Working From Home – How To Keep Employees from Falling Prey to Phishing Attacks

Due to the ongoing situation, many businesses have had to let their staff work remotely so that productivity does not suffer.

While the remote working set-up has worked well enough for many organisations, it has weakened their cyber security and IT support arrangements, and that in turn has opened up opportunities for cyber criminals.

Put simply, employees working from home do not have the enterprise-level security tooling or expertise that exists inside your business network. That is one reason both your staff and your mission-critical data are at risk of breaches, phishing attacks and similar IT incidents.

Of all the cyber threats remote employees face, the most likely is a phishing attack.

Not only have these attacks increased significantly over the course of the pandemic, they have also become one of the go-to tools for attackers.

As an organisation, therefore, you need a robust 24/7 IT service help desk alongside your other cyber security measures. That way, you can help secure your business data and email accounts while your employees send and receive messages on their personal devices.

To help you keep your employees from falling victim to phishing attacks, here are the top five practices you need to implement.

Let’s take a look!

1. Ask Employees to Leverage Business Email for Official Messages

When working from home, employees tend to have both their personal and business email accounts open on the same personal device. This can tempt them to use their personal email to send and retrieve official messages, which exposes your organisation to eavesdropping should an employee's personal account be compromised.

In such cases, your IT support team has next to no control over the messages and filters in an employee's personal inbox.

This is one of the main reasons to require employees to use only their business email for official messages. Doing so supports your security strategy in several ways, the first being that mail then passes through the organisation's corporate mail server, which already has security controls in place.

It also ensures that suspicious emails and attachments pass through your business server, where they can be inspected and quarantined if they contain dubious macros. Finally, messages can be archived and securely backed up, which matters in the event of a data breach.

2. Enable Multi-Factor Authentication

Ensure that multi-factor authentication (MFA) is turned on for every business email account.

Most employees will already be familiar with the process, but here is how it works:

The employee first enters a password, after which your system sends a secondary one-time PIN (personal identification number) by text message. Once the user enters that PIN, they can use their business email account.

Although this additional step may seem slightly inconvenient, it helps prevent cyber criminals from taking over accounts whose login details have been phished.

Along with email, ensure MFA is enforced on every network employees can reach remotely and on every business application that holds sensitive company data. Even when an attacker succeeds in tricking an employee into handing over their credentials, MFA stops those credentials from being enough on their own.

Moreover, even if cyber criminals obtain an employee's password, MFA prevents them from gaining full access to your systems. That said, if your business is hit by a phishing attack, have employees change their passwords immediately.
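The password-then-PIN flow described above, as an added example in Python (not the article's own code): a minimal server-side verifier that checks a salted password hash, issues a six-digit one-time PIN with a five-minute lifetime, and accepts it only once and only within a bounded number of guesses. The account `alice@example.com`, its password and phone number are constructed sample data, and `send_sms` is a hypothetical stub standing in for the text-message gateway.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

PIN_TTL_SECONDS = 300        # a PIN is valid for five minutes after it is issued
MAX_PIN_ATTEMPTS = 5         # after this many wrong guesses the PIN is discarded
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is what gets stored, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed in-memory user store standing in for a real directory.
DEMO_SALT = b"constructed-salt-not-random"
USERS = {
    "alice@example.com": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery", DEMO_SALT),
        "phone": "+44 7700 900123",   # constructed number from the UK fictional range
    },
}

# user -> {"pin": str, "expires": float, "attempts": int}; one pending PIN per user
PENDING_PINS: Dict[str, dict] = {}


def send_sms(phone: str, text: str) -> None:
    """Hypothetical stub: a real deployment calls the SMS gateway here."""
    print(f"[sms to {phone}] {text}")


def check_password(user: str, password: str) -> bool:
    """Factor one. Hashes even for unknown users so timing does not reveal which accounts exist."""
    record = USERS.get(user)
    salt = record["salt"] if record else DEMO_SALT
    candidate = hash_password(password, salt)
    if record is None:
        return False
    return hmac.compare_digest(candidate, record["pw_hash"])


def issue_pin(user: str, now: Optional[float] = None) -> str:
    """Factor two, step one: generate a fresh PIN and deliver it out of band."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10**6):06d}"       # CSPRNG, always six digits
    PENDING_PINS[user] = {"pin": pin, "expires": now + PIN_TTL_SECONDS, "attempts": 0}
    send_sms(USERS[user]["phone"], f"Your login code is {pin}. It expires in 5 minutes.")
    return pin


def verify_pin(user: str, candidate: str, now: Optional[float] = None) -> bool:
    """Factor two, step two: time-limited, attempt-limited, single use, constant-time compare."""
    now = time.time() if now is None else now
    state = PENDING_PINS.get(user)
    if state is None:
        return False
    if now > state["expires"]:
        del PENDING_PINS[user]           # expired PINs are never accepted
        return False
    state["attempts"] += 1
    if state["attempts"] > MAX_PIN_ATTEMPTS:
        del PENDING_PINS[user]           # too many guesses: the user must request a new PIN
        return False
    if hmac.compare_digest(state["pin"], candidate):
        del PENDING_PINS[user]           # a correct PIN is consumed, so a replay fails
        return True
    return False


def login(user: str, password: str, read_pin_from_user: Callable[[], str]) -> bool:
    """Full flow: the PIN is only issued once the password has been verified."""
    if not check_password(user, password):
        return False
    issue_pin(user)
    return verify_pin(user, read_pin_from_user())
```

The ordering matters: the PIN is sent only after the password is accepted, so an attacker with a phished password still has to defeat the second factor, and the attempt cap keeps a six-digit code from being guessed within its lifetime.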

3. Leverage Work Email or DMARC Services

Attackers often spoof the “From” address, so the email appears to come from a legitimate sender and employees are tricked into giving away personal and company data.

Having DMARC (Domain-based Message Authentication, Reporting & Conformance) in place for your work email is an excellent way not only to prevent this, but also to protect all of your business's domains from being impersonated.

DMARC builds on the domain name system (DNS): the organisation publishes records stating which mail servers are permitted to send on its behalf, so any other IP address is effectively banned from doing so. When your email server receives a message, it looks up those records and checks the sending IP against them. If that IP is not permitted to send mail for the domain, the server will either alert you or quarantine the message for further inspection; in either case, the email is kept out of your employees' inboxes.

Alongside using DNS to check the sending server, you can also use it to verify the signature carried within the message itself.

With DMARC and these DNS checks in place, your server can discard most spoofed phishing emails. Criminals can still fall back on other social engineering techniques and look-alike addresses, but they can no longer send mail that claims to come from your own domain.
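The receiving-side check this section describes, as an added example in Python (not the article's code or any vendor's). It evaluates the sending IP against the domain's published SPF record, checks whether an already-verified DKIM signing domain aligns with the From domain, and then applies the domain's DMARC policy to decide whether the message passes, is quarantined or is rejected. Real receivers resolve these records over DNS; here `DNS_TXT` is a constructed zone table so the example runs offline, `example.com`, `mail.example.net` and the IP ranges are documentation values, and both the subdomain fallback and relaxed alignment are simplified to a parent/subdomain label comparison rather than the full organisational-domain lookup.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed zone table standing in for live DNS TXT lookups (documentation
# domains and address ranges; not real infrastructure).
DNS_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=r; "
        "rua=mailto:dmarc-reports@example.com"
    ],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name: str, dns: Dict[str, List[str]] = DNS_TXT) -> List[str]:
    return dns.get(name.lower(), [])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=quarantine; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def get_dmarc_policy(from_domain: str, dns=DNS_TXT) -> Optional[Tuple[Dict[str, str], str]]:
    """Return (tags, disposition) for the From domain, or None if nothing is published.
    Looks at _dmarc.<domain> first, then walks up parent labels and applies the
    parent's sp= (subdomain policy) if present. Simplified organisational-domain lookup."""
    labels = from_domain.lower().split(".")
    for i in range(len(labels) - 1):            # never query the bare TLD
        for txt in lookup_txt("_dmarc." + ".".join(labels[i:]), dns):
            if txt.lower().startswith("v=dmarc1"):
                tags = parse_dmarc(txt)
                if i == 0:
                    return tags, tags.get("p", "none")
                return tags, tags.get("sp", tags.get("p", "none"))
    return None


def spf_check(domain: str, sender_ip: str, dns=DNS_TXT, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for one sending IP (ip4/ip6/include/all only)."""
    if depth > 10:
        return "permerror"                       # include: loop guard
    records = [t for t in lookup_txt(domain, dns) if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                       # more than one SPF record is invalid
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[len("include:"):], sender_ip, dns, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            matched = False                      # a/mx/exists/redirect are not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match; relaxed (r) accepts a
    parent/subdomain relationship (simplified from the organisational-domain rule)."""
    a, f = authenticated_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_evaluate(from_domain: str, envelope_domain: str, sender_ip: str,
                   dkim_domain: Optional[str] = None, dns=DNS_TXT) -> str:
    """Return 'pass', 'none' (no policy published) or the disposition to apply.
    dkim_domain is the d= of a DKIM signature that has ALREADY verified; signature
    verification itself is outside this example."""
    found = get_dmarc_policy(from_domain, dns)
    if found is None:
        return "none"
    tags, disposition = found
    spf_aligned = (spf_check(envelope_domain, sender_ip, dns) == "pass"
                   and aligned(envelope_domain, from_domain, tags.get("aspf", "r")))
    dkim_aligned = dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_aligned or dkim_aligned) else disposition
```

Two cases are worth tracing: a message with `From: example.com` sent from `192.0.2.1` fails SPF and, lacking an aligned DKIM signature, gets the published `p=quarantine`; a message from `newsletter.example.com` with no record of its own inherits the parent's `sp=reject`. A domain that publishes no DMARC record at all yields `none`, which is exactly the gap attackers exploit and why the section recommends publishing one.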

4. Add Email Filters to Scan Attachments

Malicious attachments are another exploit vector: they carry scripts that, once downloaded and opened, deliver malware to the device.

Typically these attachments are MS Office documents whose macros (embedded programs) run when the file is opened. Current versions of MS Office warn the user by default, yet many employees still click through and allow the macro without considering the consequences.

Once a macro runs on a system, it can do far more than load malicious files: it can make changes that give the attacker remote control over the machine and the wider network, letting them view data, exfiltrate confidential information and use your systems to attack others.

By scanning and quarantining suspicious attachments, an administrator can review and delete malicious messages before they cause harm. Quarantining rather than deleting outright also preserves false positives for release, while ensuring malicious attachments never reach employees' inboxes.
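A minimal attachment filter of the kind this section describes, as an added example in Python (not the article's code or any product's). It classifies each attachment as allow, quarantine or review: executable and script file types are quarantined outright, modern Office documents (OOXML zip containers) are opened and quarantined if they carry a VBA project regardless of what the file extension claims, and legacy binary Office files are routed to a reviewer because macros cannot be ruled out without parsing the OLE container. The sample documents are constructed in memory by `build_ooxml` so the example runs offline; the extension sets are a starting point, not a complete policy.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsm/...) is a zip file

# Starting-point lists, not a complete policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".hta", ".jar", ".ps1", ".bat", ".cmd"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
LEGACY_OFFICE = {".doc", ".dot", ".xls", ".xlt", ".xla", ".ppt", ".pot", ".pps"}


@dataclass
class Verdict:
    action: str   # "allow", "quarantine" or "review"
    reason: str


def extension_of(filename: str) -> str:
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_has_vba(data: bytes) -> bool:
    """A macro-enabled OOXML file carries a vbaProject.bin part under word/, xl/ or ppt/."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_attachment(filename: str, data: bytes) -> Verdict:
    """Decide what the mail gateway should do with one attachment."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict("quarantine", f"executable or script attachment type {ext}")
    if data.startswith(ZIP_MAGIC):
        # Judge the content, not the name: a .docm renamed to .docx still has the VBA part.
        if ooxml_has_vba(data):
            return Verdict("quarantine", "Office document contains a VBA macro project")
        if ext in MACRO_EXTENSIONS:
            return Verdict("review", "macro-enabled extension but no VBA project found")
        return Verdict("allow", "Office document without macros")
    if data.startswith(OLE_MAGIC) or ext in LEGACY_OFFICE:
        return Verdict("review", "legacy binary Office format; macros cannot be ruled out without OLE parsing")
    return Verdict("allow", "no Office content or executable type detected")


def scan_mailbox(attachments: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    """Apply the filter to (filename, bytes) pairs; returns {filename: action}."""
    return {name: scan_attachment(name, data).action for name, data in attachments}


def build_ooxml(parts: Dict[str, object]) -> bytes:
    """Construct a minimal OOXML-style zip in memory (a fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments used below.
CLEAN_DOCX = build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
MACRO_DOCM = build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                          "word/vbaProject.bin": b"\x00" * 32})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 64
```

The "review" outcome is what makes the false-positive handling in the text workable: anything the filter cannot prove safe or malicious lands in a queue an administrator can release or delete, instead of being silently dropped or silently delivered.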

5. Conduct Regular User Training

A well-crafted phishing or social engineering campaign can get past even the best technical email security controls.

Without user training, employees will not be able to recognise a phishing attempt and will fall for such attacks from time to time.

Because data breaches have become such a serious problem, health and financial institutions have started running formal user training. The lesson is simple: regardless of the size of your organisation, your employees need the right training.

By making cyber security training a core part of your organisation's onboarding process and covering it in the user manual, you ensure that employees are aware of the various insider threats. Training also teaches them how to spot and avoid social engineering and phishing attempts, and whom to report a suspicious email to so that it can be reviewed.

To Conclude – Keep Up With Cyber Security to Protect Your Employees and Business Data

Although your organisation cannot fully control the personal devices employees use (they are, after all, working remotely), you can still train staff on the specific cyber security measures in place.

By using the right technology and training resources, you can keep social engineering and phishing attacks out of your email accounts.

And you can keep your confidential business information secure while your workforce works from home.