Protecting Your Business from Phishing Attacks – Decrease Your Exposure

Phishing is one of the most common attack vectors that we encounter. From the perspective of a hacker, it’s a simple scam to run. They take a long list of email addresses, send out the same email to all of them, and then see who bites.

This set up often works well for them, which is why they keep the con going.

While there is no fool proof way to protect yourself 100% of the time, there are things that you can do to mitigate your risk. In this article we’re going to take and in depth look at some concreate tactics to decrease your exposure to phishing scams.

Keep Your Business, Business, and Keep Your Personal, Personal!

One of the easiest methods to reduce your exposure is very simple. Keep your business, business, and keep your personal, personal.

In other words, don’t ever use your business email address to sign up for anything that is not business-related. It’s very common to see people signing up for social media and online shopping accounts using their work email address. They may not have a personal email, or sometimes it’s simply because they don’t think about it. There are many reasons why we recommend not using your work email for personal business. From a security aspect, it makes a huge difference is decreasing your exposure.

For example, if you get an email from Facebook to your business email address, but you know that you didn’t sign up using that email, then it’s obvious that it’s a phishing email. The same goes for other social media sites, as well as online shopping and bill pay. If you don’t have a personal email, that can be easily fixed by signing up for a free email account from Google or Microsoft.

Don’t Play the Password Variation Game

Take a moment and think about the password that you use to sign into your bank account. Now try to remember how many other places you use either that same password or a derivative of it.

It’s common for people to try to make passwords easy to remember by using a root concept or keyword for all their accounts. For example, if your dog’s name is Chester and you got him in 2019, when you sign up for your free email account you decide an easy-to-remember password would be Chester2019. Then you sign up for online access to your bank account and need a new password for this as well. Rather than trying to come up with something new, you re-use Chester2019.

But the bank requires a more “complex” password. So, you add a symbol and Chester2019 becomes Chester2019!. This process continues for every new online account you sign up for. Now you have several different variations of the same password.

What’s the risk here?

Pretend that you fall for a Phishing email, and now the attacker has your email password. One of the first things a savvy attacker will do is look for emails from your bank, Amazon, and other sites. This is to see what other online services you use and other accounts they can take advantage of. Then, they go to those sites and try the same password you just gave them. They will also try common variations of your password to see what works.

Try a Password Manager

We often hear that remembering multiple passwords that vastly differ from each other is extremely difficult. A Password Manager application can really help with this issue.

With a password manager, you only use (and must remember) the password to sign in. Once you’ve set up your account the manager becomes the repository for all your other passwords. Many password managers also have the functionality to automatically generate secure passwords for you, so that you don’t have to come up with passwords on your own.

A Quick Note

A web browser should not be used as a password manager. Historically, web browsers have been lax about storing this information in a secured format, leaving you open to attackers if your computer is compromised.

Consider Passphrases, not Passwords

There can be some cases and applications where a password manager is not a good fit. The Windows Login screen is a good example of one of these cases. For these situations, a simple technique for choosing a password that is secure and yet memorable is to stop using passwords.

You heard us right!

Rather than passwords try using short phrases. You can accomplish this by utilizing proper capitalization, adding a number here or there, and using proper punctuation. Doing this often meets the complexity requirements for most use cases. You’ll also have something easier to remember! For example, which of these would you say is easier to remember: “W@9da41!”, or “1 Really long password!”? The second is likely easier to remember, and technically it’s more secure!

You may have to play around with spaces and number of words in your passphrase, dependent on the requirements of the site you’re using. But a memorable passphrase can save you the headache a forgotten password might have caused!

Multifactor Authentication (MFA, or 2FA for short) is a must

As more online services are becoming increasingly security-aware, many provide an option for Multifactor Authentication.

MFA is defined as a security technology requiring multiple data points to prove who you are. The most basic authentication is your password. The second data point you’re asked to provide can vary. Lower security options can be an email or text with a random code which you then provide to complete the login process. Options at security’s higher end can ask for a fingerprint or a facial scan.

To truly fit the definition of multifactor security the data points must come from at least two of the following categories:

• Something you know - your password or passphrase
• Something you have - access to your email, phone, hardware token, or app
• Something you are - your fingerprint or facial scan

MFA provides increased levels of security over a simple password, but in most cases is still not bulletproof. For example, emailing or texting you a random code is considered the least secure method of providing something you have. If the attacker has already compromised your email account, they can read the email with the random code as soon as it’s sent. They can even set up a rule to redirect or delete emails so that you never know the code you requested arrived.

Wrapping Up Decreased Exposure

Decreasing your exposure to threats is essential to keeping your data secure. Passwords, Passphrases, Password Managers, and MFA are all great options, and we would recommend layering these as part of your cyber security plan. No security method is guaranteed, so with multiple layers, if one layer fails you have another to pick up the slack.

In part three of this series, we’re excited to present another method to keep you and your data safe from phishing by Increasing Your Awareness!

Read Part 3