Best Practices to Prevent Phishing Attacks


No technical control can prevent phishing or other cyber attacks on its own if end users don't know how to spot and report a phishing attempt. That's why training is essential to any cybersecurity program. Anti-phishing best practices require a combination of technical controls, employee education and incident response.

Technical Controls to Protect End Users

Malicious emails will undoubtedly wind up in some users' inboxes. The fewer that arrive, the less likely your users are to fall victim. Apply a Zero Trust mindset: assume some malicious mail will get through, and limit what a phished credential or compromised endpoint can do. Here are four best practices to use:

  • Email content filtering. Installing an email content filtering system is the first step against spam and other malicious emails. Using a combination of methods to identify malicious messages, these filters block, quarantine or allow emails based on policy. They also protect against malicious URLs by rewriting or stripping links, or by working with web filtering tools to scan a destination site before allowing the user to connect.

There are established vendors who offer on-premises and cloud-based email content filtering. There are also cloud-native API-enabled email security (CAPES) vendors who work with cloud email providers such as Microsoft to provide an extra layer of protection.

  • Email authentication. Email authentication uses DMARC (Domain-based Message Authentication, Reporting and Conformance) so the security team can detect, and ultimately reject, incoming email that uses a forged "from" address. DMARC builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM): a message passes DMARC only if SPF or DKIM passes and the domain that passed is aligned with the visible From domain. Rolling this out without disrupting legitimate email (third-party senders, forwarding, marketing platforms) is a challenge for most internal teams, which is why organizations typically start with a monitoring-only policy (p=none), review the aggregate reports, and only then move to quarantine or reject. There are vendors that can help.
  • Provide security awareness training to all. No anti-phishing solution will succeed without security awareness training that is mandatory for all staff. E-learning modules, assessments, workshops, themed awareness campaigns, training segmented by user role and risk, and phishing simulation platforms are all part of this. They help users recognize phishing attempts and report them to the security team, which can then warn the rest of the organization, so that spotting phishing is everyone's job rather than solely the CISO's responsibility. Vendors can help arrange these.
  • Leverage threat intelligence. Anti-phishing and email security vendors collect data from observed phishing attempts, open source intelligence and private feeds. They use it to inform users about current impersonation themes and new attack types, to score sender and domain reputation, and to add geolocation context about where attacks are originating so that email from high-risk sources can be flagged.
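To make the DMARC rule above concrete, here is the policy evaluation a receiving mail server performs once SPF and DKIM have been checked. This is an added example written for this page, not code from the article or from any vendor; the domains, DMARC records and SPF/DKIM results are constructed, and the organizational-domain reduction is simplified (real receivers consult the Public Suffix List).

```python
"""
Added example, not from the original article: how a receiving mail server
evaluates DMARC. A message passes DMARC only when SPF *or* DKIM passes AND
the domain that passed is aligned with the RFC5322.From domain. Alignment is
relaxed by default (same organizational domain) or strict (exact match).
All records, domains and authentication results below are constructed.
"""

# Constructed DMARC records for the hypothetical domain example.com.
REJECT_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SUBDOMAIN_RECORD = "v=DMARC1; p=reject; sp=quarantine"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return {
        "policy": tags["p"].lower(),
        "subdomain_policy": tags.get("sp", tags["p"]).lower(),
        "adkim": tags.get("adkim", "r").lower(),  # DKIM alignment: r(elaxed)/s(trict)
        "aspf": tags.get("aspf", "r").lower(),    # SPF alignment: r(elaxed)/s(trict)
        "pct": int(tags.get("pct", "100")),
    }


def org_domain(domain: str) -> str:
    """Simplified organizational domain: keep the last two labels.
    Real receivers use the Public Suffix List so that e.g. 'co.uk' is handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment requires an exact match; relaxed allows subdomains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record: str, record_domain: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str):
    """Return (dmarc_pass, disposition); disposition is none/quarantine/reject.

    spf_domain is the envelope (MAIL FROM) domain SPF evaluated; dkim_domain is
    the d= tag of the DKIM signature. Pass '' for a missing result.
    """
    p = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(from_domain, spf_domain, p["aspf"]))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(from_domain, dkim_domain, p["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    # Failed: p= applies to the domain itself, sp= to its subdomains.
    same_domain = from_domain.lower() == record_domain.lower()
    return False, p["policy"] if same_domain else p["subdomain_policy"]


if __name__ == "__main__":
    # Spoof: the attacker's mail server legitimately passes SPF and DKIM for
    # attacker.net, but that domain is not aligned with the forged From: domain.
    print(evaluate_dmarc(REJECT_RECORD, "example.com", "example.com",
                         "pass", "attacker.net", "pass", "attacker.net"))
    # Legitimate bulk mail: SPF passes for bounce.example.com, relaxed alignment.
    print(evaluate_dmarc(REJECT_RECORD, "example.com", "example.com",
                         "pass", "bounce.example.com", "fail", ""))
```

Note the consequence for the rollout advice above: with p=none the spoofed message still fails DMARC, but the disposition is "none", so it is delivered and only reported. Moving to reject is what actually blocks it.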

Train Your Staff to Recognize Phishing Attempts

As we said, malicious actors will undoubtedly attempt to infiltrate your organization with sophisticated phishing. Some of those emails will inevitably pass through your technical controls and end up in users' inboxes, making your users the last line of defense. Train them to stand guard by following three best practices to keep your organization protected:

  • Create e-learning modules. Your staff needs to be trained to recognize phishing emails and to know what to do once they have spotted one. Create e-learning modules as part of your security awareness and training program. These modules should teach users to report the email to the IT or security team so it can be confirmed as malicious and the rest of the workforce can be warned about the attempt. Deleting the email is simply not enough; warning the rest of the workforce that similar attacks could be coming their way is essential, as is updating filtering technologies to stop future copies. Keep in mind that this training should not be a yearly procedure but ongoing and based on real-world attacks.
  • Report phishing attempts. As stated above, deleting a phishing email is not enough. There should be a documented procedure that teaches all employees what to do whenever such an email reaches their inbox. Reporting not only allows the security team to protect the organization, it also shows them which attack types are getting through, the language used and other details that can be fed back into awareness and training content. The same information is used to update detection technologies.
  • Test and measure performance. Testing how well employees have retained their security awareness training by using simulated phishing emails gives the security team results that can be collected, tracked and reported back. The security team can then use those results to improve the awareness program, to target higher-risk users with supplemental training, and to track the effectiveness of the program over time.

Plan for Technical and Human Failure

Even though you’ve made your employees aware and taken every technical precaution possible, someone will be successfully phished. It’s a given, especially with the sophistication these days of well-crafted malicious emails. It could happen by someone clicking on a malicious URL, opening a malware-infected file or going to a website that asks for their credentials. Despite technical controls to limit the impact of these actions, your team must also be ready to respond quickly to clean up the mess. Here are three best practices to limit the impact of a successful phishing attack:

  1. Use browser isolation technology (BIT). BIT runs web sessions in a protected sandbox so that malicious sites are rendered harmless: malware is not delivered to the endpoint, and sensitive information cannot be gathered from employees who click on phishing links.
  2. Enable multi-factor authentication (MFA). Many phishing attempts aim to capture a user's credentials so the attacker can reuse them in a follow-on attack. MFA makes a captured password far less useful on its own. Not all MFA is equal, however: SMS codes, app-generated codes and push approvals can be relayed in real time by a proxy phishing site, whereas FIDO2/WebAuthn hardware security keys bind the login to the genuine site's origin and cannot be replayed elsewhere. Google reported that it saw no successful employee account takeovers once it required hardware security keys for MFA.
  3. Create and practice an incident response playbook. When all else fails, the quality of your incident response will make the difference between a disaster and a manageable problem. The playbook directs what happens after a successful phish and should be practiced regularly. Your managed service provider (MSP) can help with this if you don't have an internal incident response team.
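The phishing resistance of hardware security keys (item 2 above) comes from a concrete check, not from the hardware alone. The browser records the origin the user is actually on inside the signed clientDataJSON, and the authenticator data carries a hash of the relying-party ID, so a credential exercised on a look-alike domain fails verification on the genuine server. The code below is an added example written for this page, not code from the article or from any vendor or library; `make_assertion` merely simulates what a browser and authenticator would produce, the relying-party name `login.example.com` is an assumption, the sample challenge is constructed, and signature verification over the returned data is left out to keep the focus on the origin binding.

```python
"""
Added example, not from the original article: the relying-party checks that
make FIDO2/WebAuthn logins phishing-resistant. The browser puts the real
origin into clientDataJSON and the authenticator prefixes its data with
SHA-256(rpId). A phishing site on a look-alike domain therefore produces an
assertion the genuine server rejects before any cryptography is examined.
Relying-party identity, origins and the challenge are constructed; the
signature check that follows these steps in the spec is omitted.
"""
import base64
import hashlib
import json

EXPECTED_RP_ID = "login.example.com"                 # assumption for this example
ALLOWED_ORIGINS = {"https://login.example.com"}      # exact-match allow list
FLAG_USER_PRESENT = 0x01                             # authenticator data flags bit


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Simulate the browser + authenticator output for a login ceremony.

    The browser fills in the *actual* page origin; the authenticator hashes
    the rpId the browser passed it. Neither can be chosen by the web page.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash, 32 bytes
                 + bytes([FLAG_USER_PRESENT | 0x04])       # flags: UP + UV
                 + (0).to_bytes(4, "big"))                 # signature counter
    return {"clientDataJSON": b64url_encode(client_data),
            "authenticatorData": b64url_encode(auth_data)}


def verify_assertion(assertion: dict, expected_challenge: bytes):
    """Server-side checks from the WebAuthn 'verifying an assertion' steps.
    Returns (ok, reason). Signature verification would follow on success."""
    client = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client.get("origin") not in ALLOWED_ORIGINS:
        # This is the step a phishing proxy cannot get past.
        return False, f"origin {client.get('origin')!r} not allowed"
    auth = b64url_decode(assertion["authenticatorData"])
    if len(auth) < 37:
        return False, "authenticator data too short"
    if auth[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match our relying party"
    if not auth[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"constructed-32-byte-challenge!!!"  # server-generated per login
    genuine = make_assertion("https://login.example.com", challenge, "login.example.com")
    phished = make_assertion("https://login-example.com", challenge, "login-example.com")
    print(verify_assertion(genuine, challenge))
    print(verify_assertion(phished, challenge))
```

In practice the browser already refuses to use a credential on any origin outside its registered rpId, so the look-alike site never even obtains a usable assertion; the server-side check above is the defense-in-depth the specification still requires. A one-time code relayed through a proxy site has no such origin field, which is why it remains phishable.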

Craft a Layered Defense Strategy to Prevent Phishing Attacks

Technical controls alone won't protect users. A combination of prioritized technical controls, user education and incident response offers the best protection.

In addition:  

  • Customize the modules. Be aware that some users loathe security awareness training because it is boring or impersonal. Users need to be engaged by their anti-phishing educational content. If possible, use vendors that offer customizable learning platforms and modules that your own security team can edit to include examples relevant to your organization and relatable to your team.
  • Invest in authentication capabilities. Phishing emails often appear to come from a legitimate sender using your own domain. DMARC protects against this kind of spoofing, but it is complex to deploy. Your MSP should be able to help, or choose a vendor who can, so that you progress from merely receiving DMARC reports to actually rejecting mail that fails authentication.
  • Use a phishing takedown service. Phishing takedown services step in after a user has clicked a malicious link, limiting or blocking access to the site the phishing email points to. They can also hunt down malicious domains and work with hosting providers to remove them, so users are never directed there in the first place.
  • Take the shame out of your security policies. Shaming a user for falling for a phishing attack that would fool even senior security practitioners is simply not helpful. It often makes them more resistant to security policies and less likely to report phishing attempts or complete their training. Empathy works better. Frame security policies and security education in a positive light, so that security is seen as a helpful business enabler rather than an exclusive, punitive group.
  • Make it personal for your personnel. Phishing attacks are often thought to be limited to the recipient's corporate inbox. They're not. Cybercriminals often target the recipient's personal email as well as their corporate accounts, and a compromised personal account or device can introduce risk into your environment.

Home online-safety risks should be incorporated into training materials so users can share the knowledge with their families. Security education should protect users outside the office and off your network as well.

Need help implementing best practices to prevent phishing attacks or do you have other cybersecurity or IT support needs for your business? Contact us or book a meeting for a no-obligation consultation.

Sources: Forrester, Best Practices: Phishing Prevention


Dave Hatter (CISSP, CCSP, CCSLP, Security+, Network+) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.
