Vasu Jakkal, Vice President of Security of Microsoft highlights the importance of this concept by stating that “we cannot have any technological transformation without first thinking about security. As business leaders, it is extremely important to understand what security means in this new world.” Without this solid foundation, the adoption of new technologies becomes a risk for companies, governments and people.
One of the biggest challenges in cybersecurity today is phishing, a tactic used by cybercriminals to steal confidential information, posing as legitimate entities. Phishing attacks have evolved, becoming more sophisticated thanks to the use of artificial intelligence (AI). According to Jakkal, AI allows attackers to “do things like reconnaissance, find information about targets, create malware, and launch phishing attacks. We will see more password cracking and deepfakes in the near future.”
What types of phishing exist?
- Content injection: This type of attack injects a familiar website, such as an email login page or online banking portal, with malicious intent. It may include a link, form, or pop-up window that directs you to a secondary website, where you are asked to enter confidential information.
- Link manipulation: Sometimes a phishing scam takes the form of a malicious link that appears to come from a trusted source, such as large companies or famous brands. If the user clicks on the link, they are directed to a fake website where they are asked for account information.
- Email: This is the most common method of phishing. Phishing emails can arrive in personal or professional inboxes, and may include instructions to follow a link or open a malicious attachment.
- “Man-in-the-middle”: In this type of attack, a cybercriminal tricks two parties into sending mutual information. The fraudster can alter the data being sent or falsify requests between the parties involved.
- Spear phishing: A more advanced version of phishing that targets specific people, rather than random targets, using personalized information to make the attack more credible.
10 keys to avoid phishing and protect your information
These are the main keys that Microsoft recommends as part of smart cybersecurity practices:
1. Identify internal and external threats: It is essential that companies recognize that threats not only come from outside, but also from within the organization. According to Luisa Esguerra, Security Solutions Manager at Microsoft SSA, employees are often “the weakest link in the security chain.” Therefore, it is essential to train them in identifying phishing attacks and how to protect themselves from them.
2. Train your employees regularly: Phishing is based on human error. To reduce risk, organizations should provide ongoing training to their employees. Esguerra points out that “if an employee is not trained, they are more likely to fall into the trap of a malicious email or a fraudulent message.” Training should include identifying red flags in emails and security practices.
3. Implement multi-factor authentication: Esguerra mentions that “today, multi-factor authentication is one of the most effective barriers against identity theft and unauthorized access. “This technology requires users to confirm their identity using multiple methods, making it difficult for attackers to access.”
4. Eliminate weak passwords: According to Vasu Jakkal, “Hackers don’t sneak in; log in.” That is, weak passwords are one of the main access routes for attackers. Therefore, it is recommended to adopt solutions such as authenticators that eliminate the need for passwords and use more secure methods, such as biometrics.
5. Keep systems and browsers updated: Lack of updates is an open door for phishing attacks. Esguerra highlights the importance of keeping systems and browsers up to date: “updates include vital security patches that fix known vulnerabilities, reducing the attack surface.”
6. Scan suspicious emails: Carefully reviewing each email before opening attachments or clicking on links is essential. Signs of phishing include incorrect return addresses, generic greetings like “Dear Customer,” and messages that create a sense of urgency. Esguerra emphasizes that “hurry is the ally of cybercriminals; You always have to take the time to verify.”
7. Enable phishing and spam filters: Using advanced filters to detect malicious emails and block them before they reach employees is a crucial measure. “Preventing fraudulent emails from reaching employees’ mailboxes is one of the first lines of defense against phishing attacks,” says Esguerra.
8. Protect mobile devices: Phishing is not just limited to email. Attacks through text messages or messaging applications are increasingly common. Esguerra emphasizes the importance of protecting mobile devices by using biometric locks and restricting untrusted applications.
9. Continuously monitor your digital environment: Constant vigilance is a key to preventing phishing and other cyberattacks. According to Jakkal, real-time monitoring is essential to identify suspicious behavior before it causes damage: “with the massive volume of data circulating today, traditional systems are not sufficient to analyze and respond to attacks effectively.” .
10. Evaluate the resilience of your company: Companies must be prepared to respond quickly to cybersecurity incidents. Esguerra mentions that “if a company is not prepared to face a cybersecurity incident, the consequences can be devastating.” It is vital to conduct regular security audits and have a contingency plan in place.