Phishing Remediation

A January 2013 SANS whitepaper titled “Phishing Defenses for Webmail Providers“, by Rich Graves, discusses how security professionals can remediate the growing problem of phishing.

1. Spam Filter

Using and configuring spam filters can be the first layer of defense to prevent inbound phishing emails.

2.  Security Awareness Training

In phishing exercises, the targets are people. People need to be effectively trained to identify phishing emails, and to stop and think before clicking on links, opening attachments, or replying to emails.

3. Phishing the users

While this may seem extreme, security personnel, on management approval, can set up simulated phishing campaigns to tests the users and provide targetted feedback and training to help them identify phishing emails (both real and fake) and not fall victim.

4. Blocking access to certain domains and web forms

Security personnel can block outbound traffic to well-known phishing domains and web collection forms and prevent the users click from translating to the loading of a malicious web page.

5. Identify and contain compromised account

If, however, a user does end up compromising his system or credentials by following a phishing link, his account should be disabled, and a password change must be forced. Further his devices need to be cleansed with an anti-virus or anti-malware, before being allowed back on the network.

6. Log monitoring

Network logs and access logs should be monitored to detect traffic to malicious sites or unusual activity.


Graves, R. (2013). Phishing Defenses for Webmail Providers. Retrieved from