How to protect your company against phishing and social engineering

Resposta direta

To protect your company against phishing, combine three layers: technical defenses (DMARC at p=reject, phishing-resistant MFA with FIDO2, EDR and browser isolation), a continuous awareness program with controlled simulations, and a response plan for when someone clicks — contain, reset credentials and hunt the intruder. No single layer is enough on its own. Decripte implements all three and contains critical incidents within 1 hour.

Principais conclusões

  • Defense against phishing requires three combined layers — technical, human, and response; email filters stop mass phishing, but not spear phishing and BEC, which are often just text.
  • DMARC should reach p=reject (not stop at p=none) to prevent spoofing of your domain, but it does not cover lookalike domains, which require separate monitoring.
  • Phishing-resistant MFA (FIDO2/WebAuthn) is the gold standard per NIST and CISA because it binds the credential to the real domain; SMS and TOTP MFA can be bypassed by AiTM attacks — and weak recovery flows must be closed too.
  • BEC is the fraud with the greatest financial impact (roughly USD 2.8 billion in 2024 per the FBI IC3) and is defended with process: second-channel verification for every financial request.
  • Effective awareness programs are continuous and measure the report rate, not just the click rate; simulations in Brazil require a legal basis under the LGPD and must not punish individuals.
  • Generative AI has eliminated the classic signs of phishing (writing errors) and enabled voice and video deepfakes; the defense has shifted from the form of the message to the verification process.
  • When someone clicks, speed is everything: revoke active sessions, reset credentials, and hunt for hidden forwarding; Decripte contains critical incidents within 1 hour.

What phishing is and its variants (spear phishing, BEC, vishing, smishing, quishing)

Phishing is a social engineering attack in which the criminal impersonates a trusted person or brand to trick the victim into handing over credentials, approving a payment, installing malware, or authorizing access. The attack exploits human trust and haste, not a software flaw. That is why it crosses firewalls, antivirus, and VPNs without triggering an alarm: technically, the email or message is legitimate — it is the person who is manipulated.

Generic phishing casts the same bait at thousands of targets. Targeted variants are more dangerous because they are personalized. Spear phishing aims at a specific individual with real context (the boss's name, an ongoing project, a genuine supplier), gathered from LinkedIn, breaches, and social media. BEC (Business Email Compromise) is the fraud with the greatest financial impact: the attacker impersonates an executive, supplier, or lawyer and instructs the finance team to make a transfer or change the bank details on an invoice. According to the FBI's IC3 2024 report, BEC caused roughly USD 2.8 billion in losses across 21,442 complaints in the US alone — the second-largest financial loss among all cybercrimes.

Variants outside email are growing because corporate filters still focus on the inbox. Vishing is voice phishing (a call pretending to be the bank, IT support, or HR). Smishing uses SMS and messaging apps such as WhatsApp. Quishing delivers the malicious URL inside a QR code — in a PDF, email, or poster — to evade scanners that only read links in text; the victim points their personal phone, outside the company's monitored perimeter. Recognizing these variants by name is the first step to training people to be suspicious on the right channel.

Why humans are the vector and why email filters are not enough

Email filters (secure gateways, antispam, sandbox) block most mass phishing, but they fail against the attacks that truly cause harm. Spear phishing and BEC carry neither malware nor obvious links — often they are just text: 'Can you push this payment through today?'. There is no attachment to detonate in a sandbox and no known signature to match. The content is indistinguishable from a legitimate message, so the filter delivers it and the decision falls on the person.

The attacker also has time on their side. Newly registered domains, compromised email accounts of real suppliers (from which the email passes SPF and DKIM because it comes from the genuine server), and ephemeral infrastructure on legitimate services like netlify.app, vercel.app, or Google Forms sidestep reputation and blocklists. When social engineering happens by phone, SMS, or QR code, the email filter is simply not in the attack's path.

The operational conclusion is that filters are necessary but insufficient: they reduce the volume, not the risk. Real protection requires assuming that some malicious messages will get through and building defense in depth — authentication that resists password theft, people trained to be suspicious and stop, and a plan to contain when, inevitably, someone clicks. Treating the user as 'the weak link' is a mistake: they are the last line of defense, and the job of security is to equip them, not blame them.

Technical defenses: DMARC, phishing-resistant MFA, EDR and isolation

The first technical layer is authenticating email from your own domain to prevent others from impersonating it. Configure SPF (lists the servers authorized to send), DKIM (cryptographically signs messages), and DMARC (defines the policy when SPF/DKIM fail). DMARC should progress in a monitored way: start at p=none, collecting reports for a few weeks, advance to p=quarantine, and finish at p=reject, which actively rejects emails that spoof your domain. Stopping at p=none is the most common mistake — in that mode DMARC only observes, it does not protect. Important: DMARC defends against exact spoofing of your domain, not against lookalike domains, which require separate monitoring.

