Phishing

What is phishing?

Phishing is when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware, or directing them to a dodgy website.

Phishing can be conducted via a text message, social media, or by phone, but the term 'phishing' is mainly used to describe attacks that arrive by email. Phishing emails can reach millions of users directly, and hide amongst the huge number of benign emails that busy users receive. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money.

Phishing emails can hit an organisation of any size and type. You might get caught up in a mass campaign (where the attacker is just looking to collect some new passwords or make some easy money), or it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like the theft of sensitive data. In a targeted campaign, the attacker may use information about your employees or company to make their messages even more persuasive and realistic. This is usually referred to as spear phishing.


Every organisation can play a part

The mitigations described here are mostly focused on preventing phishing attacks, and limiting their impact, within your organisation, but they include some measures that will help protect the whole of the UK. For example, setting up DMARC stops phishers from spoofing your domain (that is, making their emails look like they come from your organisation). There are numerous benefits in doing this:

  1. Your own company's genuine emails are more likely to reach the recipients' inboxes, rather than getting filtered out as spam.
  2. From a reputational aspect, no organisation wants their name becoming synonymous with scams and fraud.
  3. The wider community will also benefit if your contacts (such as suppliers, partners and customers) are encouraged to publish DMARC records for their own domains. This can give you much greater assurance that the email asking for information (or money) actually comes from where you think.

The NCSC are encouraging organisations to lead by example and set up DMARC, and then start asking their contacts to do the same. It's in everyone's interest to promote widespread adoption, as the more organisations that take part, the harder it is for the phishers to succeed.
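As an added example (not part of the original guidance), the following Python parses a DMARC TXT record and reports whether its policy actually stops spoofing of the domain, flagging the settings a defender should tighten; the records and addresses are constructed samples.

```python
# Added illustration for the DMARC guidance above; the records below are
# constructed samples, not real DNS data. A live check would fetch the TXT
# record at _dmarc.<domain> (for example with the dnspython library).

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.org")


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy and the weaknesses a defender should fix."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))      # receivers default pct to 100
    sp = tags.get("sp", policy).lower()    # subdomain policy defaults to p
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid: receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine routes spoofed mail to spam instead of rejecting it")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sp == "none" and policy != "none":
        findings.append("sp=none leaves subdomains open to spoofing")
    if "rua" not in tags:
        findings.append("no rua address: you will receive no aggregate reports")
    return {"policy": policy, "pct": pct, "findings": findings,
            "blocks_spoofing": policy == "reject" and pct == 100}


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(rec))
```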


Phishing defences: why you need a multi-layered approach

Typical defences against phishing often rely exclusively on users being able to spot phishing emails. This approach will only have limited success. Instead, you should widen your defences to include more technical measures. This will improve your resilience against phishing attacks without disrupting the productivity of your users. You'll have multiple opportunities to detect a phishing attack, and then stop it before it causes harm. You should also accept that some attacks will get through; acknowledging this will help you plan for incidents and minimise the damage caused.

This guidance splits the mitigations into four layers on which you can build your defences:

  1. Make it difficult for attackers to reach your users
  2. Help users identify and report suspected phishing emails
  3. Protect your organisation from the effects of undetected phishing emails
  4. Respond quickly to incidents

Some of the suggested mitigations may not be feasible within the context of your organisation. If you can't implement all of them, try to address at least some of the mitigations from within each of the layers. The mitigations within each layer are summarised in the following infographic.

Summary of multi-layered approach to phishing defences

