The term phishing is something we've all heard countless times. With phishing now at an all-time high, if you haven't taken it seriously before, now is definitely the time to be vigilant. It's a common misconception that phishing arrives as an obviously misspelled email that is easy to spot. In recent years, cyber criminals have upped their game massively: you don't have to be a fool to get phished. Whatever your sector, and however big or small your business, you will get phishing emails at some point. The question is, do you know how to spot them?
#1: Start With Understanding Your Data And How You Use It
In order to protect your business and its data, you must first understand what data you hold and how you use it. With this knowledge, you can then consider how a hacker would attempt to access it. This understanding within your organisation means that you and your staff can then be aware of any unusual activity.
Something that may seem insignificant, such as your staff knowing which suppliers you have regular contact with, could make a difference. If you do get an email from a business you don't currently have a relationship with, staff should then know to be cautious.
You can then think about what barriers you have in place to stop a scam from succeeding, such as whether emails from senior individuals (especially those mentioning money or invoices) are challenged and confirmed as legitimate before anyone acts on them. Another thing to consider is the process you follow for transferring money within your business and to any suppliers or contractors. Something as simple as avoiding discussing fund transfers over email where possible, and phoning the requester on a number you already hold to confirm any transfer request or change of bank details, can prevent a disaster.
#2: Configure Your Accounts To Reduce Potential Damage
To keep the potential impact of a cyber-attack to a minimum, configure staff accounts so that they have only the access needed to do their jobs. This limits the damage an attacker can do if a user does fall victim to a phishing attack, because the stolen credentials only unlock what that user could reach.
Another key measure is to make sure users don't browse the web or check email using an account with Administrator rights. Administrator accounts can change security settings, install software, and access every file on the devices they control. If an attacker phishes an Administrator account, or gets malware to run under one, the result is far more damaging than the same attack against a standard user account. Give administrators a separate, standard account for everyday work and reserve the privileged account for tasks that actually need it.
#3: Identifying Phishing Emails
Phishing attacks are constantly changing and improving, and are often in line with current situations, such as the present COVID-19 pandemic. Although phishing emails can come in any form, there are some general tell-tale signs to keep an eye out for.
- Although spelling mistakes should be a giveaway, keep an eye out for less obvious signs such as grammar mistakes. A phishing email may have been written overseas: spelling is easy to run through a checker, but unnatural grammar is harder to hide and takes more attention to detail to spot.
- Always check the sender's actual email address, not just the display name, if you are hearing from someone unexpectedly for the first time. The display name can say anything; what matters is the domain after the @ sign. Compare it with the exact domain the organisation uses, which you can confirm from the contact page of their own website. Watch for lookalike domains (an extra word, a swapped letter, or the real domain used as a subdomain of a different one), and bear in mind that even a correct-looking address can be forged, so a matching domain is reassuring but not proof.
- Be careful when clicking links or opening attachments from any contact, especially if you aren't expecting anything. Although you may know and trust the sender, their email account could have been compromised. Hover over a link to see where it really goes before clicking it.
- If an email addresses you with a generic term such as "colleague" or "valued customer", the chances are it's because the sender doesn't know you. This should also raise suspicion.
- If you're receiving an email from a large organisation or institution such as a local council, check any logos included in the email. If the image quality looks poor, this is a sign that something is not quite right. Most large organisations also use email signatures, so if the email claims to be from Microsoft, for example, but contains only plain text, flag it.
- If an email from an unknown sender creates a sense of urgency, be very sceptical. This is another very common tactic used to scare users into following instructions without much thought. Pressure to act fast is designed to stop you pausing to question whether the email is legitimate.
The general rule you should follow is if something seems off about an email, trust your instinct and consult your IT provider.
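The checks above can be turned into a simple triage script. The following is an added example, not code from the original post or from any product: it parses a message with Python's standard `email` library and reports the tell-tale signs listed here (sender domain versus display name, lookalike or subdomain tricks, Reply-To mismatch, generic greeting, urgency wording). The `KNOWN_DOMAINS` list, the two-label suffix list and all three sample messages are constructed for the example; a real deployment would load the organisation's actual supplier domains and use the full Public Suffix List.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: domains of organisations this business actually deals with (constructed list)
KNOWN_DOMAINS = {"acme-supplies.co.uk", "microsoft.com"}

# Public suffixes that take two labels; a real deployment would use the Public Suffix List
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}

GENERIC_GREETINGS = ("dear colleague", "dear valued customer", "dear customer", "dear user")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "account will be suspended", "act now")


def registered_domain(host):
    """Reduce a mail host to its registrable domain, e.g. mail.acme-supplies.co.uk -> acme-supplies.co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fold_lookalikes(domain):
    """Collapse common character substitutions so rnicrosoft.com or micr0soft.com compare equal to microsoft.com."""
    return domain.lower().replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")


def analyse(raw_message):
    """Return a list of (indicator, detail) pairs for the tell-tale signs described in the post."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2].lower()
    sender_domain = registered_domain(sender_host)

    for known in KNOWN_DOMAINS:
        org = known.split(".")[0]
        # Display name claims a known organisation but the address lives somewhere else
        if org in display.lower() and sender_domain != known:
            findings.append(("display-name", f"'{display}' but address domain is {sender_domain}"))
        if sender_domain == known:
            continue
        # Registered domain that only looks like the known one
        if fold_lookalikes(sender_domain) == fold_lookalikes(known):
            findings.append(("lookalike-domain", f"{sender_domain} resembles {known}"))
        # Known domain buried as a subdomain of an unrelated domain
        elif known in sender_host:
            findings.append(("subdomain-trick", f"{known} appears inside {sender_host}"))

    # Replies silently routed to a different domain than the visible sender
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and registered_domain(reply.rpartition("@")[2]) != sender_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply}"))

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    first_line = next((ln.strip().lower() for ln in text.splitlines() if ln.strip()), "")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", first_line))

    haystack = (str(msg.get("Subject", "")) + "\n" + text).lower()
    urgent = [p for p in URGENCY_PHRASES if p in haystack]
    if urgent:
        findings.append(("urgency", ", ".join(urgent)))

    return findings


# Constructed sample messages for the example (not real mail)
PHISHING_SAMPLE = """\
From: "Microsoft Account Team" <security@rnicrosoft.com>
Reply-To: helpdesk@mail-recover.net
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/plain; charset=utf-8

Dear valued customer,

Verify your details immediately or lose access to your mailbox.
"""

SUBDOMAIN_SAMPLE = """\
From: IT Support <admin@microsoft.com.account-check.net>
Subject: Password expiry notice
Content-Type: text/plain; charset=utf-8

Hello,

Your password expires soon, please review the attached policy.
"""

LEGIT_SAMPLE = """\
From: Jane Smith <jane.smith@acme-supplies.co.uk>
Subject: Re: PO 4412 delivery date
Content-Type: text/plain; charset=utf-8

Hi Tom,

The pallets are booked for Thursday as discussed on the phone.
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("subdomain", SUBDOMAIN_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyse(sample) or "no indicators")
```

The script scores indicators rather than deciding for you: a legitimate supplier can write an urgent email, and a skilled attacker can avoid every one of these signs, so treat a hit as a prompt to pick up the phone, not as proof either way.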
#4: Be Wary Of Information That You Disclose Online
Something you need to think about with regard to your cyber security is how much information you, your staff, and any external contractors give away about your business online. As cybercrime becomes more sophisticated, attackers increasingly research you before they strike. Using your digital footprint, they can tailor an attack to the data you hold and use what they learn to make a scam more believable.
As well as being cautious about what goes on your website, remember that social media can also be mined for information and used against you. Something as simple as someone sharing a picture with a supplier's name visible in the background gives an attacker the name of a business they can impersonate in a supply-chain attack.
You can find more information on your digital footprint on the CPNI website here. (https://www.cpni.gov.uk/my-digital-footprint)
Although phishing will be around for as long as businesses continue to use email, there are things your business can do to protect itself. To talk to us about how we can help protect your business, get in touch here.
To help businesses in this difficult time, we have created a COVID-19 resources page where you can find all of our corona-virus themed content in one easy to access page.