Scammers send fake emails to thousands of people, with links to bad websites or asking for bank details and other sensitive information. Whatever your business, you will receive phishing attacks. This article contains the first steps you need to take to help you identify the most common types.
Configure accounts to reduce the impact of successful attacks
- Configure your staff accounts giving staff the lowest level of user rights required to perform their jobs, so if they are the victim of a phishing attack, the potential damage is reduced.
- Ensure that your staff don’t browse the web or check emails from an account with Administrator privileges.
- Use two factor authentication on your important accounts such as email. This means that even if an attacker knows your passwords, they still won’t be able to access that account.
Think about how you operate
Common tricks include sending an invoice for a service that you haven’t used, so when the attachment is opened, malware is automatically installed (without your knowledge) on your computer. Another is to trick staff into transferring money or information by sending emails that look authentic.
Think about how you can help make these tricks less likely to succeed:
- Do staff know what to do with unusual requests, and where to get help?
- Ask yourself whether someone impersonating an important individual (a customer or manager) via email should be challenged (or have their identity verified another way) before action is taken.
- Do you understand your regular business relationships? Scammers will often send phishing emails from large organisations (such as banks) in the hope that some of the email recipients will have a connection to that company. If you get an email from an organisation you don’t do business with, treat it with suspicion.
- Think about how you can encourage and support your staff to question suspicious or just unusual requests, even if they appear to be from important individuals. Having the confidence to ask ‘is this genuine?’ can be the difference between staying safe, or a costly mishap.
Check for the obvious signs of phishing
Your staff can’t be expected to delete every email, but many fit the mould of a traditional attack:
- Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor. Others will try and create official looking emails by including logos and graphics. Is the design (and quality) what would you’d expect from a large organisation?
- Is it addressed to you by name, or does it refer to ‘valued customer’, or ‘friend’, or ‘colleague’?
- Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like ‘send these details within 24 hours’ or ‘you have been a victim of crime, click here immediately’.
- Look out for emails that appear to come from a high-ranking person within your organisation, requesting a payment is made to a particular bank account. Look at the sender’s name. Does it sound legitimate, or is it trying to mimic someone you know?
- If it sounds too good to be true, it probably is. It’s most unlikely that someone will want to give you money, or give you access to some secret part of the Internet.
It is also important to integrate phishing guidance into your ‘business as usual’, so look to include messages across your company communications. This can include induction/onboarding processes, security news bulletins, communication campaigns, management training courses, prompts/banners on email, and more formal security refresher training. This will help to reinforce a culture of security mindedness.
Report all attacks
Make sure that your staff are encouraged to ask for help if they think that they might have been a victim of phishing, especially if they’ve not raised it before. It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred. Do not punish staff if they get caught out. It discourages people from reporting in future.
If you believe that your organisation has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website. If you are in Scotland contact Scotland Police on 101.
Keep up to date with attackers
Attackers are always trying different methods of attack, even when tools like automatic email protection have prevented previous attempts. Consider signing up for the free Action Fraud Alert service to receive direct, verified, accurate information about scams and fraud in your area.
Cyber Security: Small Business Guide
Advice from NCSC on Backing up your data, protecting your organisation from malware, keeping your smartphones (and tablets) safe, using passwords to protect your data, avoiding phishing attacks.
If you have any questions on how insurance can be used to protect your business in the event of a cyber incident, contact us today.
This information comes from the National Cyber Security Centre – https://www.ncsc.gov.uk/