Phishing scams are still one of the most serious attacks to companies – and they are on the rise. Austen Clark looks at ways organisations can protect themselves
Often indistinguishable from genuine emails, text messages or phone calls, ‘phishing’ scams not only catch out global tech firms like Google and Facebook; they can wreak havoc in organisations of any size.
They work because almost everyone uses email, and because they exploit weaknesses in human nature – a recipient clicks on a link without much thought to the consequences.
All it takes is one employee to take the bait. In a company with 30 employees, that’s 30 possible attacks.
Phishing gives direct access to the most vulnerable part of any network — the end user — and that’s why cybercriminals love it.
They seek to trick the recipient into believing the message is something they want or need to read, impersonating retailers or paid services so that a request for your bank details in an email seems reasonable.
They may appear convincing, but don’t let the tricksters get you in a tangle – here’s my best advice to avoid being caught up in a phishing scam.
An email lands in your inbox and it looks like a genuine request from HMRC, or your bank, and contains a link or an attachment. It might ask you to update the payment details on your profile or risk your account being suspended.
Never click links or input personal details, particularly debit or credit card information, when prompted to do so by an email, even if you think you know who the sender is.
If in doubt, contact the business cited as the sender through official channels (its website, a published email address or phone number) and seek confirmation that the message is legitimate before you provide any personal or financial details. Don’t simply reply to the email – send a fresh email to an address you already know for the sender and check the validity of the request that way.
Don’t place yourself in a situation where you transfer funds simply because you’ve had an email conversation with someone, if that conversation hasn’t been confirmed outside that line of communication.
Check the email domain of the sender. Often addresses used to send scam emails look dubious, containing numbers or a jumble of letters. Ideally, never click on links in unsolicited emails; instead, hover your mouse over the link to see the plain text URL at the bottom of your browser window.
Genuine communications from established companies, banks or government departments will usually come from a simple address that uses the provider’s domain.
Other giveaway signs are misspellings, poor grammar and poorly presented text in the body of an email, together with few logos or weak branding.
Resist the sense of urgency – scammers try to instil a sense of immediacy to push their victims into making mistakes, with appeals like ‘Act now to prevent your account being closed’ or threats to end an agreement if information is not updated. Take time to check it out before acting.
Never send an email containing sensitive information to anyone, and get into the habit of checking the address of any website you are sent to – a site with an encrypted connection starts with ‘https’.
Does the email lack the personal touch? Being addressed generically as ‘Sir/Madam’, even though the sender should have your name, is a sign that the email is being sent out to a large batch of recipients in the hope of tricking just a few.
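The checks above (sender domain, where a link really goes, plain http versus https, generic greeting) can be applied mechanically before anyone clicks. The script below is an added example, not code from the article or its author: it reads a raw email, extracts the From: domain and every link’s real target alongside its visible text, and prints a warning for each giveaway sign it finds. The two sample messages, the trusted-domain list and the domain names in them are constructed for this example and are placeholders, not real senders.

```python
"""Added example (not from the article): defender-side triage of a raw email
for the giveaway signs discussed above. All domains below are constructed
placeholders, not real organisations."""

import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: lookalike sender with digits, a link whose visible
# text disagrees with its real href, a plain-http target and a generic greeting.
SAMPLE_EMAIL = b"""From: "Example Bank" <alerts@examp1e-bank-secure123.example>
To: finance@victim.example
Subject: Action required: update your payment details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Sir/Madam,</p>
<p>Act now to prevent your account being closed. Please
<a href="http://examp1e-bank-secure123.example/update">https://www.example-bank.example/login</a>
and confirm your card details.</p>
</body></html>
"""

# Constructed legitimate sample: trusted sender, https link to the trusted domain,
# personal greeting. Should produce no warnings.
CLEAN_EMAIL = b"""From: "Example Bank" <alerts@example-bank.example>
To: finance@victim.example
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Ms Smith,</p>
<p>Your statement is at <a href="https://www.example-bank.example/statements">your statements page</a>.</p>
</body></html>
"""

# Assumption for this example: domains the organisation genuinely expects mail from.
TRUSTED_DOMAINS = {"example-bank.example", "hmrc.gov.uk"}

GENERIC_GREETINGS = re.compile(r"dear\s+(sir|madam|customer|user|valued)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] of the <a> being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registered_domain(host):
    """Last two labels of a hostname (www.a.b -> a.b). A real tool would use
    the public suffix list; this is enough for the demonstration."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(msg):
    """Domain part of the From: address, whether or not it carries a display name."""
    addr = str(msg.get("From", ""))
    m = re.search(r"<([^>]+)>", addr)
    addr = m.group(1) if m else addr.strip()
    return addr.rpartition("@")[2].lower()


def triage(raw_bytes):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    warnings = []

    sdom = sender_domain(msg)
    if registered_domain(sdom) not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {sdom!r} is not a trusted domain")
    if re.search(r"\d", sdom):
        warnings.append(f"sender domain {sdom!r} contains digits (lookalike?)")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if GENERIC_GREETINGS.search(text):
        warnings.append("generic greeting instead of your name")

    parser = LinkExtractor()
    parser.feed(text)
    for href, visible in parser.links:
        real = urlparse(href)
        if real.scheme == "http":
            warnings.append(f"link {href!r} uses plain http, not https")
        shown = urlparse(visible.strip())
        if shown.netloc and registered_domain(shown.netloc) != registered_domain(real.netloc):
            warnings.append(f"link text shows {shown.netloc!r} but really goes to {real.netloc!r}")
        elif registered_domain(real.netloc) not in TRUSTED_DOMAINS:
            warnings.append(f"link target {real.netloc!r} is not a trusted domain")
    return warnings


if __name__ == "__main__":
    for w in triage(SAMPLE_EMAIL):
        print("WARNING:", w)
    print("clean message warnings:", triage(CLEAN_EMAIL))
```

The visible-text check is the programmatic form of hovering over a link: the text between the anchor tags is what the reader sees, the href is where the browser actually goes, and a mismatch between the two domains is the single strongest signal in the sample. Run on the constructed phishing message it reports five warnings; on the constructed legitimate message it reports none.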
Keep all systems current with the latest security patches and updates. Security patches are released for popular browsers all the time in response to security loopholes that phishers and other hackers discover and exploit. So don’t ignore messages about updating your browser: as soon as an update is available, download and install it.
Firewalls are like a buffer between you, your computer and outside intruders. A desktop firewall is software running on your own computer; a network firewall is usually a hardware device sitting at the edge of your network. Used together, they reduce the odds of hackers infiltrating your computer or your network.
Be wary of pop-up windows – these may look like a legitimate part of a website but they can sometimes be phishing attempts. Most browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one still pops up, click on the small ‘x’ button in the upper corner of the window to remove it from your screen. Some ‘cancel’ button options lead to phishing sites.
Use antivirus software and keep it up to date. New definitions are added all the time because new scams are being conjured up all the time. Antivirus software scans every file that arrives on your computer from the Internet and helps to prevent damage to your system.
Security awareness training is the number one way to fight back against phishing, because it reduces the human error that phishing depends on.
All it takes is one person to be careless and they could become a victim of an online deception. Always be vigilant – and ensure everyone in your organisation is.
To help ensure employees are on their guard, build awareness-raising exercises into staff training and offer sessions dedicated to internet security.
Seek out Government-endorsed schemes like Cyber Essentials, as gaining accreditation demonstrates to others that your organisation takes cybersecurity seriously.
Phishing is one of the most devious forms of identity theft, so it is important to be aware of that and know how to guard against it.
Be careful about giving out personal information over the Internet. You may be targeted almost anywhere online, so always keep an eye out for anything that appears suspicious – and never feel pressured to give over personal information online.