There’s a crime wave underway. Cybercriminals are targeting your employees with a wave of phishing emails. The deviousness and effectiveness of these attacks is higher than anyone in the security industry has seen in years.

Exploiting the anxiety and lack of information around the coronavirus pandemic, these emails also take advantage of the fact that many people are working from home — far away from direct IT support, often distracted by family or household issues, and with an even higher than usual reliance on email.

These attacks often impersonate trusted government or international institutions. For example, the FBI warned people to be on the lookout for fake CDC emails and other coronavirus-related phishing attacks. Valimail has found evidence of threat actors sending email from domains that look like the CDC, such as cdc.agency. Attackers have sent coronavirus-themed phishing emails while exploiting an open redirect on the Department of Health and Human Services’ website to spread malware. And the World Health Organization is warning people about scams where phishers have impersonated WHO officials.

To prevent damage from these phishing attacks, organizations need to take a few simple but important steps to improve their email security posture.

Follow these six strategies, and your email infrastructure will be far safer from phishing and business email compromise (BEC). And you’ll be protecting not only your employees, but also your customers and partners, from one of the most commonly used attack vectors on the planet.

1. Mandate MFA

Corporate IT departments should maintain good security hygiene by mandating multifactor authentication (MFA), also known as two-factor authentication, for email accounts as well as all corporate applications. This is more important than ever in the newly distributed, heterogeneous IT environment of today. It greatly reduces the risk of account takeover in the event that an employee does get successfully phished and clicks on a malicious link.

2. Institute Simple, Clear Anti-phishing Training.

The purpose of training is not to make employees solely responsible for stopping phish, but to make them harder targets — and make sure it’s very clear to every employee what they should do if they spot an email that looks suspicious. Employees should never wonder what to do or how to respond when they see a message they think is “phishy.”

3. Make it Easy for Employees to Report Suspected Phish.

Provide a way for people to let IT know about any suspected phishing emails, so your security team can maintain good situational awareness.  This can be as simple as an email address monitored by your IT team, or as complex as a cloud-based system that integrates into your email so employees can mark suspicious messages with the click of a button. This provides critical intelligence on what’s getting through your existing defenses, and how you might need to adjust your defensive strategy or email policies.

4. Implement DMARC Enforcement

If your domains aren’t already protected by DMARC enforcement, now is a good time to prioritize that project. Keep in mind that simply publishing a DMARC record won’t actually stop phishers from spoofing your identity until you configure an enforcement policy. You need to configure SPF and DKIM properly, and then configure DMARC with a policy of “quarantine” or “reject,” to stop these damaging impersonations.

Incidentally, the FBI recommends using DMARC to mitigate the risks of BEC.

5. Build a Layered Defense

Look into solutions that protect against email attacks based on validating the identity of the sender, not just the contents of the message or its context. Content-centric email security solutions can often miss the most devious phish, which contain no malware or malicious links. They can often be fooled by content that has never been seen before — which is about ⅔ of all phishing content, according to Google. Meanwhile, emails that masquerade as a trusted sender often sail right through email defenses. As a result, nearly 90% of all phish use sender identity fraud as their attack vector. Layer content- and identity-centric solutions to ensure maximum protection, as Forrester Research has recently recommended.

6. Audit Email-sending Platforms and Servers

The average enterprise uses dozens of cloud-based services for nearly every business and IT function under the sun. Many of those services are able to send email on behalf of the company, whether that’s a payroll system sending notifications to the staff or a marketing platform sending emails to prospective customers.

Companies we work with are constantly surprised to discover that there are two or three times as many services sending email on their behalf as they expected. If you find services that aren’t being actively used or which don’t actually need to send email, shut them off to prevent them from being used as a phishing conduit.

The same goes for email servers. Despite the shift to the cloud, we have found that most companies we work with still have a few orphaned mail servers still actively sending out messages. If they aren’t being actively used for a legitimate business purpose, turn them off.