Phishing is an ever-present tactic used by cybercriminals, and so it remains a hot topic for data protection professionals. Across all industries we have seen a rise in phishing attacks, which are becoming more convincing and harder to detect.
Some phishing attempts are multi-layered: a first phishing attack succeeds against a trusted source, so that when a communication from what appears to be a trusted organisation lands in an organisation's inbox (the second stage of the attack), it appears to be legitimate.
How is the risk growing?
Phishing remains one of the most common tactics used by cybercriminals largely because of its effectiveness. Attackers exploit human trust, disguising malicious emails to appear genuine. These attempts often play on urgency, fear or authority, increasing the likelihood that the recipient will act without thinking. Some phishing campaigns are even becoming multi-layered. For example, if an attacker successfully compromises a trusted source, they can use that access to send phishing emails from within. When the next wave of emails arrives in an organisation’s inbox, it appears to come from a legitimate and trusted sender, making it far more convincing.
When such attacks succeed, the impact can be significant. Sensitive information may be exposed, financial fraud carried out, or malware introduced into the organisation’s systems. Data protection professionals must consider not only how to stop phishing attempts, but also how to limit the potential damage if one succeeds.
How to mitigate the risks?
Mitigating the risks of phishing requires a combination of robust processes and security awareness. Firstly, organisations should avoid using inboxes as filing systems. In the event that a malicious actor does manage to infiltrate your inbox, the less data there is in it, the better. Setting appropriate retention periods ensures emails are not kept longer than necessary, limiting the exposure window for sensitive information.
Equally important is discouraging the local storage of personal data on devices. Locally stored files are highly vulnerable to malware, which can easily be deployed via phishing attachments or malicious links. Organisations must communicate this risk clearly to employees and enforce policies that reduce unnecessary data storage.
From a technical perspective, IT measures are critical. This includes spam filters, the ability to revoke inbox access quickly, and remote wipe capabilities for devices. Having contingency plans in place ensures an organisation can respond rapidly if a phishing attempt is successful. Finally, trusted anti-virus or anti-malware tools should form the baseline of any cybersecurity strategy.
How to spot phishing attempts?
While preventative measures are vital, education and awareness remain just as important. Employees are your first line of defence, so it is essential that they are given sufficient training to detect phishing attempts and to take action if an attack is successful. Phishing simulations are an effective way to test staff awareness and provide real-time feedback on how to improve.
There are several red flags that employees should always look out for:
- Suspicious links: These are usually a telltale sign of a phishing attempt, and will often contain misspellings, or special characters in place of letters, to make them look like a legitimate link. Never click on a link that could be suspicious.
- Urgent messages: Messages that are designed to make you panic are also a giveaway. If you receive one, remain calm and double check.
- Unexpected attachments: Attachments from cybercriminals will usually contain malware. Never open an attachment unless you are 100% sure that you are the intended recipient, and that it has come from a legitimate source.
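The "suspicious links" red flag above (misspelt domains, and lookalike characters standing in for letters) can be checked automatically before a link reaches a user. The following is an added example written for this article, not DPAS tooling or code from the original post: it folds punycode and a few confusable characters back to ASCII, then compares the hostname against a constructed allow-list of trusted domains (the domain names, the confusables table and the two-edit threshold are all assumptions).

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list: domains this (hypothetical) organisation treats as trusted.
TRUSTED_DOMAINS = ["example.com", "dpas-portal.co.uk"]

# Constructed confusables table: a few Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "х": "x", "і": "i", "ѕ": "s", "ο": "o", "ј": "j"})
MAX_EDITS = 2  # assumption: up to two edits still counts as a misspelling of a trusted name


def levenshtein(a, b):
    """Edit distance between two strings (catches swapped, dropped or added letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_host(url):
    """Return (decoded host, folded host): punycode decoded, lookalikes mapped to ASCII."""
    host = (urlparse(url).hostname or "").lower()
    decoded = ".".join(label.encode("ascii").decode("idna") if label.startswith("xn--")
                       else label for label in host.split("."))
    folded = unicodedata.normalize("NFKC", decoded).translate(CONFUSABLES)
    return decoded, folded


def classify_link(url):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    decoded, folded = normalise_host(url)
    if not decoded:
        return ("suspicious", "link has no hostname")
    core = folded[4:] if folded.startswith("www.") else folded
    for trusted in TRUSTED_DOMAINS:
        if core == trusted or core.endswith("." + trusted):
            if decoded != folded:  # matched a trusted name only after folding lookalikes
                return ("suspicious", "lookalike characters imitating " + trusted)
            return ("trusted", trusted)
        if ("." + trusted + ".") in ("." + core + "."):  # e.g. example.com.attacker.test
            return ("suspicious", "embeds trusted name " + trusted)
        if levenshtein(core, trusted) <= MAX_EDITS:
            return ("suspicious", "misspelling of " + trusted)
    return ("unknown", core)
```

A link that comes back "unknown" is not cleared; it simply matches nothing on the allow-list and still deserves the pause-and-verify step described below.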
By empowering employees to pause, think, and verify before clicking or opening attachments, organisations can reduce their vulnerability. Combined with wider record management practices and device security training, a strong culture of vigilance can be built, complementing technical safeguards.
How to stay resilient against phishing threats?
Phishing for data will remain a challenge as long as cybercriminals can exploit human behaviour. However, organisations can make themselves more resilient. By implementing retention policies, strengthening IT security measures, and providing regular employee training, the risks of phishing can be significantly reduced.
For organisations looking to strengthen their data protection strategy, these practices are not optional; they are essential. At DPAS, we work with organisations to build comprehensive data protection frameworks that address evolving risks such as phishing. Whether through policy development, training, or technical guidance, ensuring resilience is key to maintaining trust and safeguarding sensitive data.