NCSC – Introduction to Phishing

How to defend your organisation from email phishing attacks.

Original NCSC article found here

Introduction to Phishing

Phishing attacks: defending your organisation contains advice on how organisations can defend themselves against malicious emails that use social engineering techniques. It outlines a multi-layered approach that can improve your resilience against phishing, whilst minimising disruption to user productivity. The mitigations suggested are also useful against other types of cyber attack, and will help your organisation become more resilient overall.

• This guidance is aimed at technology, operations or security staff responsible for designing and implementing defences for medium to large organisations. This includes staff responsible for phishing training.
• Staff within smaller organisations will also find this guidance useful, but should refer to the NCSC’s Small Business Guidebeforehand.
• This guidance concludes with a real-world example that illustrates how a multi-layered approach prevented a phishing attack from damaging a major financial-sector organisation.

What is phishing?

Phishing describes a type of social engineering where attackers influence users to do ‘the wrong thing’, such as disclosing information or clicking a bad link. Phishing can be conducted via a text message, social media, or by phone, but these days most people use the term ‘phishing’ to describe attacks that arrive by email. Email is an ideal delivery method for phishing attacks as it can reach users directly and hide amongst the huge number of benign emails that busy users receive.

Phishing emails can hit an organisation of any size and type. Aside from the theft of information, attacks can install malware (such as ransomware), sabotage your systems, or steal money through fraud. You might get caught up in a mass campaign (where the attacker is just looking to collect some new passwords or make some easy money), or it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like the theft of sensitive data. In a targeted campaign the attacker may use information about your employees or company to make their messages even more persuasive and realistic. This is usually referred to as spear phishing.

Why phishing works

Phishing works because it exploits people’s social instincts, such as being helpful and efficient. Phishing attacks can be particularly powerful because these instincts also make us good at our jobs, and shouldn’t be discouraged.

The mitigations included in this guidance require a combination of technological, process, and people-based approaches. They must be considered as a whole for your defences to be really effective. For example, if you want to encourage people to report suspicious emails, then you need to back that up with a technical means of doing so, and a process behind it that will provide timely feedback on the email they submitted. Only then will the user obtain any value from reporting, and the mitigation be effective.

Phishing defences: a multi-layered approach

Typical defences against phishing are reliant on users’ abilities to detect phishing emails, and the NCSC has discussed the limitations of doing this. However, by widening your defences, you can improve your resilience against phishing without disrupting the productivity of your users. You’ll also have multiple opportunities to detect a phishing attack, and then stop it before it causes harm to your organisation. Accepting the fact that some will get through will help you plan for the day when an attack is successful, and minimise the damage caused.

This guidance splits the mitigations into four layers on which you can build your defences:

1. Make it difficult for attackers to reach your users
2. Help users identify and report suspected phishing emails
3. Protect your organisation from the effects of undetected phishing emails
4. Respond quickly to incidents 
5. Some of the suggested mitigations may not be feasible within the context of your organisation. If you can’t implement all of them, try to address at least some of the mitigations from within each of the layers. As a result, you’ll be in a much better place to defend against phishing attacks.