How to Prevent Phishing: Ultimate Playbook for CISOs

Your ultimate guide on how to prevent phishing. Everything you need to know to implement best practices and set up training that measurably reduces risk.

Updated
December 20, 2024
Written by
Maxime Cartier
The anatomy of modern phishing techniques

Mass campaigns are still common (mainly because they're cheap and easy to create)...

But spam filters have become good at catching bulk phishing emails, so most of these campaigns never reach an inbox.

Some companies also rate-limit or block bulk email deliveries to their domains entirely.

To get past filters, attackers started using more targeted 'spear-phishing' attacks.

These are tailored to a specific person or company.

Attackers will take notes on your organization's branding, style of communication and also any information they can get from your social media accounts.

This targeted approach means that although fewer phishing emails get sent out, the chances of success are far greater.

Mail sent from free webmail providers is the easiest for organizations to flag, which is why attackers increasingly send through legitimate third-party mailing services or compromised business mailboxes: the message then arrives from infrastructure with a clean reputation, and often with passing SPF and DKIM checks.

Note: The content of an email isn't always the deciding factor for filters. Many of them weigh the origin of the message (sending IP and domain reputation, SPF/DKIM/DMARC results) as heavily as the text itself.

What types of phishing attacks do you need to be aware of?

Spear phishing

As mentioned above, spear phishing targets specific individuals or organizations, using personal information to make the attack more convincing.

Attackers research their targets to craft personalized messages that appear to come from trusted sources.

This type of attack is particularly dangerous because it can bypass generic email filters and deceive even well-informed users.

Spear phishing example

Whale phishing

Whaling is a form of spear phishing that targets high-profile executives and decision-makers within your organization.

These attacks usually involve more elaborate social engineering tactics.

Whaling primarily targets individuals with a high level of authority, access to sensitive information, or control over financial transactions (CEOs, CFOs, senior managers etc.).

Whale phishing example
Source: ResearchGate

Clone phishing

Clone phishing attacks duplicate a legitimate email that the target has previously received and add malicious links or attachments.

Malicious actors might copy the design, logos, and even the writing style of a legitimate email to make it seem genuine.

They'll then send it to the target again, making it look like it's from the original sender.

Clone phishing example
You can see above that if you hover over the link, it looks suspicious 👀

Smishing (SMS phishing)

Smishing is when attackers send malicious messages to individuals via text, attempting to trick them into clicking on suspicious links or providing sensitive information.

These messages often appear to come from legitimate sources and may include urgent requests or enticing offers.

Smishing example

Invoice phishing

Invoice fraud is common, but it's also often hard to actually spot.

Invoice phishing usually takes the form of a service-provider impersonation.

Attackers pretend to be one of your suppliers and send fake invoices from domains intended to look like the real thing.

Invoice fraud example
Source: University of Liverpool

Attackers are also now using more advanced tactics

As organizations' defenses have grown more sophisticated over the years, so have the tactics cybercriminals use to get around them.

Attackers have invented new ways to bypass security filters, firewalls, and to fool the humans behind them.

Attackers will go to great lengths to make mail, links and attachments look safe - to avoid some of the more common phishing red flags that might give them away.

HTTPS

More than 70% of the malicious landing pages seen in the last 4 years have had some type of SSL/TLS certificate on the website.

The padlock next to the URL makes visitors feel protected, because a certificate used to be hard for an attacker to obtain. Certificates are now free and issued automatically, so a padlock only proves the connection is encrypted, not that the site is legitimate.

Email spoofing

Spoofing the visible sender field, masking file types (for example with a right-to-left override character, which makes a file named "invoice_[RLO]txt.exe" display as "invoice_exe.txt"), pretexting and shortened links all make a message look as if it came from a legitimate sender. The same tricks help it slip past filters and lower the recipient's guard.

Gift cards and crypto

Attackers reduce the risk of being traced after a successful attack by demanding payment in gift cards or cryptocurrency, since neither requires the parties to supply personal data.

Signs of phishing to watch out for

Suspicious email address

One of the biggest tell-tale signs of a phishing attempt is an off-looking sender address.

Since this is perhaps the most obvious giveaway, it should be the first thing employees check.

Fake email addresses will often look similar to legitimate ones...

But there'll be subtle differences that give them away.

  • Misspellings: fraudulent email domains will often have names near-identical to legitimate ones, but with small variations, swapped characters (0 for o, rn for m), numbers or spelling mistakes.
  • Unknown sender: Email phishing attacks mostly come from unfamiliar email addresses (but this isn't bulletproof: attackers sometimes imitate, or have compromised, contacts you know).
  • Non-corporate domain: Email phishing scams might come from webmail domains like gmail.com or outlook.com instead of a corporate domain like companyx.com.
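The three signs above can be turned into a check that a mail gateway or a SOC triage script runs on every From: header. The following is an added example, not code from Hoxhunt or from the original article: it parses the header, normalises the confusable characters attackers use, and compares the sender domain against the domains you trust. The trusted-domain set, the confusable map, the free-mail list and the sample addresses are all assumptions constructed for illustration.

```python
# Added example (not Hoxhunt's code): score a From: header against the
# domains your organisation actually trusts. The trusted set, the confusable
# map, the free-mail list and the sample addresses are constructed.
from __future__ import annotations

from email.utils import parseaddr

# Characters attackers substitute for look-alike letters (digits, Cyrillic).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})
# Webmail providers: fine for individuals, suspicious when the message claims
# to come from a vendor or a colleague.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}


def normalize_domain(domain: str) -> str:
    """Collapse common visual tricks so 'c0rnpanyx.com' compares equal to 'companyx.com'."""
    d = domain.strip().lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between two different domains is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted: set[str]) -> tuple[str, str]:
    """Return (verdict, reason). Verdicts: trusted, lookalike, freemail, suspicious, unknown."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("suspicious", "unparseable address")
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return ("trusted", domain)
    norm = normalize_domain(domain)
    for t in trusted:
        tn = normalize_domain(t)
        base = tn.rsplit(".", 1)[0]          # 'companyx' from 'companyx.com'
        if norm == tn:
            return ("lookalike", f"{domain} matches {t} after confusable substitution")
        if levenshtein(norm, tn) <= 2:       # companyx.co, compamyx.com, companyx.cm
            return ("lookalike", f"{domain} is within edit distance 2 of {t}")
        if base in norm:                     # companyx-billing.com, companyx.com.evil.net
            return ("lookalike", f"{domain} embeds the trusted name {base}")
    if domain in FREEMAIL:
        return ("freemail", domain)
    # Display name claims a trusted organisation but the address does not.
    if display and any(t.rsplit(".", 1)[0] in display.lower() for t in trusted):
        return ("suspicious", f"display name {display!r} impersonates a trusted domain")
    return ("unknown", domain)


if __name__ == "__main__":
    for hdr in ["Jane Doe <jane@companyx.com>", "billing@c0rnpanyx.com",
                "it@companyx.co", "CompanyX Support <help@random-mailer.net>"]:
        print(f"{hdr:45} -> {classify_sender(hdr, {'companyx.com'})}")
```

The display-name check is the one most worth keeping even if you drop the rest: mobile mail clients show only the display name by default, so "CompanyX Support" from an unrelated mailbox is exactly what a user will see.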

Sense of urgency

Phishing messages often rely on creating urgency to convince their target to take action.

Employees might receive an email telling them an account is being locked or that it has been compromised.

These unexpected, urgent requests may also push recipients into going around standard verification procedures...

And the more urgency attackers can stir up, the less likely we are to check the legitimacy of the message.

To increase their chances of success, attackers sometimes make their emails seem as if they're from high-level executives.

Spelling and grammar

Legitimate businesses don't typically make too many spelling or grammar mistakes.

This is why these kinds of errors can be an indicator of a phishing attempt.

Even technically sophisticated phishing campaigns often still contain these mistakes.

This may be due to:

  • Non-native language use
  • Intentional errors to target less vigilant recipients

Generic greetings like "Dear customer," or "Hello," are a related giveaway: the attacker does not have access to your personal details.

Treat this as a weak signal, though. Well-resourced groups, and now generative-AI tooling, produce flawless text, so a polished email is no evidence of legitimacy.

Suspicious links/attachments

For a phishing attempt to be successful, the recipient (usually) needs to click on a link or open a malicious attachment.

Phishing emails mostly use links to take targets to a website or form designed to capture personal details, bank details or login credentials.

Here are a few ways you can check the legitimacy of a link:

  • The link text in the email should match the preview URL shown when you hover over the link.
  • Be wary of hyperlinks without any additional information or context.
  • Malicious links may contain very minor variations or misspellings (.com becomes .org or .info).
  • Shortened URLs are used to hide the real destination of the phishing link (Bitly, TinyURL, Tinycc, etc).
  • Links to websites that do not use HTTPS can be a sign of phishing (but this isn't always the case: most phishing pages now use HTTPS too, so a padlock proves nothing).

Beware of file types outside the usual formats like .pdf or .docx, especially executables, scripts, archives and disk images.

Malicious, shortened link example
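The link checks above can be applied mechanically to an HTML email body. The following is an added example, not code from the original article: it extracts every anchor, compares the domain shown in the link text with the host the href actually points to, and flags shorteners, bare IP hosts, plain http, userinfo tricks and very long URLs. The shortener list and the sample body are constructed for illustration; a production tool would also expand shorteners and consult a URL reputation feed.

```python
# Added example (not Hoxhunt's code): audit every <a href> in an HTML email
# body. SHORTENERS and SAMPLE_BODY are constructed for illustration.
from __future__ import annotations

import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "tiny.cc", "t.co", "goo.gl", "ow.ly", "is.gd"}
# A domain (optionally with scheme) appearing in the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (a real tool uses the Public Suffix List)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href: str, text: str) -> list[str]:
    """Return the reasons a link looks suspicious; an empty list means nothing was flagged."""
    reasons: list[str] = []
    p = urlparse(href)
    host = (p.hostname or "").lower()
    if p.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {p.scheme!r}")
    elif p.scheme == "http":
        reasons.append("not https")
    if host in SHORTENERS:
        reasons.append("url shortener hides destination")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address host")
    except ValueError:
        pass
    if "@" in p.netloc:                       # https://companyx.com@evil.example/
        reasons.append("userinfo in URL masks the real host")
    # Visible text that shows one domain while the href points to another.
    m = DOMAIN_IN_TEXT.search(text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append(f"text shows {m.group(1)} but link goes to {host}")
    if len(href) > 120:
        reasons.append("very long URL")
    return reasons


def audit_html(body: str) -> list[tuple[str, str, list[str]]]:
    """Return (href, text, reasons) for every anchor with an href in the body."""
    collector = _AnchorCollector()
    collector.feed(body)
    return [(href, text, check_link(href, text)) for href, text in collector.links if href]


# Constructed sample body: one clean link and three suspicious ones.
SAMPLE_BODY = """
<p>Your mailbox is almost full. <a href="http://bit.ly/3xAbCd">Click here</a> to upgrade.</p>
<p>Or sign in at <a href="https://companyx-login.example.net/auth">https://portal.companyx.com</a></p>
<p>Need help? <a href="https://companyx.com/help">https://companyx.com/help</a></p>
<p><a href="http://203.0.113.7/invoice.php?id=1">View invoice</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_html(SAMPLE_BODY):
        print(f"{href}\n    text={text!r}\n    flags={reasons or 'none'}")
```

The text-versus-href comparison is the check users cannot do on a phone, where there is no hover preview, which is why it belongs in the gateway rather than only in training material.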

Requests for sensitive information

A legitimate company is unlikely to ask for things like passwords, social security numbers, or credit card details over email...

Especially not out of the blue!

Legitimate requests will most likely be via secure methods (e.g. secure websites, encrypted communication).

Email is not generally considered to be a secure channel for sharing sensitive information.

Urgent requests from authority figures

If a request comes from a high-level member of our organization, chances are we're likely to comply.

This is why attackers send emails impersonating high-level executives to exploit this authority.

These messages are very likely to create urgency too.

Attackers will use social engineering tactics to make their messages as convincing as possible.

A few signs to look out for include:

  • The sender's email address may look okay at first glance but might contain small variations or misspellings.
  • If an email request is legitimate, it should contain context as to why information is being requested.
  • Not all requests sent outside regular working hours are suspicious, but they may be a reason to double-check their legitimacy.
  • Verify any unusual request from an executive through a second channel (a call to a known number, or a chat message), never by replying to the email itself.

Dodgy design

Off-looking design is one of the easier telltale signs of phishing.

Things like font style/size, layout and branding are very unlikely to change dramatically if sent from a genuine company.

Image quality is also something to look out for.

Phishing emails may use low-resolution images or logos that look pixelated.

Authentic emails will typically only use high-quality images.

Suspicious design example
Source: CheckPoint

Phishing prevention best practices

Modern phishing attacks are becoming increasingly difficult to catch as tactics grow in sophistication.

But there are measures you can take to protect your employees.

Encourage employees to check the URL address of any links sent to them

If an employee receives a link that doesn't look familiar, there are a few simple ways to check everything is legitimate:

  • Navigating to the site by typing the known address or using a bookmark, rather than using the link in the email (a search engine is a fallback, but sponsored results can be lookalikes too).
  • Being wary of any websites that seem to be asking for unnecessary personal information - especially if asked as soon as they land on the page.
  • Hovering over links in emails - shortened, mismatched or very long URLs may be grounds for suspicion.

Implement multi-factor authentication (MFA)

Using MFA across your organization won't stop phishing emails from arriving.

But it will provide an extra layer of protection should an attack break through your human firewall.

MFA only grants access after the user presents at least two independent factors (e.g. a password followed by an authenticator app or a security key).

This means a stolen password alone is not enough to log in, which buys time to reset it. Be aware, though, that one-time codes and push approvals can still be phished: adversary-in-the-middle kits relay the code to the real site in real time, and attackers spam push prompts until a tired user approves one. Phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) binds the login to the genuine site's origin and defeats both.

Make sure you have strong password policies

Implementing a sensible password policy is essential for protecting organizational data and systems from unauthorized access.

Ensure employees' passwords are strong enough to resist common attack methods such as brute force, dictionary and credential-stuffing attacks.

Passwords should:

  • Be long: a minimum of 12-16 characters. Length matters far more than forced character mixes.
  • Avoid common patterns: no easily guessable strings such as "password123", "qwerty", or personal information.
  • Not appear in breach corpora: screen new passwords against a list of known-compromised passwords.

Don't force routine password rotation. Current guidance (NIST SP 800-63B) is to change a password when there is evidence of compromise, not on a fixed 60-90 day schedule, because scheduled changes push people towards predictable variations of the old password.

To make this easier, use a password manager that can generate complex, unique passwords and store them securely.

Regularly update software

Keeping all software and systems regularly updated and patched will help protect your organization against phishing.

Why? Because these updates often address security vulnerabilities that cybercriminals might exploit.

  • Updates often include enhancements to existing security features or the addition of new ones.
  • Phishing attacks frequently aim to install malware on a victim’s system. Regular patching ensures that security flaws which malware might exploit are fixed.
  • Security tools such as antivirus software, firewalls, and intrusion detection systems also receive updates to improve their effectiveness against new threats.
  • Phishers often use social engineering techniques to trick users into installing "updates" that are actually malicious, so updates should arrive through your managed update channel, never via a link in an email.

Make reporting quick and easy

The longer and more laborious your reporting process is, the less likely employees will be to report real-life threats.

Your reporting process should be as easy and effortless as you can make it.

Not only does this prevent successful attacks, but also gives you data on what threats are actually out there in the wild.

This is why at Hoxhunt, our platform allows users to report both phishing simulations and actual phishing email with just a click of a button.

Hoxhunt reporting button

Have email filters in place

Email filters help identify and block malicious emails before they reach users' inboxes.

Most email filters will identify phishing attempts by doing the following 👇

  • Analyzing the content of emails to detect suspicious elements commonly found in phishing messages.
  • Checking the reputation of the sending IP address and domain, and whether SPF, DKIM and DMARC checks pass for the claimed sender.
  • (For more advanced filters) Using machine learning to learn normal email patterns and detect anomalies.
  • Using blocklists of known malicious senders and allowlists of trusted senders to make filtering decisions.
  • Scanning email attachments.
  • Leveraging large databases of known spam and phishing emails.
  • Scanning URLs in emails.
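The origin checks in the list above, and the spoofing tricks from the "Email spoofing" section earlier, can be demonstrated on a raw message the way a gateway or a SOC triage script would see it. The following is an added example, not Hoxhunt's code: it flags a Reply-To that points somewhere other than the From domain, SPF/DKIM/DMARC results that are not "pass", a From: in your own domain that fails DMARC (exact-domain spoofing), and an attachment whose name hides a .exe behind a right-to-left override. Both messages are constructed. The Authentication-Results header is the one your own MX stamps on inbound mail; anyone can add such a header before the message reaches you, so only the instance written by your MX should be trusted.

```python
# Added example (not Hoxhunt's code): triage checks on a raw RFC 822 message.
# SPOOFED_EML and CLEAN_EML are constructed samples; the domain, the
# extension list and the header names are assumptions for illustration.
from __future__ import annotations

import email
import re
from email.utils import parseaddr

RLO = "\u202e"   # Unicode RIGHT-TO-LEFT OVERRIDE: reverses how the rest of a name renders
RISKY_EXT = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "lnk", "iso"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_message(raw: str, own_domain: str) -> list[str]:
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw)
    findings: list[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")

    # Results stamped by the receiving MX; "missing" if the header is absent.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results: dict[str, str] = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        results[mech] = m.group(1).lower() if m else "missing"
        if results[mech] != "pass":
            findings.append(f"{mech} result is {results[mech]}")
    if from_domain == own_domain and results["dmarc"] != "pass":
        findings.append("From claims our own domain but DMARC did not pass: likely spoofed")

    # Attachment names: RLO trick and executable extensions.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if RLO in name:
            findings.append(f"attachment name contains right-to-left override, real name {name!r}")
        ext = name.lower().rsplit(".", 1)[-1]
        if ext in RISKY_EXT:
            findings.append(f"attachment {name!r} has executable extension .{ext}")
    return findings


# Constructed: exact-domain spoof of the finance team, failing authentication,
# with an attachment that renders as "invoice_exe.txt" but is really a .exe.
SPOOFED_EML = """\
From: "CompanyX Finance" <finance@companyx.com>
Reply-To: payments@companyx-invoices.net
To: employee@companyx.com
Subject: Overdue invoice, action required today
Authentication-Results: mx.companyx.com; spf=fail smtp.mailfrom=bulk-mailer.example.org; dkim=none; dmarc=fail header.from=companyx.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice and release payment today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice_\u202etxt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed: an ordinary internal message that passes every check.
CLEAN_EML = """\
From: Jane Doe <jane@companyx.com>
To: employee@companyx.com
Subject: Lunch on Thursday?
Authentication-Results: mx.companyx.com; spf=pass smtp.mailfrom=companyx.com; dkim=pass header.d=companyx.com; dmarc=pass header.from=companyx.com
Content-Type: text/plain

Are you free at 12?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EML), ("clean", CLEAN_EML)):
        print(label, audit_message(raw, "companyx.com") or ["no findings"])
```

The DMARC-on-own-domain rule is the one that catches display-name-perfect spoofs of internal senders; it only works if your domain publishes a DMARC policy and your MX records the result, so check both before relying on it.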

Use threat detection and response software

Even with email filters in place, some threats will still make it through your defenses and land in employees' inboxes.

This is why here at Hoxhunt, we built our security operations to defend against the phishing attacks that your email filters don't catch. 

Here are just a few of the features:

  • Identify malicious emails instantly with an AI-powered threat classification model.
  • Focus on the highest-risk phishing campaigns and user groups by creating incident orchestration rules.
  • Flag allow-listed senders with feedback rules which, when triggered, give employees instant feedback that it's safe to respond to the email.
Hoxhunt security operations

Invest in quality phishing training

If you're in the cybersecurity space, you already know the stats...

82% of all cyberattacks involve the human element.

If you want to measurably reduce the risk of successful phishing attacks, training the humans within your organization is critical.

Research shows that a well-trained workforce is able to cut the cost of phishing by 50%.

Employee behavior is both the biggest amplifier and the biggest mitigator of breach cost...

Cost of data breach research

But not just any training will do.

One-size-fits-all, compliance-driven training doesn't have much impact on how people actually behave when it comes to cybersecurity.

And if you're not changing behavior, you're not going to reduce human risk.

Look for vendors that:

  • Personalize training so that it's not cookie-cutter
  • Offer simulations to test employees' skills
  • Are adaptive, so that every employee gets the level of training they need
  • Offer gamification of some kind

How we approach phishing prevention training at Hoxhunt

Hoxhunt's phishing training was purpose-built to reduce human risk through behavior change.

If your end goal is to protect your organization from cyber attacks, why not just ditch the typical awareness and compliance strategies and focus your time and budget on what actually works?

Here's how we do things here at Hoxhunt...

Engaging micro-training

Most of us struggle to pay attention to training that’s any longer than 5-7 minutes.

So, we made sure our training is broken down into digestible chunks.

Hoxhunt training is integrated into employees' workflows so that day-to-day work isn't interrupted.

Small teachable moments show learners how to improve in the future based on their past behavior - whether it be identifying suspicious emails or staying safe on social media.

Realistic simulations

Awareness alone is unlikely to move the needle on bottom line human risk.

This is why we use simulated attacks that mimic real-world tactics.

This will allow you to gauge how effective your training is and the likelihood of a real attack being successful.

Once you start running simulations, you'll be able to tailor training content to each employee's performance.

Personalized learning paths

Here at Hoxhunt our adaptive training uses personalized learning paths.

In practice, this means that if an employee fails simulations, they'll be sent easier phishing threats to spot and report.

Then, once their confidence and motivation increases, they can be sent more difficult simulations.

Gamification

Gamified cyber security training has been shown to boost engagement by 60% and make 90% of employees feel more productive and involved.

We believe that training works best when it's frequent, engaging and tailored to each employee's specific location, role and skill level.

People generally don't like tedious, mandatory security training.

This is why we use game mechanics - to turn training into something employees genuinely enjoy and engage with.

Reporting dashboards

You can't change what you can't measure.

So Hoxhunt gives you real-time visibility into your program performance with dashboards comprising next-level metrics.

Set your priorities with data-driven decisions and report to leadership with ease and confidence.

Hoxhunt phishing training

How to prevent phishing FAQ

What are some common phishing techniques?

Phishing techniques include sending emails from what appears to be reputable companies, crafting fake websites that look identical to legitimate ones, and using scare tactics to prompt immediate action.

Spear phishing targets specific individuals, often within organizations, using personal information to increase credibility.

How can email clients help in phishing prevention?

Modern email clients have built-in spam filters and scanners for emails that detect and block phishing emails.

They can flag suspicious emails and move them to the spam folder, reducing the risk of exposure to malicious content.

What should be included in an incident response plan?

An effective incident response plan should include procedures for identifying and reporting phishing attempts, steps to take if a phishing incident occurs, and methods for mitigating damage.

Training employees on this plan ensures quick and efficient handling of phishing threats.

What should employees do if they receive a phishing email?

Employees should not click on any links or open attachments.

Instead, they should report the email to the IT department or use the phishing report function in their email client.
