Hackers whose weapon of choice is phishing continue to refine their skills, and now appear to be taking greater aim at enterprises. That means corporate users need to be more vigilant than ever to keep these criminals from their end target: sensitive data.

Phishing is, unfortunately, a growing problem. A good share of its growth last year was in the area of business email compromise, with “impersonation attacks” taking center stage.

For instance, with the adoption of the GDPR data privacy and confidentiality rules in mid-2018, a wave of fake notifications followed. There were so many legitimate privacy policy notifications sent out by companies most affected by the new regulations that it was easy for hackers to leverage that for criminal purposes.

One banking company experienced a nightmare when it received a ransomware threat and refused to pay. The people behind the threat responded by sending waves of clearly bogus emails – appearing to come from this bank – to customers and local businesses. This not only harmed the bank’s reputation and image, but it also impacted the bank’s email service when its service provider – seeing a hundreds-fold increase in outgoing emails from the bank’s account – shut down its email service.

The bank was able to remedy this by implementing an email authentication system that helped it regain control of its email systems and return the bank to normal operations. But, unfortunately, by this time a lot of damage had already been done.

A more sophisticated enemy

The days of crudely worded phishing emails that overtly ask for confidential data are behind us. As hackers have learned what works, their phishing efforts have become increasingly sophisticated and successful.

They use automation, social networks and convincing scam techniques, and they do their homework. The more advanced attacks start with research into their targeted victim company, determining key individuals, their roles in the company, and who they report to.

They then send impersonation emails to specific targets, or even to people in associated companies, such as vendors or customers. Impersonating a known entity increases the odds that the recipient will open the email and believe it is legitimate.

They work to gain trust, then lure the target into taking the desired action, such as providing key information or downloading a malware file that can open the door into the enterprise’s network. That is when the real damage begins.

The root of the problem

One problem when it comes to phishing emails is that security systems tend to focus on the content of emails. They look at key words, source countries or providers, and links or attachments, but they can’t do much with a legitimate-appearing email that is coming from an impersonator. Systems that do address whether a sender is legitimate aren’t as effective as they should be, in part because they too focus on content.

Email authentication standards address this issue, but they require the owners of email domains to publish the authentication configuration in their DNS records. While the number of domains doing this is growing, they are still a small fraction of the total.

Playing defense

The best offense for enterprises in this case seems to be a good defense, particularly a multi-tiered approach that starts with thorough email training for employees. In fact, this type of training could yield the greatest ROI of any of your security investments.

Employees who undergo training designed to help them recognize and resist phishing emails are far less likely to fall prey to such emails and click on something that they and their company will regret later. This training needs to be followed up with supplementary sessions on a regular basis as well as ongoing communication about the dangers of these emails.

Email authentication systems are a valuable defensive tool, allowing only authorized senders to use your domain and send messages. They have been shown to block the vast majority of fake emails. Secure email gateways are also important, as they can stop inbound messages that contain suspicious content.
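The standards referred to here and under "The root of the problem" are SPF, DKIM and DMARC, all published as DNS TXT records on the sending domain. As an added example that is not part of the original article, the Python below parses constructed SPF and DMARC record strings and lists the settings that would still let an impersonator through (a softfail `~all`, a `p=none` policy, no reporting address); in practice the strings come from TXT lookups of the domain and `_dmarc.<domain>`, and the domain names and addresses used are placeholders.

```python
# Assess whether a domain's published SPF and DMARC records would actually stop impersonation.

def parse_spf(txt: str) -> dict:
    """Return the SPF mechanisms and the qualifier on the final 'all' term."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"mechanisms": [], "all": None}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            result["all"] = qualifier
        else:
            result["mechanisms"].append((qualifier, body))
    return result

def parse_dmarc(txt: str) -> dict:
    """Return DMARC tag=value pairs (v, p, rua, ...) as a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(spf_txt: str, dmarc_txt: str) -> list:
    """List weaknesses in the record pair that would let a spoofed message through."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf["all"] in (None, "?", "+"):
        findings.append("SPF does not fail unauthorized senders (missing or permissive 'all')")
    elif spf["all"] == "~":
        findings.append("SPF only softfails unauthorized senders")
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none: receivers only report, nothing is blocked")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail is junked, not rejected")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address: no aggregate reports to spot abuse")
    return findings

# Constructed sample records (placeholder domains): a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mailer.test -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test"
```

Calling `assess(WEAK_SPF, WEAK_DMARC)` returns three findings, while the hardened pair returns an empty list.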

And finally, the use of security keys can help as well. These are inexpensive USB-based devices or authentication applications on mobile devices that are used in concert with passwords, or even instead of passwords, for employee logins. These keys may not prevent phishing attempts, but they do keep a hacker from accessing a user’s account even if they obtain that user’s password. The hacker would actually have to be in possession of the security key in order to gain access.

For more ways you can safeguard your employees and network from cybercriminals, download Gartner’s Top Security and Risk Management Trends report.