. It is crucial to understand phishing to recognize and prevent these attacks effectively.
Best practices and practical controls to protect against phishing attacks
Protecting against phishing requires both technical tools and user awareness. Recognizing suspicious messages early, by spotting warning signs such as generic greetings and mismatched email domains, can prevent a breach, and layered defenses ensure that if one control fails, others can still stop the attack.
Phishing scams often exploit current events to trick users into revealing sensitive information. Organizations like the Anti-Phishing Working Group collect data on campaigns to help improve defenses. Never share confidential data in response to unexpected requests. Security teams should regularly assess training effectiveness through mock phishing tests and close the gaps they reveal.
1. Set up DMARC, DKIM, and SPF for your domains
These email authentication protocols let receiving mail servers verify that messages claiming to come from your domain really do, so spoofed messages can be blocked. Correctly configured, they prevent attackers from sending convincing phishing emails that appear to come from your organization. Microsoft recommends DMARC to reduce spoofing and phishing risks. Training employees to report suspicious emails, to verify requests like password resets, and to confirm the legitimacy of suspicious emails by phone call is also essential.
Attackers often request account information in phishing emails, impersonating trustworthy entities to trick individuals into revealing sensitive data. Educating employees about these tactics can significantly enhance your organization's cybersecurity measures.
Additionally, check the actual web address behind links in emails before following them; recognizing the true destination of a suspicious link helps avoid scams that bypass traditional email security measures.
Steps for technical implementation:
SPF (Sender Policy Framework): SPF allows you to specify which mail servers are allowed to send email on behalf of your domain. It's implemented via a DNS TXT record. For example, if your company uses Office 365 for email, your SPF record might look like:
example.com. IN TXT "v=spf1 include:spf.protection.outlook.com -all"
This says that mail from example.com should only come from the servers listed in Microsoft's SPF record (spf.protection.outlook.com), and that anything else should hard-fail (-all). To set up SPF, inventory every service that sends email using your domain and add each one's include or IP range to your record, keeping within the protocol's limit of ten DNS lookups. Then publish the TXT record in DNS and check it with tools like the MXToolbox SPF checker or dig/nslookup.
DKIM (DomainKeys Identified Mail): DKIM uses a public/private key pair to sign email headers and body, so the receiver can confirm which domain vouched for the message and that it was not altered in transit. You generate a key pair, publish the public key in a DNS TXT record, and your mail server signs outgoing mail with the private key. A receiver fetches the public key from DNS to verify the signature. The DNS record name includes a selector you choose (for example selector1._domainkey.example.com). A DKIM DNS record might look like:
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh...ABC123...; "
The p= value is the base64-encoded public key. Many email services, such as Microsoft 365 and Google Workspace, let you turn on DKIM in their admin settings and give you the DNS records to publish. Once published, use a tool like the DKIM core validator to confirm that your outgoing mail is signed properly.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds on SPF and DKIM to tell email receivers what to do when a message fails authentication, and it provides feedback reports about mail sent in your domain's name. The DMARC policy is published as a DNS TXT record at _dmarc.yourdomain.com.
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=s; adkim=s;"
Let's break it down:
p=reject: If an email doesn't pass SPF/DKIM checks, the receiver should block it. (Other options: quarantine to mark it as spam, or none to just report and do nothing.)
rua=mailto:...: This is where the summary reports will be sent (use a service or an email address).
aspf=s; adkim=s: Set SPF and DKIM alignment to strict, meaning domains must match exactly. This tightens security against similar-looking domains.
Start with p=none to just watch how emails from your domain are treated, then move to quarantine, and finally to reject once you're sure all legit senders are verified. DMARC gives you great insights with reports if someone tries to misuse your domain. With enforcement (reject or quarantine), fake emails from your domain will be blocked by receivers as intended.
Validation: Once you've set up your records, it's time to test them using some free tools. For SPF, try sending a test email to Gmail and check the headers for “Received-SPF: pass”. For DKIM, look for the “DKIM-Signature” header. For DMARC, services like dmarcian or MXToolbox are great for testing. Also, keep an eye on the email in rua= for XML reports from mail providers to see if DMARC is working.
Tip: Make sure all your email services (like newsletters and CRM) are on the same page. If you miss one, DMARC might block them by mistake. Use the monitoring phase to catch any problems.
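To make the alignment rules concrete, here is an added Python example (not from the original post) that parses a DMARC record and evaluates DMARC the way a receiver does: the message passes if either SPF or DKIM passed and its authenticated domain aligns with the From domain under the record's aspf/adkim mode. The domains and authentication outcomes are constructed, and the organizational-domain logic is a simplification (a real receiver consults the Public Suffix List).

```python
from typing import Dict, Optional, Tuple


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into tags; relaxed alignment is the default."""
    tags = {"aspf": "r", "adkim": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + txt)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). Assumption for this
    example only; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(record: str, from_domain: str,
                 spf_domain: Optional[str], spf_pass: bool,
                 dkim_domain: Optional[str], dkim_pass: bool) -> Tuple[str, str]:
    """Return (result, disposition). DMARC passes when the SPF-authenticated
    domain or the DKIM d= domain both passed and aligns with the From domain;
    otherwise the record's p= policy becomes the disposition."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return ("pass", "none") if (spf_ok or dkim_ok) else ("fail", tags["p"])


# Constructed records: the strict one from the text, and a relaxed variant.
STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=s; adkim=s;"
RELAXED = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Legitimate mail signed by example.com itself: aligned, passes.
    print(dmarc_result(STRICT, "example.com", "example.com", True, "example.com", True))
    # Spoof: From example.com, but SPF only passed for a constructed attacker domain.
    print(dmarc_result(STRICT, "example.com", "mail.example.net", True, None, False))
    # Newsletter sent from a subdomain: strict alignment rejects it...
    print(dmarc_result(STRICT, "example.com", "news.example.com", True, "news.example.com", True))
    # ...while relaxed alignment accepts it. Check this before moving to p=reject.
    print(dmarc_result(RELAXED, "example.com", "news.example.com", True, "news.example.com", True))
```

The third and fourth cases show why the monitoring phase matters: a legitimate subdomain sender that passes under the default relaxed alignment is rejected once aspf=s/adkim=s is published.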
Tools & References:
Free: DMARC Record Wizard – Dmarcian, Microsoft SPF/DKIM/DMARC guides.
Verification: MXToolbox SPF & DMARC checkers, Google Admin Toolbox Check MX.
Paid/Advanced: Email security gateways like Proofpoint, Mimecast, or Barracuda build on your SPF/DKIM/DMARC records with additional inbound filtering.
Setting up SPF, DKIM, and DMARC usually just needs a one-time setup and some teamwork between DNS and email admins. This helps stop domain impersonation and blocks a lot of phishing attempts.
2. Use anti-malware and EDR to block malicious payloads
What it is and why it matters: Phishing often delivers malware through attachments or downloads. Anti-malware software and Endpoint Detection & Response (EDR) tools detect and block such threats in real time, which matters most when a user does open a malicious attachment. CISA recommends EDR as a key defense against phishing malware. Reporting malicious emails to the sending internet service provider (ISP) helps get the source blocked and investigated, and after a phishing incident, change the passwords on all affected accounts to prevent further unauthorized access.
Blocking access to malicious websites is another critical step in preventing phishing attacks. These sites can install malware on victims' devices or trick them into divulging sensitive information.
How to implement:
Ensure all devices have up-to-date anti-malware/EDR solutions. Options include:
Microsoft Defender for Endpoint: Built into Windows with strong EDR features.
Third-party EDR suites: CrowdStrike Falcon, SentinelOne, etc.
Next-gen Antivirus: Uses machine learning to detect unknown threats.
Enable real-time scanning, automatic updates, and email attachment filtering. EDR also alerts your security team about suspicious activities.
Recommended tools:
Free: Windows Defender, Avast, AVG.
Paid: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint.
Consider email security services like Proofpoint or Mimecast to block phishing emails with malicious content.
3. Configure external email tagging
What it is and why it matters: Adding an “[External]” tag to emails from outside your organization helps users spot phishing emails that mimic internal messages. Users should also check that a sender's address matches the expected domain name before clicking on links. Recognizing and handling suspicious messages is a core part of both phishing simulations and day-to-day email security.
External email tags can significantly improve your organization's security posture, but no training can realistically prepare users to identify every phishing attempt. Creating a supportive cybersecurity culture in which employees feel safe to report phishing incidents, rather than fearing repercussions, is essential.
How to implement:
Office 365 (Exchange Online): Turn on external email tagging with this Exchange Online PowerShell command:
Set-ExternalInOutlook -Enabled $true
This makes Outlook flag messages that come from outside the organization. You can also set up a mail flow rule to prepend “[External]” to the subject line.
Gmail (Google Workspace): In the admin console, turn on “Enable warning banner for external emails.” You can also choose to tag these emails with “[External].” Gmail will then show a yellow banner on messages from outside the organization.
On-Prem Exchange or Others: Set up a transport rule to add “[EXTERNAL]” to the subject of emails from outside. Many email gateways have similar options.
Best practices:
Customize the banner message for clarity, warning about external origins and suggesting caution with links and attachments.
If needed, make exceptions for trusted external systems, such as transactional email senders, to avoid confusion.
Remind users that an email without an [External] tag is not automatically safe: internal accounts can still be compromised.
Tools & References:
For Office 365: Microsoft documentation on ExternalInOutlook.
For Gmail: Google Workspace Admin settings.
For third-party email filters, check their documentation for features related to external email banners.
4. Use password managers and enforce strong, unique passwords
Phishing targets reused or weak passwords. Password managers like 1Password or Bitwarden create and store strong, unique passwords, limiting the damage from credential theft. Their browser plugins auto-fill credentials only on the matching site, so a fill that fails to appear is a useful hint that the page is a fake. Combine strong password policies with MFA for stronger protection. Change passwords promptly after breaches and verify password reset requests carefully. Always verify emails claiming to be from reputable companies, especially if the email domain looks suspicious.
5. Train users to avoid reusing corporate credentials on external sites
Using work credentials on non-work sites increases risk if those sites are breached. Security training should emphasize unique work passwords and encourage accessing official sites directly rather than via email links. Phishing simulations reinforce this. Promptly reporting suspicious activity, including malicious messages in email clients or platforms like Microsoft Teams, helps the security team improve filtering.
6. Monitor for exposed credentials
Use tools like Have I Been Pwned to detect whether company email addresses or passwords appear in known breaches. Cybercriminals often impersonate trusted figures to pressure individuals into complying with fraudulent demands. Prompt affected users to change passwords immediately. Integrate breach data into password policies to block compromised passwords and provide early warning. Where personal data is exposed, notify credit agencies to place fraud alerts and prevent identity theft.
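As an added example (not from the original post), this Python snippet shows how to screen a password against the Have I Been Pwned "Pwned Passwords" range API without ever sending the password itself: only the first five hex characters of its SHA-1 hash are sent, and the returned list of hash suffixes is matched locally (the k-anonymity model). The API response embedded below is constructed so the demo runs offline; the live fetch function uses the public endpoint.

```python
import hashlib
from typing import Callable, Tuple
from urllib.request import Request, urlopen

PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API's response to prefix 5BAA6: each line is
# "<remaining 35 hex chars of a SHA-1>:<times seen in breaches>".
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # SHA-1 suffix of "password"
    "0123456789ABCDEF0123456789ABCDEF012:7\r\n"        # constructed filler
    "FEDCBA9876543210FEDCBA9876543210FED:1\r\n"        # constructed filler
)


def fetch_range_live(prefix: str) -> str:
    """Query the real service for one 5-hex-character prefix (needs network)."""
    req = Request(PWNED_RANGE_API + prefix,
                  headers={"User-Agent": "pwned-password-check-example",
                           "Add-Padding": "true"})  # padding hides the true row count
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in breach data (0 = not seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]           # only the prefix leaves the host
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)                          # padding rows carry count 0
    return 0


def password_policy_check(password: str, fetch_range: Callable[[str], str],
                          min_length: int = 8) -> Tuple[bool, str]:
    """Policy used by this example: minimum length, and never a breached password."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"found {seen} times in known breaches"
    return True, "ok"


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE   # swap for fetch_range_live
    for candidate in ("password", "correct-horse-battery-staple-2024"):
        print(candidate, "->", password_policy_check(candidate, offline))
```

Wiring this check into a password-change flow is what "block compromised passwords" looks like in practice; the breach counts in the sample are constructed, and the live service will return different figures.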
7. Enforce least privilege access
Limit user and system access to only necessary resources to reduce damage if credentials are compromised. Use separate admin accounts, privileged access management, and network segmentation. Regularly audit permissions and promptly report phishing incidents to contain breaches.
8. Test employee phishing awareness and system controls
Conduct regular mock phishing campaigns to train users and to evaluate defenses such as spam filters and EDR. Use the results to identify weaknesses and provide targeted training, and share findings with management to improve security posture. Reporting real phishing attacks to the appropriate authorities is essential for mitigation. Tools like GoPhish and KnowBe4 assist with simulations. Educate employees on recognizing phishing tactics, including false urgency, to prevent successful attacks.
System check-up tips:
Test if phishing emails bypass spam filters and adjust settings accordingly.
Verify EDR alerts on opened malicious attachments and tune detection.
Check that DNS filters or proxies catch malicious links, using safe test URLs.
Evaluate effectiveness of external email tags; enhance visibility if needed.
Tip: Share results with management and teams, highlight improvements and areas for extra training. Simulated phishing campaigns act as fire drills, preparing your team and testing defenses to reduce real attack impact.
Conclusion
Phishing attacks remain a major risk for companies, but a layered defense approach substantially reduces it. Protecting financial information and login credentials is crucial to prevent unauthorized access and data breaches. Here’s what you can do:
Educate and Empower Users: Make sure everyone knows what phishing is and how to spot it. Give them tools like password managers and external email tags, and encourage verifying requests through a second channel.
Harden Email and Accounts: Use SPF, DKIM, and DMARC to stop domain spoofing. Require strong passwords or MFA. Keep an eye on breach data to fix compromised passwords.
Layer Technical Protections: Set up email filtering, link scanning, and attachment sandboxing. Use endpoint defenses (EDR) and network segmentation to keep intrusions in check.
Test and Verify: Run phishing simulations and drills to find and fix weak spots. Regular testing keeps everyone on their toes.
Tip: No single step is perfect, but combining user training, email authentication, endpoint protection, and testing builds a strong security setup. Each layer acts like a safety net, catching threats that get past the others. Stay alert, keep educating, and update defenses as threats change. A well-trained team and smart controls are your best shot at beating phishing, and an easy way to report phishing from the email client helps security teams investigate and mitigate threats quickly.