How to prevent Phishing Attacks in your Google for Work domain

July 29, 2016 | Posted by: Meghan Donovan
According to TechTarget, phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels. Attackers have a variety of tools to take advantage of unsuspecting victims, including social engineering that entices the victim to hand over a username and password. An uninformed user can be dangerous to an organization, depending on the amount of data that the account can access.
The FBI received 16,594 reports of phishing attacks in 2015. Indications are that phishing attacks were in decline later in 2015, but more sophisticated attacks such as spear phishing and whaling are prevailing.
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking access to confidential data. Spear phishing attempts are not typically initiated by "random attackers" but are more likely carried out by cyber extortionists seeking financial gain, intellectual property, or information gathered through social engineering attacks.
Whaling is a form of spear phishing that targets high-level actors such as C-level staff and high-ranking officials. Using the same tools to find personal information, these attacks are hard to detect, and often undetectable by conventional spam solutions, because of their narrow focus.
Combating phishing attacks can be daunting; below are steps that will help fight them. Implementing these suggestions can reduce the risk of data and financial loss for your business that uses Google for Work. We encourage you to consider these options, and we would be happy to set up a time to discuss them with you and your staff.

Security Awareness Training

The unaware user can be as much a liability as the ones doing the attacking. Perpetual security awareness training has become as much a necessity as ethics or sensitivity training. A staff member who knows what to look for will also understand what they are protecting and why. Regardless of how much investment is made in equipment and devices to protect our businesses from exploits and threats, the bottom line is that the members of your user community are the weakest link in the security chain. Providing a perpetual schedule of training will reduce the risk of a threat that impacts your organization.
Develop a periodic security awareness program that gives the opportunity to remind staff of, and review any changes to, the Acceptable Use Policy, and that covers the threats that could impact company operations. Consider engaging a Managed Security Services Provider that can deliver training and provide metrics by performing phishing tests on your staff. Repetitive training and testing help reduce risk and give a better understanding of where the weak points are among your staff.

Turn on 2-Step Verification for your Google Apps Domain

2-Step Verification is a method of confirming a user's identity using a combination of two different factors. These factors may be something the user knows, something the user possesses, or something that is inseparable from the user.
2-Step Verification helps protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can't sign in without access to the user's additional verification. This verification can be in the form of codes which only the user can obtain via their own mobile phone, or via an encrypted signature contained on a security key.
In this case, the factors are the user's username and password (something they know) and their cell phone (something inseparable from the user). Read more in the next post about additional options that can be leveraged to enhance security using 2-Step Verification and Google Apps for Work.