How to detect and prevent phishing attacks
A sense of urgency: An attacker will often pressure their victim into providing information, performing an action, or paying for something. They may tell you your account has been suspended, or that you have an unpaid invoice, and you must take action now. They may use language that suggests you need to act immediately — or else.
The email address or domain: Email phishing attacks sometimes come from public mail providers, or from domains that are crafted to impersonate the company being spoofed.
Web links: Similarly, phishing emails often include web links that appear to point at a legitimate company but almost always lead the target somewhere else. While the destination website may look like the real deal, its URL will belong to another site.
Generic language: In the case of bulk-sent phishing emails, they’ll use a generic greeting like “Dear Sir/Madam,” or just “hello.”
An element of surprise: If you can’t think of a reason why your social media account has been suspended or your bank is trying to get you to verify your information, or you’ve received an invoice you weren’t expecting, it’s worth taking a moment to check whether it’s legitimate.
Language style: People have their own unique ways of communicating. If you receive a message from a friend or a colleague but it doesn’t sound like them, be cautious.
Attachments: Be wary of downloading attachments from senders you don’t know, or that your email provider has not scanned for viruses.
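As an added illustration of the domain and web-link checks above (this code is not part of the original article), a small Python checker that flags links whose visible text names a different site than the real destination, or whose destination embeds or closely resembles a known brand domain. The brand allowlist, the sample email and the 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist: real domains of the brands this organisation deals with.
LEGIT_DOMAINS = ("examplebank.com", "examplepay.com")
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")
# Simplified anchor matcher (a production tool would use an HTML parser).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Crude 'brand.tld' reduction (no public-suffix list): keep the last two labels."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(domain):
    """Return the legitimate domain that `domain` imitates, or None if it is genuine."""
    if domain in LEGIT_DOMAINS:
        return None
    for legit in LEGIT_DOMAINS:
        # Brand name embedded in a foreign domain, or a near-identical spelling (assumed threshold).
        if legit.split(".")[0] in domain or SequenceMatcher(None, domain, legit).ratio() > 0.85:
            return legit
    return None

def suspicious_links(html):
    """Return [(href, reason)] for links whose visible text and real destination
    disagree, or whose destination imitates a known brand."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()          # visible anchor text
        host = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and DOMAIN_RE.match(shown) and registrable(shown) != registrable(host):
            findings.append((href, f"text shows {shown} but link goes to {host}"))
        elif legit := lookalike_of(registrable(host)):
            findings.append((href, f"{host} imitates {legit}"))
    return findings

# Constructed sample: an urgent "account suspended" email with three links.
SAMPLE_EMAIL = """<p>Your account is suspended. Verify within 24 hours.</p>
<a href="http://login.examp1ebank.com/verify">https://examplebank.com/verify</a>
<a href="https://examplepay-billing.com/invoice">View <b>invoice</b></a>
<a href="https://examplebank.com/help">Help centre</a>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The first sample link is caught by the text-versus-destination mismatch, the second by the embedded brand name, and the genuine help-centre link passes.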
Phishing awareness training will teach your employees what to look for, and what to do if they suspect a phishing attack is underway. According to research from Proofpoint published in 2022, 80% of organizations said that phishing awareness training reduced employees’ susceptibility to phishing attacks.
Reinforce the awareness training with a simulated phishing attack. These show employees what a phishing attempt would look like in the real world, and how to apply the theory they’ve learned. According to research from the Infosec Institute, phishing simulations can double learning retention within 12 months. This means your employees are more vigilant against phishing attacks for longer.
Use MFA in your professional and personal lives. This isn’t a silver bullet, but it can drastically reduce the risk of a successful account takeover from a phishing attack.
Deploy an endpoint protection tool. These often include anti-phishing features, including a blacklist of known phishing sites, network and device-wide monitoring, and email security tools that can identify suspicious messages and malicious links.
Implement verification policies for payments, so that multiple people have to approve an invoice before funds are wired, and payments are made only via approved channels. Attackers will often demand payment by methods that are hard to trace or block, including gift cards and cryptocurrencies.
Reduce your attack surface by embracing the Zero Trust concept of “least privilege access”. By ensuring employees have the least amount of access required to do their job (or, put another way, they can only access the tools and systems they need, and nothing else), you limit the potential damage from a successful phishing attack.
Adopt next-generation identity technologies like passkeys that support passwordless and phishing-resistant user experiences with continuous threat protection.