By Nick L. Kael.
In 2019, businesses will spend over $124 billion on cybersecurity products and services to protect their networks and data. And while that statistic indicates significant and increasing investments in cybersecurity, the fact remains that security incidents cost companies $6 trillion annually.
One reason for this disconnect is the consistent success of social engineering. Rather than forcing their way through advanced security solutions, attackers can compromise your employees with phishing campaigns and gain access to your network.
But phishing is far from a new concept. It’s a problem that organizations and individuals have been dealing with for years. We could reasonably expect it to become less prevalent as awareness increases.
However, in 2018 alone, attackers launched nearly 500 million phishing campaigns—twice as many as in 2017.
What’s leading attackers to persist in deploying these types of threats?
It’s not that people are falling victim, over and over, to the same phishing campaigns. Rather, cyber attackers are proving that with sufficient creativity, phishing campaigns are the threat that just keeps giving.
In February 2019, a new phishing campaign surfaced, using “log in with Facebook” functionality on popular websites to quietly capture user credentials. And in March 2019, attackers started mimicking mobile browser animation and common mobile design features to trick users into entering credentials in fake windows.
Even the most vigilant employees can fall victim to the new crop of creative phishing campaigns. But still, it’s your job to keep that from occurring and to protect your network at all costs.
Don’t rely on maintaining the status quo approach to preventing phishing success. Apply these four key steps to prevent creative campaigns from breaking through.
1. Educate your workforce
Most security vendors want you to believe that their advanced new tool du jour will help you keep pace with increasingly sophisticated attackers and prevent costly data breaches.
However, most business leaders understand that security incidents aren’t always a purely technical problem. A Kaspersky study found that 52 percent of businesses view employees as their greatest weakness in cybersecurity. All it takes is for one employee to fall victim to a phishing scam for an attacker to capture admin credentials and compromise an entire network.
While you can’t fully rely on employees to remain vigilant against creative phishing campaigns, every business has to make cybersecurity awareness training a priority to avoid giving attackers low-hanging fruit to access sensitive data.
You’ll never be able to completely eliminate human error — that’s simply the nature of business. But with ongoing security awareness training, you can help employees spot warning signs of phishing campaigns, such as:
- Email addresses that are just a bit “off” (e.g. ending in “.co” instead of “.com”)
- URL destinations that appear suspicious or misaligned with the email message
- Messages that use familiar logos and branding to look trustworthy but contain subtle grammatical errors or misspellings
- Email subject lines that promise monetary gain or free offers
- Pushy or aggressive messaging that asks for passwords, personal information, or unusual attachment downloads
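To make the warning signs above concrete, here is an added example (not from the article) that checks a raw e-mail for them: a lookalike sender domain such as “.co” for “.com”, a link whose visible text names a different host than its real destination, a subject line promising money, and pushy credential language. `KNOWN_DOMAINS`, the keyword lists and `SAMPLE` are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_DOMAINS = {"example.com"}  # the organisation's real domains (constructed)
URGENT = re.compile(r"\b(password|verify|urgent|immediately|suspended)\b", re.I)
MONEY = re.compile(r"\b(prize|winner|free|refund|bonus)\b", re.I)

def edit_distance(a, b):  # Levenshtein distance: "example.co" vs "example.com" is 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """Within two edits of a known domain, but not that domain or one of its subdomains."""
    trusted = any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS)
    return not trusted and any(edit_distance(domain, k) <= 2 for k in KNOWN_DOMAINS)

def link_mismatches(html):  # (shown host, real host) where the anchor text names another host
    pairs = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", re.sub(r"<[^>]+>", "", text))
        actual = (urlparse(href).hostname or "").lower()
        if shown and shown.group(0).lower() != actual:
            pairs.append((shown.group(0).lower(), actual))
    return pairs

def warning_signs(raw):
    msg = message_from_string(raw)  # single-part message assumed
    html = msg.get_payload(decode=True).decode(errors="replace")
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signs = ["lookalike sender domain: " + sender] if is_lookalike(sender) else []
    signs += [f"link shows {s} but goes to {a}" for s, a in link_mismatches(html)]
    if MONEY.search(msg.get("Subject", "")):
        signs.append("subject promises money or a free offer")
    if URGENT.search(re.sub(r"<[^>]+>", " ", html)):
        signs.append("pushy request involving credentials")
    return signs

SAMPLE = """From: IT Helpdesk <helpdesk@example.co>
Subject: Urgent: claim your refund before your account is suspended
Content-Type: text/html

Your password expires today. Verify it immediately at
<a href="http://login.example-secure.net/auth">https://login.example.com</a>"""  # constructed
```

Running `warning_signs(SAMPLE)` reports all four signs; the same checks can run as a mail-gateway filter to tag messages before they reach the inbox.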
Sophisticated attackers work to minimize these kinds of warning signs when designing creative phishing campaigns. And as a result, additional layers of security are required to serve as a safety net when humans err.
2. Take advantage of password managers
Password managers are usually recommended for a few key reasons—easy organization, unique and stronger passwords, encryption, etc. What isn’t often discussed is how they can help keep creative phishing campaigns from compromising your business.
Your ongoing awareness training is meant to help employees spot phony login fields and pages. Instead of making that your only line of defense, you can use password managers to add an extra set of automated eyes.
Password managers save your credentials for specific, approved websites. When you visit that website login page again, the password manager should give you an option to auto-fill your credentials. If employees don’t get that prompt, they should immediately recognize it as a red flag that they may be on a compromised web page.
It’s not just the ability to spot phony web pages and login fields that makes password managers valuable against phishing campaigns. There is also the benefit of employees creating more complex passwords.
If an employee can’t remember a 15-character string of random numbers and letters, they won’t be able to inadvertently give it away to an attacker’s phishing campaign, no matter how creative it is.
3. Adopt multifactor authentication
It only takes one distracted or unsuspecting employee for an attacker to compromise login credentials and gain a foothold within your network. It doesn’t matter how strong passwords are if an employee falls for a creative phishing scheme and inadvertently gives his password away. That’s why multifactor authentication has become such an important component of a multilayered security strategy.
Multifactor authentication ensures that at least two forms of identification are required to verify a login attempt. In most cases, the first form of identification is a password or PIN. Two-factor authentication then adds another layer of protection by sending users a code via text message, email, or phone call to verify any login attempt.
In many cases, two-factor authentication is enough to keep attackers from accessing your network with a stolen password. But for more advanced protection, you can include a third factor for verification such as fingerprint scanning, facial recognition or voice verification.
4. Implement zero-trust browsing
Perhaps the best, most comprehensive way to combat phishing attacks of all kinds is by implementing zero-trust browsing across your organization.
The zero-trust approach to security stipulates that nothing and no one is automatically trusted on your network. Instead, they must be verified before access is granted — and only to the specific assets and segments for which the user is authorized.
This is all well and good for internal systems and networks. However, while a whole range of solutions is available to help you verify and control activity within your network, there’s no way to ensure the sites that your employees visit are safe.
Since the internet cannot be verified, remote browser isolation (RBI) opens all browser content outside of your endpoints and networks without negatively impacting the user experience. Opening all web pages in isolated containers ensures that any malicious activity is executed off-network and that only a clean interactive content stream is passed to your users.
But it’s not just about isolating all internet activity. The right RBI solution will also help identify suspicious web pages, opening them in read-only mode to prevent unsuspecting users from entering credentials on phishing sites.
The multilayered approach to phishing prevention
All of these steps combine to create a multilayered approach to cybersecurity across your organization.
Attackers are relentless and becoming increasingly creative (and not just with phishing campaigns). Security incidents and attempted attacks will continue to be a fact of life, and you need to put a full range of tools and tactics in place to safeguard your network.
Your job isn’t to be as creative or technically advanced as every would-be attacker in the world. Rather, your job is to put enough layered security measures in place that even the most innovative attacks can’t slip through the cracks.
Don’t let your employees remain easy targets for phishing campaigns. Take away the low-hanging fruit and protect your most valuable assets.