There are two sides to preventing a successful phishing attack. The first is the user: training users to recognize phishing attempts and to protect themselves from them. Training matters, but the company also has a responsibility to communicate in ways that do not mimic common phishing techniques, because doing so sets users up for failure.
The second side is software and technology. There are many techniques a company can employ to make fraudulent emails easier for users to identify, and there are security features that can be built into an application or website to limit the damage when a user does mistake a phishing email for a real one.
The optimal solution uses clear messaging and training for the user and a clear policy from the company.
This means that, as a company, you must define how you will communicate with your customers, what you will ask for over each medium, and why; explain those reasons to your customers; and adhere to those policies 100% of the time. Support these choices by giving your users a link to a clear, published policy and to ways of verifying the messages you send. Finally, train your employees to recognize concerned users and to help them in a safe way.
Also, if you’re using SiteKeys, stop. They’re an ineffective mutual authentication measure and a usability nightmare.
Here are a few examples of companies getting this wrong or when scammers have gone above and beyond to attack users.
- Valid email sent in a very phishy way
- An exceptional multi-phase phishing scam
- Would You Have Fallen for This Phone Scam? — Krebs on Security