I have heard this question asked a few different times, in a few variations. The answer is no, but read on for some ways you can reduce the success of phishing attacks.
Is there a product I can get to stop emails coming from my CEO about gift cards?
Is there any way that you can stop hackers from sending phishing emails?
The short answer, and it should be the only answer, is no. If a product claims it can stop phishing attacks, just know that it is overstating what it can do: it may minimize phishing, but stopping phishing altogether isn't going to happen.
A threat actor will keep trying different tactics until one works. Persistence is key for the attacker, and repeated attempts will eventually bring some level of success. However, persistence works both ways. Organizations can do many things to stop phishing attacks. I like to refer to the strategy as "Security in Layers" (see blog post here). Make it difficult for the attacker to reach the crown jewels: make the attacker trip over landmines and crawl through the mud, only to hit a wall. While this strategy isn't a new one, it's one I have used for about 20 years.
For security in layers in this case, let's call it minimizing the attack surface of the organization. If you do these three things, you will substantially reduce the chance that an attacker will succeed in phishing your organization.
- Security awareness training, then targeted security awareness re-training. What I mean here is that you will need to develop a robust and evolving security awareness training program for phishing. It needs to keep up with the current, common tactics threat actors are using. Threat actors often cast a wide net, reusing the same scenarios against many companies, so if you follow the phishing scenarios currently in the wild you can tailor a plan with real-world examples that employees will recognize. If any staff member fails a phishing exercise, assign them a refresher with a test at the end; this is critical. Remember that the human element is the weakest link, and you need the same persistence as the attacker when it comes to awareness of phishing and the ways to spot a phishing email.
- Email security. Some protections are included with your email platform and some are available as add-on products. While I cannot recommend any one of them specifically, I can tell you that even the standard, included phishing protection should be enabled and monitored. This will not remove the risk entirely, but it will reduce much of it. And remember, security in layers: make it difficult for the attacker to get what he wants.
- Implement internal policies for requests that arrive by email. When in doubt, follow up with a phone call and ask for verification. Phishing attacks rely on impulsive, escalated, time-sensitive requests that put stress on the victim to react quickly. Don't fall for it. A second look, a follow-up phone call, or an email to IT Security or HR can stop an attack dead in its tracks. If anything seems like an emergency, follow up; don't act on impulse.
Black Hat Pen-Test can assist with phishing exercises and ways you can prevent attacks. Get in touch on our Get a Quote page to learn more.