SpiderBlog

How to protect your business against phishing

Written by Bryan Parsons | Sep 2, 2019 4:26:00 AM

There are plenty of phish in the sea 

With more people than ever sharing their personal details online, anyone can be the victim of phishing. Yes, even you!

Cyber-attacks are always a risk to your business, but how do you prevent this? 

With nearly 1.5 million new phishing sites created each month, you need to find the best ways to protect yourself and your business. 

Here is everything you need to know about phishing and how to protect your business from cyber-attacks. It doesn’t have to be hard, it can be like shooting phish in a barrel (we’re not even sorry).

What is phishing?

Phishing is a cyber attack that disguises itself as something the user would want. 

These messages typically use persuasive language to entice users for free or discounted products. From here, the user may enter in some highly confidential information such as financial details which then becomes visible to the attackers. 

A recent study revealed that insurance organisations were at the highest risk of cyber-attacks, stating:  

New proprietary phishing study of six million users shows insurance organisations and not-for-profits lead all other industries with greater than thirty percent of users falling for baseline phishing tests.

Though attacks have a long history since way back in the 1990s during the boom of the internet, there are new inventive ways in which people are obtaining confidential information. 

One example we've noticed a lot of in the SpiderGroup office is the use of scare tactics to get people to click the links, for example the disabling of their email inbox or an overdue invoice that is waiting for payment.

Between October 2015 and March 2016 there had been an enormous 250% rise in incidents of phishing, and 

There are several variations to be aware of. Here are two examples: 

  • Spear phishing is a term that describes when an attack is targeted to one specific organisation in pursuit of sensitive information. It requires a deeper understanding of a business and can have a higher chance of catching someone off guard. 
  • Whaling is a form of phishing that targets senior executives or management, pretending to be another high authority figure to pertain information. Executives are the most common to be the target for phishing attacks. With high profiles made public, it is far easier for them to find information online.

What are the main causes? 

Phishing attacks are dangerous to the security of your company, as they can be disguised in many forms. For many of your employees, their day may consist of working with emails, and so you may need to look at defending your business from within. 

Human error is often seen as the biggest cause of cyber-attacks, with a likelihood of 30% click rate on phishing emails. Users can be susceptible to unsafe links. 

 

What are the consequences? 

Guess how much the average phishing incident will cost a business.

In April 2019, the BBC reported that more companies have reported cyber attacks than last year, going from 40% to 55%. The cost per minute for cybercrimes in 2018 came to £2.3m - per minute

Think that’s a big price to pay? Well it gets even worse. 

Even once the immediate problem has blown over, there is still a chance that the reputation of the business will not recover. According to the Ponemon Institute, 31% of consumers would discontinue the relationship with an organisation if they had previously had a data breach. This will cause severe long-term damages to a business’ reputation.

Once an attacker has infiltrated your security, it is possible that you may also lose the rights to certain intellectual property rights, and other aspects of your business over time. 

In the Government's 2019 Cyber Security Breaches report, nearly half of UK businesses reported at least one breach or attack every month. They found that 21% of breaches had prevented staff from doing their work, yet only 33% of businesses had a cyber security policy in place.  

Signs of phishing

It might be easy to dismiss phishing as something that can be easily avoided, but it can be extremely realistic and convincing. Looking out for signs such as the tone of voice, spelling, and grammar can help you work out how safe a site can be. 

Whilst some will immediately distrust a professional source if it is littered with mistakes, there are still many people who will fail to notice anything wrong. These people have a higher chance of being scammed, as they are more likely to provide their details. The writers state, "Anybody who doesn't fall off their chair laughing is exactly who they want to talk to." So basically, try not to be that person. 

Attackers can mimic the aesthetic of a site so much that the same phrasing, typefaces, logos, and signatures are used for more of a legitimate appearance. Before you click a link, really look to see whether the site or email is secure before divulging information.

Emails that use terms such as “immediate action” are usually a good sign of a scam. Anything that sounds urgent will likely fall under this bracket, so you need to pay attention to the language used. 

In 2017, Gmail tweeted explaining that there had been emails circulating that could potentially contain malicious hardware. This shows that any business can be the target of a large-scale attack.

