In phishing attacks used to obtain login credentials, Malicious actors pose as trustworthy sources
(e.g., colleagues, acquaintances, or organizations) to lure victims into providing their login
credentials. Malicious actors can use the compromised credentials (e.g., usernames and passwords)
to gain access to enterprise networks or protected resources, such as email accounts.

Tier3 advises that small- and medium-sized organizations with limited resources in Pakistan should prioritize the following best practices to safeguard their network resources from prevalent phishing threats:

• User Phishing Awareness Training: Implement a standardized anti-phishing training program and make it mandatory for employees to undergo an annual review of phishing training materials. Furthermore, conclude the program with a training assessment to confirm that employees have retained the information presented in the training program. Small businesses are encouraged to introduce commercial phishing awareness training programs for their employees. Moreover, Tier3 offers free anti-phishing training resources for small businesses through their Small Business Cybersecurity initiative.
  
• Identify Network Phishing Vulnerabilities: We encourage business organizations to take part in Tier3’s Phishing Vulnerability Scanning assessment service.
  
• Enable Multi-Factor Authentication (MFA): Activating robust MFA is the most effective method for small businesses to shield their internet-facing business accounts from threats related to phishing. For more insights into why MFA is vital for small businesses, learn about the MFA hierarchy. This helps users identify the most secure form of MFA, allowing them to select the most suitable MFA method based on their operational requirements.

Additionally, Tier3 recommends that SMBs in Pakistan to implement the following technical solutions to prevent compromises related to phishing:

• Enforce strong password policies for user authentication. These policies should adhere to password strength requirements, including minimum character length, the use of numbers, special characters, and case sensitivity, while prohibiting users from reusing previous passwords.
  
• Deploy DNS filtering or firewall deny lists to block access to known malicious websites.
  
• Utilize anti-virus solutions to mitigate malware and prevent the execution of malware if users open a malicious hyperlink or attachment from an email.
  
• Implement file restriction policies that restrict the downloading and execution of malicious, high-risk file extensions (e.g., .exe or .scr) that are unnecessary for daily business operations, particularly on standard business accounts.
  
• Ensure that software applications are configured to update automatically, ensuring that network software is always up-to-date and safeguarded against exploitation by malicious actors through vulnerabilities.
  
• Enforce safe web browsing policies to restrict employees to accessing only necessary websites for daily business operations. These policies also prevent users from visiting malicious websites, which often contain malware capable of harvesting user credentials or deploying additional malware to compromise organizational systems.
  
• Deploy a secure virtual private network (VPN) with MFA enabled.
  
• Refer to the Tier3 Cybersecurity Planning Guide, which includes information on how small businesses can enhance their overall cybersecurity posture.
  
• Consider transitioning to managed cloud-based email services from reputable third-party vendors. We strongly encourage small businesses with limited resources to explore managed cloud email services provided by trusted third-party vendors.
  
• Migrating from on-premises mail systems to reputable third-party cloud-based email providers benefits customers due to regular system updates and patching. Providers also frequently conduct thorough email traffic monitoring and offer anti-phishing malware services.
  
• For additional information on cloud services, consult the Tier3 Secure Cloud Business Applications Guide. Tailored to business organizations, this guide offers guidance and capabilities applicable to all organizations with cloud-based business application environments.