The second layer is phishing-resistant MFA. MFA via SMS or app code (TOTP) can be intercepted by reverse-proxy kits (AiTM, adversary-in-the-middle) that capture the code and the session cookie in real time. The structural defense is FIDO2/WebAuthn (physical security keys and passkeys): the credential is cryptographically bound to the real domain, so a fake page cannot complete authentication — there is no code to steal. NIST SP 800-63B and CISA classify FIDO2/WebAuthn and PKI as the gold standard of MFA. Watch for a detail that undoes everything: if the account recovery flow still accepts SMS or password reset, the attacker simply attacks the weak path — close the fallbacks too.

The third layer protects the endpoint and the browser. EDR (Endpoint Detection and Response) detects and responds to malicious behavior on the machine should a payload actually execute. A sandbox detonates suspicious attachments and links in an isolated environment before delivery. Remote browser isolation (RBI) renders risky pages in a disposable container, so that typed credentials and malicious code never touch the real device. Add DNS filtering to block known malicious domains. These defenses do not replace training — they buy time and reduce the blast radius when social engineering works.

A continuous awareness program and phishing simulations

Security training is not an annual compliance video — it is a continuous program that changes behavior. The effective model combines short, frequent micro-trainings, communication about real current threats (the invoice scam, fake IT support), and recurring phishing simulations that measure people's actual response, not just their attendance at training. The goal is to build a reflex: faced with a message carrying urgency, authority, or an out-of-pattern request, the person stops, verifies through a second channel, and reports.

Run simulations in a structured and ethical way. Set an objective and a baseline, vary the difficulty (from obvious bait to personalized spear phishing), and segment by area (finance and the executive team are BEC targets and deserve specific scenarios). The metrics that matter are not just the click rate: track the report rate (how many clicked the 'report phishing' button), the time to first report, and repeat offenses by group. A team that reports fast is worth more than one that merely does not click — the report triggers containment. Whoever falls for it receives immediate, contextual training at the moment of the click, when learning is greatest.

Legal and cultural care are part of the program. In Brazil, monitoring and simulating attacks on employees requires a legal basis under the LGPD and transparency: state in the internal policy that simulations are part of the security program, avoid themes that expose sensitive personal data or induce disproportionate stress (fake layoffs, fake bonuses), and never use the results to punish individuals — the simulation measures the system, not people. Gamification and positive recognition of those who report work better than embarrassment. At Decripte, we run awareness programs and phishing simulations calibrated by sector, with reporting metrics and reports for leadership.

Response when someone clicks: contain, reset credentials and hunt

Start from the assumption that someone will click — what separates a scare from a breach is the speed of the response. The minute a click or credential submission is reported, the goal is to cut off the attacker's access before they move laterally or approve a transfer. That is why the report button and a clear incident response channel are as important as any firewall: they turn the victim into a sensor.

Containment follows a practical order. First, invalidate the session and reset the credentials of the affected account — and revoke active session tokens and cookies, because resetting the password does not tear down a session the attacker has already opened via AiTM. Second, force MFA re-enrollment, removing devices or methods the attacker may have registered. Third, isolate the involved endpoint via EDR if malware is suspected. For BEC frauds with a payment already sent, immediately contact the bank and, in the US, the FBI's IC3 channel — the first hours decide the chance of recovering the money.

After containing, hunt. Investigate the scope: which inbox rules the attacker created (hidden forwarding is typical of BEC), which emails they sent in the victim's name, what other systems the credential gave access to, and whether customer data was accessed. Search for the same indicators (domain, IP, sender) across the whole estate to find other victims. Document the timeline, notify in accordance with the LGPD and the ANPD if personal data was exposed, and fold the lessons learned into the awareness program. Decripte operates with a 1-hour containment SLA for critical incidents, precisely because in this type of attack time is the most expensive asset.

AI-assisted phishing: deepfakes and personalization at scale

Generative AI has removed the classic signs we used to train people to recognize. Grammar mistakes, odd formatting, and generic greetings are gone: language models produce flawless emails, in the right tone, in any language, and personalize each message by cross-referencing the victim's public data. Spear phishing, once handcrafted and expensive, is now produced at industrial scale. The rule 'be suspicious of poorly written email' is obsolete — the new rule is to be suspicious of the request and the channel, not the form.

The most dangerous leap is voice and video deepfakes. With a few seconds of public audio, an attacker clones an executive's voice and calls the finance team demanding an urgent transfer; in video calls, real-time deepfakes have already been used to validate payment frauds involving millions. The defense is not technological but procedural: establish out-of-band verification (second channel) and code words for any financial request or change of bank details, so that no transfer depends on recognizing a voice or a face.

