6 Best Practices for Phishing Prevention

Posted on August 18, 2020 - by Justin Gratto - in Building Your InfoSec Program

Your email accounts are where you are most vulnerable to becoming a victim of cybercrime. Yet email security is often forgotten, even though a surprising number of attacks use phishing to get a foothold inside a company.

That is because our inboxes are now connected to nearly all the critical systems used in business operations.

What is Phishing?

Phishing is when cybercriminals target you by email, telephone, or text message and pose as a trusted contact in an attempt to lure you into providing bank credentials, contact information, passwords, or confidential information like a social security number.

[Image] This phishing email was sent to an employee at Securicy, claiming to be from our CEO.

Cybercriminals are attacking company email accounts on a daily basis with phishing scams. Ransomware attacks, many introduced to a company network through a malicious email, are on the rise. The numbers don’t lie. Between the first and second quarters of 2018, email attacks against businesses rose 36 percent. Industries like retail, healthcare, and government saw the highest volume of attacks. But phishing attacks have hit every industry at this point.

Regular employees made up 60% of targeted malware and phishing attacks, while executives received 29% of attacks. While the percentage for executive attacks may seem small, the fact that the number is growing shows that cybercriminals are becoming bolder in their attempts to steal sensitive information.

Employees are also receiving fraudulent emails from stolen identities of their coworkers requesting personal information, such as social insurance numbers and banking information.

Besides starting a security awareness training program at your work, what can you do right now to increase your email security against these attacks?

1. Pick Strong Passwords

We’ve been preaching this gospel of strong passwords for years, and we’re not stopping anytime soon. Strong passwords are the most basic requirement for email security. You can also write a requirement to use a password manager into your email security policy. A weak password is never going to protect your email and company data that is contained in your email account. A strong password (and your company’s password policy) should follow these guidelines:

  • Upper and lower case letters
  • Numbers and special characters
  • Avoid words that can be found in a dictionary
  • Do not include any information that someone could easily guess based on your identity:
    • Phone numbers
    • Dates of birth
    • Anniversaries
    • Children’s or pets’ names
    • Home addresses
  • Avoid common letter/number substitutions
  • Use phrases rather than words
  • Update passwords on a schedule
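To make those guidelines concrete, here is an added example (not code from the original post or from Securicy) of a small policy checker that applies them: character classes, a dictionary check that first undoes common substitutions such as 4 for a and $ for s, a passphrase exemption for the "use phrases rather than words" rule, and a scan for personal details the user supplies. The word list and the personal-info values are constructed stand-ins; a real deployment would load a proper word list and the user's profile.

```python
import re
import string

# Constructed stand-ins for a real word list; an assumption for the example,
# not values from the original post.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "qwerty"}

# Common letter/number substitutions the guidelines say to avoid, undone
# before the dictionary check so 'P4$$w0rd' is judged like 'password'.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(LEET_MAP)


def is_passphrase(password: str) -> bool:
    """Four or more words separated by spaces or hyphens, at least 20 characters."""
    words = [w for w in re.split(r"[\s-]+", password.strip()) if w]
    return len(words) >= 4 and len(password) >= 20


def check_password(password: str, personal_info=(), min_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    norm = normalize(password)

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Passphrases are accepted on length and word count alone (guideline:
    # "use phrases rather than words"); single words must mix character classes.
    if not is_passphrase(password):
        has_upper = any(c.isupper() for c in password)
        has_lower = any(c.islower() for c in password)
        if not (has_upper and has_lower):
            problems.append("needs both upper and lower case letters")
        if not any(c.isdigit() for c in password):
            problems.append("needs a number")
        if not any(c in string.punctuation for c in password):
            problems.append("needs a special character")
        for word in sorted(DICTIONARY_WORDS):
            if word in norm:
                problems.append(f"contains dictionary word '{word}' (substitutions undone)")

    # Identity-based material: names, addresses, dates. Digit runs of four or
    # more (a birth year, the last four of a phone number) are checked on their own.
    for item in personal_info:
        text = item.lower()
        if len(text) >= 3 and text in norm:
            problems.append(f"contains personal information '{item}'")
            continue
        for run in re.findall(r"\d{4,}", item):
            if run in password:
                problems.append(f"contains digits from personal information '{item}'")
                break
    return problems


if __name__ == "__main__":
    # Constructed inputs: a pet's name and a date of birth the user supplied.
    print(check_password("Fluffy1990!", personal_info=["Fluffy", "1990-04-12"]))
    print(check_password("correct horse battery staple"))
```

The checker reports every violation rather than stopping at the first, so it can drive a policy message that tells the user exactly what to change; the substitution map is deliberately small and easy to extend.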

2. Use Two-Factor Authentication

This step may sound difficult or like a hassle, but it is becoming common practice, and it is actually an easy way to boost your email security. Two-factor (or multi-factor) authentication adds another level of security beyond your password. Typically the second factor is tied to your cell phone or an app like Google Authenticator. After signing in with your password, you will be prompted to enter a code that has been sent to you via text message or generated by the app.

Then if a cybercriminal does crack or guess your password, they will also need your cell phone or access to the authenticator app. You should not have the two-factor message sent to your computer because if your device was stolen, the code would be sent directly to the attacker.

3. Never Open Unexpected Attachments

You can’t get through a day in the office without receiving an email with an attached file. It’s almost instinctive to immediately open a file when you see it. But you should pause, take a breath, and review the email before you click “open.”

Verify the email address itself; do not trust the display name, which can be spoofed. An email from a manager, coworker, or client who commonly sends you attachments is most likely safe to open, provided the sending address matches the one you already have on file. By default, many email applications have virus scanning abilities and can filter common spam and known offenders. You can review these settings in your email client or have the IT department review them with you.

4. Never Use Company Email for Personal Reasons

Your company should have a policy in place that clearly outlines the security and acceptable use for email. It will tell you what you can, and can not, use company email for. These policies form the infrastructure for your entire security program. Restricting email usage to only business activities reduces the number of areas where your email is exposed on the internet.

If you’re using your company email to shop online, sign up for subscription services, or email friends, then you’re broadening your exposure to cybercriminals. Everyone should keep their email use restricted: from the newest employee to the CEO, nobody should use their company email for personal reasons. If upper management follows this email security policy, every worker in the company should as well.

5. Avoid Public Wifi (or Use a VPN)

Are you sometimes working from an airport, waiting for a flight, and answering emails? More often than not, if you’re in this scenario you’re using public wi-fi. Anyone on the same public wi-fi network could be sniffing the data that crosses it, including your emails with company data. Installing and using a VPN (virtual private network) when working on untrusted networks is essential for security.

A VPN encrypts your traffic between your device and the VPN endpoint, so nobody on the local network can read it, which lets you work safely in public. VPNs are not very difficult to implement, depending on your organization. You can use a VPN service, which is usually quick and easy to set up, or your IT department can run its own VPN depending on the structure of your network. Make sure you also choose a trustworthy provider with a solid track record.

6. Be Careful What You Click

Many attempted attacks appear in your inbox looking like an email from a person or service that you trust. It could be PayPal or your bank. If it looks unusual, feels unexpected, has any typos, or it just seems “odd” then do not click any of the links.

One way to verify a link before you click it is to hover over the hyperlink in your inbox without clicking. When you hover over a hyperlink, you’ll see the target URL in the lower-left corner of your browser. However, this won’t help if it’s a redirected link – even a legitimate redirect through a marketing tool.
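The two manual checks described in tips 3 and 6, compare the real sending address with the display name and compare where a link says it goes with where it actually goes, can also be done by a small script, which is useful when triaging messages employees report. Below is an added example of that (not code from the original post or from Securicy) using only the Python standard library. The colleague directory, both sample messages, the look-alike domain examp1e-mail.net and the 198.51.100.23 address (an RFC 5737 documentation range) are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed directory of known colleagues: normalized display name -> the
# address you already have on file. An assumption for the example.
DIRECTORY = {"alice example": "alice@example.com"}

# Constructed phishing sample: the display name matches the CEO while the address
# sits on a look-alike domain, and the link text advertises one host while the
# href points at a bare IP address.
SAMPLE_PHISH = "\n".join([
    'From: "Alice Example (CEO)" <alice.example@examp1e-mail.net>',
    'Reply-To: ceo.urgent@examp1e-mail.net',
    'To: bob@example.com',
    'Subject: Urgent: approve this transfer today',
    'Content-Type: text/html; charset="utf-8"',
    '',
    '<html><body><p>Bob, please sign in at',
    '<a href="http://198.51.100.23/login">https://portal.example.com/login</a>',
    'and approve the attached invoice today.</p></body></html>',
])

# Constructed benign sample from the real colleague, for comparison.
SAMPLE_BENIGN = "\n".join([
    'From: "Alice Example" <alice@example.com>',
    'To: bob@example.com',
    'Subject: Q3 figures',
    'Content-Type: text/html; charset="utf-8"',
    '',
    '<p>Figures are at <a href="https://portal.example.com/q3">https://portal.example.com/q3</a>.</p>',
])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw_message: str, directory=DIRECTORY) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. The From header: judge the address, not the display name.
    display, address = parseaddr(str(msg["From"]))
    name = re.sub(r"\(.*?\)", "", display).strip().lower()
    known = directory.get(name)
    if known and known != address.lower():
        findings.append(f"display name '{display}' is a known colleague but address is {address}")
    if msg["Reply-To"]:
        _, reply_to = parseaddr(str(msg["Reply-To"]))
        if reply_to.lower() != address.lower():
            findings.append(f"Reply-To {reply_to} differs from From {address}")

    # 2. Each link: the visible text versus where the href really goes.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    for href, text in collector.links:
        target = host_of(href)
        if text.startswith(("http://", "https://", "www.")) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but points to {target}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(f"link points to a bare IP address {target}")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_PHISH):
        print("!", line)
    print("benign findings:", analyze(SAMPLE_BENIGN))
```

The script only flags what a careful reader would notice by hand; it does not follow redirects, so, as the text notes, a link that goes through a redirector still needs the second-channel check (a phone call or a Slack message) before anyone clicks it.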

If you can, call the person or business at a phone number you trust and ask them if the suspicious email is valid. Send an email to a known address, or Slack the coworker to see if they really sent that weird email. This gives you a second method of communication to verify the email.

Tax season is especially rife with fraud targeting small businesses or individuals, as in this story about a tax-season phishing scam. Let your employees know how they will be getting tax documents and warn them to be watchful.

What should you do if an email is phishing? Many businesses, especially financial institutions, have an inbox specifically designated for reporting scams and phishing. That way employees, vendors, or customers can notify the security team so it can respond quickly.

In the end, you should mark a suspicious email as spam and delete it. You don’t want it hanging around in your inbox the next time you search for an emailed receipt.

Don’t Overlook Your Email Security Policy

You also want to make sure that you’re not the only person at your business on the lookout. It’s important to make sure you have security policies in place, that everyone knows to follow them, and that you have a security awareness training program. If one person at your company clicks the wrong link, that could be an entry point to compromising your computer and every other device in the company network.

So start using these tips to secure your email now. Even simple actions can thwart a cyber attack. Keep your security high and risk exposure low.


About the author

Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. Justin is accountable for product ownership at Securicy, a SaaS platform that assists businesses through creating, implementing, and managing their information security and privacy compliance program. He leads the customer success team, coordinates advisory service delivery, and holds the responsibility of Security and Privacy Officer at Securicy. When Justin isn’t performing his duties at Securicy, he likes to go on adventures to new places to visit, learn about, and taste different cultures. He is from Nova Scotia, Canada.