The Top 11 Phishing Protection Solutions | Expert Insights (2024)

Phishing protection solutions are a category of cybersecurity software designed to prevent phishing attacks. Since their conception, phishing attacks have evolved to become highly complex and targeted, allowing them to evade traditional email security gateways. As a response to this, email security providers developed a new type of solution dedicated specifically to phishing protection and the prevention of business email compromise (BEC): Integrated Cloud Email Security (ICES) solutions.

Integrated cloud email security solutions sit within each user’s inbox and use machine learning to scan inbound and outbound emails—and sometimes other internal communications—for malicious activity. If the solution finds something suspicious—such as an unusual attachment type from an unknown sender, or an unusual request from a known user—the email is either removed, quarantined, or delivered with a warning banner that explains the potential risks associated with the email to the recipient.

Cloud email security solutions usually also include a “report phishing” plug-in that enables users to report phishing attacks directly from their inbox. The best solutions combine this functionality with phishing simulations that train users to identify and report phishing threats. Together, this combination of technological and human-centric security creates the most effective barrier against phishing attacks.

In this article, we’ll explore the best phishing protection solutions. Some of the providers on this list combine cloud email security with phishing simulations; others extend their phishing protection beyond email to cover other communication channels, such as Slack and Teams. We’ll give you some background information on the provider and the key features of each solution, as well as the type of customer for which they are best suited.

Phishing Protection Solutions: Everything You Need To Know

What Is Phishing?

Phishing is a type of cybercrime based on fraud. In a phishing attack, a cybercriminal contacts their target—usually via email—and tries to manipulate them into doing something that will put their data at risk. A user may be encouraged to share their credentials and financial information, or to install malware that will enable the attacker to access their machine.

Traditionally, phishing attacks were used to target hundreds or even thousands of people at once. Today, these attacks are becoming increasingly targeted; instead of sending a generic email to lots of users, the attacker will research their target before messaging them, then pretend to be someone the target knows in order to gain their trust. Because of this, the attacks are much more convincing and difficult to spot – the target is more likely to share sensitive information. These targeted phishing attacks are known as “spear phishing”.

Aside from traditional phishing and targeted spear phishing attacks, there are a few more types of phishing attack that you should make your users aware of:

  • Whaling is a type of spear phishing that targets high-ranking members of an organization, such as C-suite executives, who are likely to have privileged access to critical corporate systems or valuable data
  • Vishing, short for “voice phishing”, is a phishing attack delivered via phone call, rather than email. These attacks often create a high sense of urgency because the attacker is communicating with the user in real-time and can use this to add pressure
  • SMiShing, or “SMS phishing” is delivered via text message. These attacks often claim to be from a trusted organization, such as a bank or an email post-delivery company, rather than a specific individual
  • Phishing websites look like normal web pages—usually login or payment pages—but they scrape user data and send it directly to an attacker. Often, users open phishing pages from the links sent in phishing emails, but sometimes they can stumble upon them when browsing if the attacker has managed to hide the malicious page within a legitimate website

How Common Are Phishing Attacks?

According to the FBI’s Internet Crime Complaint Center (IC3), phishing is the most prevalent threat type in the US. Unfortunately, phishing attacks are not only prevalent but also highly successful; recent research from Verizon found that 82% of data breaches last year involved a human element, such as phishing or the use of stolen credentials. A further report from IBM discovered that one fifth of companies that suffer a malicious data breach are compromised due to lost or stolen credentials, while 17% are compromised via a direct phishing attack.

What Is Integrated Cloud Email Security And How Does It Work?

Traditionally, email protection came in the form of a secure email gateway (SEG). SEGs create a defensive perimeter around your organization’s email client, preventing the delivery of threats such as spam, graymail, and mail sent from senders on a deny list. However, they aren’t very effective at blocking highly specific and targeted spear phishing attacks.

Integrated cloud email security solutions sit within the user’s inbox, scanning all inbound and outbound (and sometimes also internal) messages for anomalous or malicious activity. Integrated cloud email security solutions use machine learning to detect threats; this enables them to pick up on indicators of compromise that are likely to go unnoticed by a SEG, such as unusual communication patterns, typos and grammatical errors, and unusual attachment types. When a cloud email security tool does find an indicator of malicious activity, it either deletes the email from the user’s inbox, quarantines it, or delivers the email but inserts a warning banner at the top to alert the user to its potential malice.
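The triage flow described above, sketched as an added example that is not part of the original article or any vendor's product. It uses fixed rules as a stand-in for the machine-learning models real solutions rely on; the sender list, extension list, request phrases and sample messages are all constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed baselines; a real product learns these per mailbox.
KNOWN_SENDERS = {"alice@example.com"}
UNUSUAL_EXTENSIONS = (".iso", ".hta", ".js", ".lnk")
UNUSUAL_REQUESTS = ("wire transfer", "gift card", "bank details")

def find_signals(msg):
    """Return the indicators named in the article that this message shows."""
    signals = []
    sender = parseaddr(str(msg["From"]))[1].lower()
    known = sender in KNOWN_SENDERS
    if not known:
        signals.append("unknown_sender")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith(UNUSUAL_EXTENSIONS) for n in names):
        signals.append("unusual_attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if known and any(r in text for r in UNUSUAL_REQUESTS):
        signals.append("unusual_request_from_known_sender")
    return signals

def decide(signals):
    """Map indicators to an action: quarantine, warning banner, or deliver."""
    if {"unknown_sender", "unusual_attachment"} <= set(signals):
        return "quarantine"
    if "unusual_attachment" in signals or "unusual_request_from_known_sender" in signals:
        return "banner"
    return "deliver"  # an unknown sender alone is not enough to act on

def build(sender, body, attachment=None):
    """Construct a sample message (constructed test data, not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "bob@example.com", "sample"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

SAMPLES = {
    "stranger_iso": build("Billing <billing@example.net>", "Invoice attached.", "invoice.iso"),
    "known_unusual": build("Alice <alice@example.com>", "Please send an urgent wire transfer today."),
    "known_normal": build("Alice <alice@example.com>", "Lunch at noon?"),
    "stranger_plain": build("carol@example.org", "Hello, following up on our call."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, decide(find_signals(msg)), find_signals(msg))
```
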

Some cloud email security providers (including many on this list) also offer a plug-in as part of a phishing simulation program that enables users to report phishing threats from directly within their inbox.

Many organizations choose to implement a SEG alongside an integrated cloud email security solution to ensure maximum protection against multiple types of email threat. The SEG acts like the wall around your castle, deflecting known threats; the cloud email security solution acts like the guards patrolling your castle grounds, looking for anything out of the ordinary.

What Are Phishing Simulations And How Do They Work?

Security awareness training (SAT) is a human-centric form of phishing prevention. Usually, a security awareness training course is made up of two parts: content-based learning, and phishing simulations.

Phishing simulations are fake phishing emails that test a user’s ability to identify and report phishing threats. The strongest phishing simulators include a “report phishing” button that plugs into each user’s inbox, enabling them to report simulations (and, in some cases, real phishing threats) directly to their IT team as they come across them.

If a user fails a phishing simulation, they’re informed of where they went wrong, and IT and security teams can assign them more training as required.

What Else Can You Do To Stop Phishing Attacks?

Implementing a robust email security solution that combines ML-driven threat detection with phishing simulations is one of the best forms of defense against sophisticated spear phishing attacks. However, there is no single silver bullet solution to phishing. To ensure your best chances of staying secure, we recommend that you take a multi-layered approach to defense by implementing the following additional tools.

Using a variety of tools in a complementary approach will result in a well-rounded, comprehensive cybersecurity infrastructure, which will also help protect you from other web, identity, and endpoint threats.

Security Awareness Training (SAT)

Security awareness training solutions train users on how to identify and correctly respond to a range of cyberthreats, including phishing attacks. Most SAT solutions combine a mixture of content-based, bite-sized training modules to teach users what different types of attack may look like, with phishing simulations that enable security teams to test how users are likely to respond to a real-life phishing attack. If a user clicks on a link in a phishing simulation, admins are notified and can assign that user further training. SAT is a great way of training users to be more vigilant in their work and personal lives, whilst instilling a culture of security within the organization.

Many organizations make the mistake of assigning security awareness training annually. While this might be enough to tick off a compliance checklist, it’s unlikely to actually improve your security. For best results, we recommend delivering regular, bite-sized training.

Multi-Factor Authentication (MFA)

Multi-factor authentication requires users to verify their identities in two or more ways before being granted access to an account, application, or system. By implementing MFA, you can stop an attacker from accessing a user’s account, even if they’ve managed to get their hands on that user’s password via a phishing attack.

Different MFA solutions support different methods of authentication—some of which are less “phishable” than others. The strongest methods of authentication to prevent phishing attacks are biometric authentication (such as fingerprint scanners, facial recognition, and behavior recognition) and hardware authentication (using smart cards or USB sticks).

Endpoint Security/Antivirus

Some phishing attacks are used as a means of infecting an organization with malware, such as ransomware or an infostealer. The attacker simply sends the malware as an attachment and tries to manipulate their victim into downloading it. Implementing strong endpoint security or antivirus software can help mitigate the impact of a successful phishing attack by preventing the spread of malware across your organization, even if a user clicks on a malicious attachment.

Web Security

Phishing attacks are usually delivered via email, but there are millions of phishing webpages online that trick users into thinking that they’re entering their credentials or payment information into a legitimate website, when really the information they enter is being harvested by a cybercriminal.

A strong web security solution can help prevent your users from entering their details into phishing pages. There are several tools that can be used to achieve this.

  • DNS filters do this by blocking phishing domains
  • URL filters block individual phishing pages that are being hosted on non-malicious domains
  • Remote browser isolation solutions can prevent users from inputting data into suspicious or malicious pages by restricting them to “view only” access

Strong Password Practices

Enforcing strong password practices won’t necessarily prevent phishing attacks, because phishing involves the threat actor stealing a password directly from your users, rather than cracking it using brute force. However, it can help minimize the damage that an attacker is able to do if they do gain access to a user’s account.

We recommend that you ensure that passwords are regularly updated across your organization, either through the use of password policy enforcement software or a business password manager. This means that, even if a password is compromised, the attacker will only be able to use it for a limited amount of time.

Caitlin Jones

Deputy Head Of Content

Caitlin Jones is Deputy Head of Content at Expert Insights. Caitlin is an experienced writer and journalist, with years of experience producing award-winning technical training materials and journalistic content. Caitlin holds a First Class BA in English Literature and German, and provides our content team with strategic editorial guidance as well as carrying out detailed research to create articles that are accurate, engaging and relevant. Caitlin co-hosts the Expert Insights Podcast, where she interviews world-leading B2B tech experts.

Craig MacAlpine

CEO and Founder

Craig MacAlpine is CEO and founder of Expert Insights. Before founding Expert Insights in August 2018, Craig spent 10 years as CEO of EPA cloud, an email security provider acquired by Ziff Davis, formerly J2Global (NASDAQ: ZD) in 2013, which has now been rebranded as VIPRE Email Security. Craig has extensive experience in the email security industry, with 20+ years of experience helping organizations to stay secure with innovative information security and cyber security solutions.

FAQs

What is the most effective solution to the phishing attacks?

  • Conduct security awareness training. ...
  • Use strong passwords & enable two-factor authentication. ...
  • Don't ignore update messages. ...
  • Exercise caution when opening emails or clicking on links. ...
  • Don't give your information to an unsecured site. ...
  • Don't be tempted by those pop-ups. ...
  • Rotate passwords regularly. ...
  • Implement anti-phishing tools.

What is the greatest defense against phishing?

Discover the top 11 best phishing protection solutions to secure your organization's inboxes. Explore features such as reporting, automated analysis and awareness training.
  • Abnormal Security.
  • Material Security.
  • Agari.
  • Avanan.
  • Barracuda Sentinel.
  • Microsoft Defender for Office 365.
  • Mimecast.
  • Proofpoint Essentials.

What is the trend in phishing in 2024?

Phishing Was Involved in 71% of Cyber Threats

Researchers anticipate that business email compromise attacks will increase in 2024. This is in part due to the use of generative AI technologies that: Help phishers create more realistic emails.

Is there a way to block phishing emails?

How to prevent phishing attacks
  1. Evaluate emails for suspicious elements. ...
  2. Do not share personal information. ...
  3. Block spam. ...
  4. Use email security protocols. ...
  5. Run a browser isolation service. ...
  6. Filter harmful traffic with a secure web gateway. ...
  7. Verify the message with the sender.

What is the single most important aspect of most successful phishing attacks?

A phishing attack is a type of cyber attack that uses social engineering tactics to steal sensitive information from victims. Most successful attacks trick users into opening malicious links or files by appearing to come from a reputable source.

Which brand is most frequently used in phishing attacks?

Microsoft remains the primary target for cybercriminals, accounting for an alarming 38% of all brand phishing attempts in Q1 2024. Google advances to second place, representing 11% of brand phishing attacks.

Which of the following is the best defense against successful phishing attacks?

The best defense is awareness and knowing what to look for. Here are some ways to recognize a phishing email: Urgent call to action or threats - Be suspicious of emails and Teams messages that claim you must click, call, or open an attachment immediately.

Which is the most important layer of defence against phishing attacks?

Filter or block incoming phishing emails

Emails should be filtered/blocked for spam, phishing and malware before they reach your users. Ideally this should be done on the server, but it can also be done on devices (i.e. in the mail client).

What is the most common phishing attempt?

Deceptive phishing is the most common type of phishing scam. In this ploy, fraudsters impersonate a legitimate company or recognized sender to steal people's personal data or login credentials. Those emails use threats and a sense of urgency to scare users into doing what the attackers want.

Will phishing ever go away?

Phishing may never go out of season, but with the right approach you can minimize the risk that your organization will ever get hooked.

Is phishing getting worse?

The Better Business Bureau reports that phishing scams, to steal your personal info, are worse than ever in 2024.

Is it better to block spam emails or just delete them?

While filtering addresses some spam emails, you should outright block spam email addresses that are persistent, dangerous, or fake. And remember to report any internet scams you come across, such as Apple ID phishing scams and other threats.

Can I just delete a phishing email?

Mark as spam

But if you find a spam email in your regular inbox, don't delete the message — mark it as spam. Marking a suspicious email as spam will send it to the spam folder. Moving forward, if you receive any more emails from this address, the spam filter will know not to let it into your inbox.

How can phishing attacks be prevented?

Email Filters: Anti-phishing software blocks suspicious emails from reaching users, filtering out messages with misleading links or deceptive requests. Link Analysis: These systems prevent users from engaging with harmful links contained within emails, reducing the risk of successful attacks.

Which of the following security measures is most effective against phishing attacks?

The most effective security measure against phishing attacks appears to be User training. This is because phishing attacks often involve deceptive practices and manipulation of the user.

What makes phishing effective?

The problem isn't the lack of software designed to detect, prevent, and protect – it's that human response is a required part of every phishing attack that users seem to be happy to oblige.


Author: Trent Wehner