The authentication infrastructure itself is under new fire. The PoisonSeed campaign, identified in 2025, abused the passkey QR-code flow to log in a device without a local credential: the attacker displays a legitimate authentication QR on a phishing page and the victim approves it with their phone, completing the attacker's session. This reinforces that phishing resistance depends on the entire chain — including recovery and cross-device — and that training and technology must evolve together against attacks that are also generated and optimized by AI.

Passo a passo

  1. Authenticate your domain: configure SPF, DKIM, and DMARC, progressing from p=none to p=quarantine and up to p=reject in a way monitored by reports.
  2. Deploy phishing-resistant MFA (FIDO2/WebAuthn) on all critical accounts and close the weak recovery flows (SMS, password-only reset).
  3. Harden endpoint and browser: EDR, sandboxing of attachments and links, remote browser isolation for risky sites, and DNS filtering.
  4. Establish out-of-band verification processes — second channel and code words — for every payment request or change of bank details, neutralizing BEC and deepfakes.
  5. Run a continuous awareness program with micro-trainings and phishing simulations segmented by area, measuring the report rate and speed, with a legal basis under the LGPD and without punishing individuals.
  6. Implement the report-phishing button and an incident response plan that, on the first click, revokes sessions, resets credentials, forces MFA re-enrollment, and isolates the endpoint.
  7. Hunt and learn: investigate the scope (hidden forwarding, sent emails, exposed data), search for the same indicators across the whole estate, and feed the lessons back into the awareness program.

Perguntas frequentes

How do I protect my company against phishing?

Protect yourself in three layers. Technical: DMARC at p=reject to prevent spoofing of your domain, phishing-resistant MFA with FIDO2/WebAuthn, EDR on endpoints, and browser isolation. Human: a continuous awareness program with phishing simulations that measure the report rate, not just the click rate. Response: a plan to contain when someone clicks — revoke sessions, reset credentials, and hunt the intruder. No single layer is enough; email filters stop mass phishing, but not spear phishing and BEC.

What is spear phishing?

Spear phishing is a phishing attack targeted at a specific individual or role, personalized with real information about the victim (the boss's name, a current project, a genuine supplier) gathered from LinkedIn, breaches, and social media. Unlike mass phishing, it does not cast the same bait at thousands of people — it is handcrafted and convincing, which makes it much harder for automatic filters to detect. AI tools now make it possible to produce personalized spear phishing at scale, without the writing errors that once gave the scam away.

What is BEC (Business Email Compromise)?

BEC is a fraud in which the attacker impersonates an executive, supplier, or trusted partner to trick the finance team into making an improper transfer or changing the bank details on a payment. It is usually just text, with no malware or links, which makes it invisible to antivirus and sandboxes. It is the fraud with the greatest financial impact: the FBI's IC3 2024 report recorded roughly USD 2.8 billion in losses. The central defense is procedural — second-channel verification for every financial request or change of bank details.

Are phishing simulations worth it?

Yes, when done well. Simulations measure people's actual behavior in the face of bait, build the reflex to be suspicious and report, and reveal which areas need more training. The most important metric is not the click rate, but the report rate and speed — a team that reports fast triggers containment. Run them with LGPD care: state it in the internal policy, avoid themes that induce disproportionate stress, and never use the results to punish individuals. The simulation measures the system, not the people.

What should I do if someone clicked a phishing link?

Act fast, in this order: invalidate the session and revoke active tokens and cookies (resetting the password does not tear down a session already opened by the attacker), reset the credentials, force MFA re-enrollment while removing devices registered by the intruder, and isolate the endpoint via EDR if malware is suspected. Then investigate the scope: hidden forwarding rules, emails sent in the victim's name, other accessible systems, and exposed data. If there was a transfer (BEC), contact the bank immediately. Notify in accordance with the LGPD if personal data was involved.

Does SMS MFA protect against phishing?

Not reliably. MFA via SMS or app code (TOTP) can be intercepted by adversary-in-the-middle (AiTM) reverse-proxy kits, which capture the code and the session cookie in real time, and SMS is still vulnerable to SIM swap. The structural defense is phishing-resistant MFA based on FIDO2/WebAuthn — security keys and passkeys cryptographically bound to the real domain, with no code to steal. NIST and CISA classify FIDO2 as the gold standard. Close SMS account recovery too, or the attacker attacks the weak path.

Want an awareness and phishing-simulation program?

Decripte builds continuous awareness programs and phishing simulations, with metrics and technical defenses (DMARC, MFA FIDO2, EDR).