Phishing: sharing best practices to protect Information Systems

From small businesses to large corporations, from town halls to state institutions, no organization is immune to cyberattacks. Let's take a look at several best practices to protect your IT fleet against one of the most common attack vectors: phishing.

Phishing: definition 

Phishing involves attackers sending a message containing a link, or even a QR code (known as quishing), by e-mail or SMS (smishing), leading to a fraudulent site. Its design is generally copied from a service the victims already use, and once on the fraudulent site they are invited to enter their login and password, or personal data, which the attackers can then easily retrieve.

The risk is everywhere, as this technique is used en masse by all types of attackers. It is also on the rise on mobile devices, with a Slashnet study revealing that smishing accounted for 39% of mobile threats in 2024.

With over 70% of employees admitting to risky behavior that leaves them vulnerable (Proofpoint 2024 study), vigilance and awareness remain crucial!  

Here are 5 best practices to share with all IT users to avoid falling into the trap. 

5 things you need to know to avoid phishing 

Anti-spam filter  

An anti-spam filter provides a first level of sorting, keeping messages identified as fraudulent out of the inbox.
However, this tool does not replace the verification reflexes we'll look at in the next section.

Verifying message content and sender  

By e-mail or SMS, senders of fraudulent messages redouble their inventiveness to deceive their victims… without necessarily using elaborate techniques.  

That's why it's important to check the sender of the message carefully: is the name known, and is it spelled correctly? Is the domain of the reply address (the Reply-To) known and legitimate?

If there's a link in the message, which URL does it actually lead to, and is that a legitimate site? Check this by hovering over the link with your mouse, not by clicking on it directly.

If the e-mail carries an attachment, let the antivirus or mail scanner inspect it before opening it; these tools can flag suspicious files.
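The two checks described above (sender and reply domain, and where a link really points) can be automated for triage. The following is an added example, not code from the original article: it parses a constructed sample e-mail with Python's standard `email` and `html.parser` modules, compares the From and Reply-To domains, and flags links whose visible text names one domain while the `href` points to another. The allow-list `KNOWN_DOMAINS`, the sample message and all names in it are hypothetical.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing sample): the visible link text
# claims one site while the href points elsewhere, and Reply-To differs from From.
SAMPLE_EMAIL = """\
From: IT Support <support@example-corp.com>
Reply-To: helpdesk@example-corp-login.net
To: user@example-corp.com
Subject: Password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Sign in at
<a href="http://example-corp-login.net/reset">https://portal.example-corp.com</a>
to keep access.</p>
<p>Policy: <a href="https://portal.example-corp.com/policy">Security policy</a></p>
</body></html>
"""

# Hypothetical allow-list of domains the organization considers legitimate.
KNOWN_DOMAINS = {"example-corp.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'main domain' reduction to the last two labels (assumption: no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(value):
    """Return the hostname of a URL or bare domain string, or None if it has none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname


def analyze(raw):
    """Return a list of human-readable findings for one raw e-mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: is the sender domain one we know, and does Reply-To match it?
    from_dom = msg["From"].addresses[0].domain.lower()
    if from_dom not in KNOWN_DOMAINS:
        findings.append(f"sender domain not known: {from_dom}")
    if msg["Reply-To"]:
        reply_dom = msg["Reply-To"].addresses[0].domain.lower()
        if reply_dom != from_dom:
            findings.append(f"reply-to domain differs from sender: {reply_dom}")

    # Check 2: for each link, does the visible text agree with the real target?
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_host = host_of(href)
        # Only treat the visible text as a domain claim if it looks like one.
        text_host = host_of(text) if "." in text and " " not in text else None
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
        elif registrable(href_host) not in KNOWN_DOMAINS:
            findings.append(f"link points to unknown domain: {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

On the sample message this reports the mismatched Reply-To domain and the link whose text shows `portal.example-corp.com` while its `href` goes to `example-corp-login.net`; the second link, which points inside the known domain, is not flagged. The `registrable()` helper is deliberately simplistic and would need a public-suffix list for domains such as `.co.uk`.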

Antivirus  

An antivirus identifies and blocks malicious files, and can notify the user if there is any doubt about the legitimacy of an e-mail attachment (document, PDF, etc.).
Its e-mail scanning functions also enable it to detect virus-carrying files attached to a message.

Password manager   

Password managers are a basic security tool. They store strong passwords for accessing services or sites, and since they only offer to fill a credential on the domain it was saved for, they can provide valuable clues as to whether the site being visited is the real one!

As we saw earlier, before clicking on a link you should check the URL to which it points. If the link claims to lead to a well-known site or service already in use, the password manager will offer to pre-fill the saved credentials. If it does not, the domain does not match the one on record, and the site being visited is probably not authentic.

Multifactor authentication  

Among security measures, every layer counts. If a link in a fraudulent e-mail or SMS message has been clicked, and credentials have been entered on the malicious site, multifactor authentication (MFA) provides an additional layer of protection.

As several forms of authentication are required, attackers will need more than just a username and password to access the service they are trying to infiltrate.

Still in doubt?  

Go back to basics. Contact the sender by other means (phone, text, etc.) to confirm the request is legitimate.

Also, by notifying your security team and IT department, you can further reinforce your organization's security and limit risks.
