How to protect your business against phishing

A big part of protecting your business, employees, and customers from phishing attacks is by leveraging industry standards and implementing best practices whenever possible. Standards like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are all intended to fight the prevalence of SPAM by allowing receiving email servers to authenticate the servers they receive mail from. Put another way, the goal of these standards is to ensure that mail servers claiming to be sending on behalf of your domain is authorized to do so. Each of these standards are based in DNS and are relatively straightforward to implement.

In fact, you probably get your email through a service provider like Google or Microsoft, and that service includes up to date implementation of these standards. Professional email services like these provide some level of protection against phishing already, but they are far from perfect, leaving open a market for these services.

One major attack method is geared toward stealing information through low-tech methods such as email replies. Tools like content policies available in business productivity services such as Microsoft 365, Google Workspace, and even as a third-party tool from multiple vendors, are invaluable for preventing this sort of attack from reaching a successful conclusion. Content policies help automate the identification of key information types like credit card or bank account numbers, social security numbers, and other information that should be closely guarded, and prevent this information from being sent outside the organization.