In a typical phishing attack, a scammer sends a fake email requesting sensitive information or containing a link to a malicious website. They might try to trick the recipient into sending money, steal personal details to sell, or there may be a political or ideological angle to accessing a company’s information.
Phishing emails are becoming more sophisticated and all businesses are likely to receive phishing attempts. There are ways to spot these attacks, and regular security training for employees will help keep them vigilant to potential phishing, but there will be limits to what can be expected.
In this blog, we look at the proactive measures you can take to protect your organisation from phishing, how to handle suspicious emails and the steps to take if you’ve clicked on a malicious link or opened an infected attachment.
1. Consider User Privileges
We recommend always configuring online accounts to reduce the impact of successful attacks when they occur. Giving staff the lowest level of user rights required to perform their jobs means if they succumb to a phishing attack, the potential damage is minimised.
Ensure that staff don’t browse the web or check emails from an account with Administrator privileges. An Administrator is authorised to change security settings, install software and hardware, and access all computer files. So an attacker who gains access to an Administrator account can do far more damage than one who compromises a standard user account.
Set two-factor authentication (2FA) on critical accounts such as email. This means that even if an attacker knows a password, they still won’t be able to access that account.
2. What Makes Your Organisation Vulnerable?
Consider ways that a scammer might target your organisation, and ensure your employees understand the company’s standard practices. Then they’re more likely to pick up on requests that are out of the ordinary. A common trick is sending an invoice for a service that was neither ordered nor used, so that when the attachment is opened, malware is automatically installed on the recipient’s computer without their knowledge.
Think about how you can encourage and support your staff to question suspicious or unusual requests, whoever they appear to be from. Having the confidence to ask if a request is legitimate could prevent an expensive error.
3. Be Aware of Traditional Phishing Methods
Expecting staff to identify every phishing attempt is a near-impossible task. It would also have a negative effect on productivity. However, many phishing emails come with traditionally obvious warning signs:
- Poor spelling, grammar and punctuation, or poor-quality graphics you wouldn’t associate with a reputable organisation.
- Check the sender’s name and email address. Does it look genuine, or is it trying to impersonate someone you know?
- The email does not refer to you by name, but rather as ‘friend’ or ‘colleague’.
- Banks or other official institutions should never ask you for personal information in an email.
- Be wary of requests which create a sense of urgency and include threatening undertones. Emails asking you to act immediately or claiming that accounts will be closed if you don’t take action should be viewed suspiciously.
- Be cautious of scanning QR codes sent by email. This is a common method employed to trick users into visiting malicious websites.
- If the offer sounds too good to be true, it probably is.
4. Use Email Filtering Services and Phishing Training & Awareness
Anti-spam software aims to send phishing emails directly to spam or junk folders. The rules determining this filtering should be refined for your company’s needs. If the rules are too relaxed, suspicious emails will be delivered directly into inboxes and users are left to filter their own messages. It’s entirely possible that a user with a heavy workload might click on a cleverly disguised malicious link or attachment. Conversely, if rules are too strict, genuine emails could easily go astray. In all likelihood, the right balance will be achieved over a period of time.
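To show how the warning signs in section 3 and the filtering balance in section 4 translate into something checkable, here is a small heuristic checker. It is an added example, not code from the original post or from Comprendo: the keyword lists, the quarantine threshold, the sample messages and every domain in them are constructed for illustration, and the tag-stripping and link regexes are deliberately crude.

```python
# Heuristic checker for the phishing warning signs listed above (added example,
# not code from the original post). Keyword lists, threshold and sample
# messages are constructed for illustration, not a production rule set.
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|friend|colleague|user|member|sir/madam)\b", re.I | re.M)
URGENCY = re.compile(r"\b(urgent|immediately|act now|within 24 hours|suspended|will be closed)\b", re.I)
CREDENTIAL_REQUEST = re.compile(
    r"\b(verify|confirm|update|re-?enter)\s+(your\s+)?(password|pin|card|account details|login)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
LINK = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # crude, example only


def _host(url):
    # Hostname of a URL; bare "www.x.example/path" link text is treated as http.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the warning signs found in one raw RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # Sender: a display name that is itself an address at a different domain,
    # e.g. "boss@yourcompany.example" <someone@webmail.example>
    header = msg["From"]
    sender = header.addresses[0] if header is not None and header.addresses else None
    if (sender and "@" in sender.display_name
            and sender.display_name.rsplit("@", 1)[-1].lower() != sender.domain.lower()):
        findings.append("display name impersonates another address")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    links = []
    if body is not None and body.get_content_type() == "text/html":
        links = [(href, re.sub(r"<[^>]+>", "", inner).strip()) for href, inner in LINK.findall(content)]
        text = re.sub(r"<[^>]+>", " ", content)  # crude tag strip for keyword checks
    else:
        text = content
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting")
    if URGENCY.search(str(msg.get("Subject", "")) + "\n" + text):
        findings.append("urgency or threat")
    if CREDENTIAL_REQUEST.search(text):
        findings.append("asks for credentials or personal details")
    for href, visible in links:
        target = _host(href)
        if IPV4.fullmatch(target):
            findings.append("link points at a bare IP address")
        if "." in visible and " " not in visible and _host(visible) != target:
            findings.append("link text does not match destination")
    for part in msg.iter_attachments():  # emailed QR codes usually arrive as an image
        if part.get_content_maintype() == "image" and "qr" in (part.get_filename() or "").lower():
            findings.append("QR code image attached")
    return findings


def classify(raw_message, threshold=2):
    """Filter decision: a lower threshold is stricter and traps more genuine mail."""
    return "quarantine" if len(phishing_indicators(raw_message)) >= threshold else "deliver"


# Constructed sample messages (not real emails; all domains are placeholders).
SAMPLE_PHISH = """From: "accounts@northernbank.example" <alerts@nb-secure-login.example>
To: staff@example.co.uk
Subject: URGENT: your account will be closed
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Please verify your password immediately or your account will be suspended.</p>
<p><a href="http://203.0.113.5/login">https://www.northernbank.example/login</a></p>
</body></html>
"""
SAMPLE_LEGIT = """From: Jane Smith <jane.smith@example.co.uk>
To: staff@example.co.uk
Subject: Minutes from Tuesday

Hi Tom, attached are the minutes from Tuesday's meeting. Shout if I missed anything.
"""


def sample_qr_message():
    """Constructed multipart message carrying a fake image attachment named like a QR code."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <helpdesk@mail-reset.example>"
    m["To"] = "staff@example.co.uk"
    m["Subject"] = "Scan to keep your mailbox"
    m.set_content("Dear Colleague,\nScan the attached QR code to re-enter your password.")
    m.add_attachment(b"\x89PNG not a real image", maintype="image", subtype="png", filename="qr-code.png")
    return m.as_string()
```

Calling `classify(SAMPLE_PHISH)` returns "quarantine" and `classify(SAMPLE_LEGIT)` returns "deliver"; the `threshold` parameter is the knob the paragraph above describes, and moving it to 1 makes the single generic greeting in an otherwise harmless internal memo enough to quarantine it, which is exactly the "too strict" failure mode.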
Security awareness training is also recommended for staff, with a module that simulates email phishing attempts to test their understanding.
5. Make your Organisation Difficult to Target
Scammers use publicly available information about an organisation and its staff to make their phishing content more convincing. This information is often found on your website and social media accounts and is known as an individual’s digital footprint.
It’s important to understand the impact of the information shared on your organisation’s website and social media pages and to review your privacy settings. Plus be aware of what your partners, contractors and suppliers give away about your organisation online.
Already Clicked?
If a member of your team thinks they may have been a victim of phishing, ensure they are encouraged to ask for help. If you suspect a successful phishing attack has taken place, it’s important to scan for malware and change passwords as soon as possible.
Reprimanding staff for being wrong-footed will discourage them from reporting possible attacks in future. If people are in constant fear of making a mistake, they could spend excessive time and energy examining every single email they receive, neither of which are healthy for your business.
If you believe that your organisation has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website.
How We Can Help at Comprendo
If you’re looking for a way to check that all your cyber security bases are covered, then consider becoming Cyber Essentials certified. The Cyber Essentials scheme protects businesses against the most common cyber-attacks and is widely recognised as the baseline level of cyber security for organisations of all sizes.
If you’d like to find out more about becoming Cyber Essentials certified, or if you’d like information on our email filtering services and security training, then we’d be very happy to help.
We offer a free 2-hour Consultation where we can assess your Cyber Security needs and discuss any areas of concern.
Please contact our friendly IT support team:
Tel 0345 527 4394 | Email info@comprendo.co.uk
At Comprendo, we provide customer-focused IT services, solutions and support to businesses throughout North and West Yorkshire, Lancashire and beyond, including Leeds, Bradford, Harrogate, York, Preston and Manchester. Looking to outsource your IT or review your cyber security? We look forward to hearing from you.