Published 2020-06-15 by TechNet New England
Phishing attacks have increased dramatically, with cybercriminals taking advantage of the rapid shift to remote work and the general uncertainty that comes with major disruptions. The emails are more convincing than ever, and they are targeting businesses of every size.
Why Phishing Works
Phishing succeeds because it exploits human psychology, not technical vulnerabilities. Attackers use:
- Urgency: "Your account will be locked in 24 hours"
- Authority: Messages that appear to come from your CEO, your bank, or Microsoft
- Fear: "Unusual login detected on your account"
- Curiosity: "You have a new voicemail" or "Your package is being held"
- Helpfulness: "IT department: Please update your password using this link"
What Modern Phishing Looks Like
Forget the obvious scam emails with broken English and Nigerian prince stories. Modern phishing emails:
- Use perfect grammar and professional formatting
- Replicate real company logos, colors, and email templates
- Come from addresses that look almost identical to legitimate ones
- Reference real people within your organization
- Include legitimate-looking links that redirect to credential-harvesting pages
How to Protect Your Team
Technical Controls
- Deploy advanced email filtering that scans for phishing indicators
- Enable multi-factor authentication on all accounts (this limits damage even if credentials are stolen)
- Publish SPF, DKIM, and DMARC records for your email domain so that receiving mail servers can detect and reject messages that spoof it
- Use web filtering to block known phishing domains
Training and Awareness
- Conduct regular security awareness training, not just once a year
- Run simulated phishing campaigns to test and reinforce training
- Create a simple reporting process so employees can flag suspicious emails
- Celebrate catches rather than punishing failures to encourage reporting
Process Controls
- Establish verification procedures for financial transactions and sensitive requests
- Use out-of-band confirmation (phone call, separate chat) for any unusual requests
- Never change payment information based solely on an email request
What to Do If Someone Clicks
If an employee falls for a phishing attempt, speed matters. Have a clear incident response plan:
- Immediately change the compromised password
- Report the incident to your IT team or MSP
- Check for any unauthorized changes to the account (forwarding rules, app permissions)
- Alert other employees who may have received the same email
- Document the incident for future training
Phishing is not going away. The best defense is a combination of technology and trained, alert employees. If you need help building your phishing defense strategy, contact TechNet New England.