And if Google can be targeted for phishing, then anyone can be. 

We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail.

— Gmail (@gmail) May 3, 2017

5 ways to protect you and your business

1. Keep your team educated

One of the best ways to solve this is to educate your employees. Regularly keeping your workers up to date with the recent scams and malware will lessen the chance of an attack. In one study, it was found that when a workplace kept employers aware, the overall susceptibility dropped to as low as 5%.

2. Send a fake phishing email

Test your own employees by phishing them yourselves. SpiderGroup can help you send a fake phishing email to your employees so you can measure how many of your own employees click on the links, open attachments or enter in personal information.

This way, you can identify the departments or individuals that need some more training when it comes to keeping your business secure.

3. Pay attention to URLs

Spend more time checking links. Cybercriminals are known to use URL shortening services such as Bitly to disguise the harmful content as a legitimate link. 

There are several solutions to this. Use a link lengthener such as Long URL so you can fully see where the link is leading you to before clicking on it. Hovering your cursor over any links that you distrust before opening the URL, will show you the destination without clicking.

Be aware that free hosting providers offer subdomain customisation of the free site. This allows attackers to create legitimate-looking URLS, which could fool unsuspecting users.

You can also copy the address and type it into a search engine to gain more information on the company. Perhaps others have had experience with the link which will give you time to assess whether it is a legitimate company. 

Check to see if the URL says HTTPS, which is not to be mistaken with HTTP as the s means that it is a secure website protected by an SSL certificate. However, those pesky phishers are up to their old tricks again. It was discovered that the number of phishing sites using HTTPS rose again in the first quarter of 2018. This shows that malware is ever developing and changing, and so you will need to keep updated with scams. 

4. Stay vigilant with emails 

Let’s think about this. Emails are the most popular way in which companies attempt to steal your information. 74% of targeted attacks are entered as an email attachment or link. 

To avoid entering important information, it’s wise to fully assess the source before emailing any information over email, even for companies that you trust.

Remember the characteristics of businesses and how they usually communicate with their clientele. For example, organisations such as banks don’t ask for confidential information over email. 

5. Install a reliable firewall

A firewall protects your devices against malicious hardware infecting your computer. It is important to keep it maintained and make sure you are keeping to the latest version. 

Unfortunately, this won’t keep your computer fully safe from harm, with many unable to catch every attack that comes your way. In a study conducted by Spiceworks, they found that 80% of businesses still experienced a security incident despite using firewall and preventative measures. 

What should I do if I have been affected? 

Disconnect your internet 

One of the first things you should do is to disconnect your device from the internet. 

This will remove the attacker’s access from your computer, giving you time to assess the scam and think about the details which you provided. 

Change passwords 

The next step is to change passwords for all relevant accounts, particularly anything which concerns online financial services and payment. This will include changing the security questions and password hints. Keylogger hackers, who can track what is typed on your keyboard, are said to steal around 234,000 valid names and passwords every week.

From here you can also check your account to make sure that your account has not experienced any unusual activity. If so, it may be worth contacting your bank or freezing payments, and to get a new card to avoid future issues. 

Scan computer for viruses 

The final immediate step you should take is to perform an in-depth scan on all devices. This will alert you to any files which have become corrupted. 

Be alert to trojan horse viruses which are most commonly a problem with emails. 

Adopt phishing awareness program

A study conducted by Mcafee surveyed over 19,000 respondents to 144 countries, found only 3% of people were able to correctly identify cyber scamming or phishing emails. This suggests that more training and care needs to be available to avoid employees clicking on the links. 

Training can help employees improve their awareness of the signs and language used in cyber-attacks. This is a long-term solution to prevent future problems with spam.

Like shooting phish in a barrel 

SpiderGroup can help protect you from phishing attacks by increasing your internet security. We offer phishing simulations, which we can send to your employees. We can send the results of how many people click the links within the email, which will allow you to assess the risks within your company. 

SpiderGroup offer IT Support in Bristol to help keep your business safe. Get in touch with our experienced team by calling 0117 933 0570 or fill out our contact form and we will get back to you as soon as we can.

 

updated 2nd September 2019