Phishing attacks are very common, and are getting harder to spot. Scammers create thousands of fake emails at a time, trying to trick people into sharing their bank details or other personal information, sending money, or clicking links to bad websites. By sending out thousands of emails, which is cheap and easy to do, they hope that at least a few people will take the bait and click a link or share their details.
And people actually do. The emails are cunningly crafted to appear genuine and to play on people’s emotions. People who are busy, stressed, anxious, fearful, angry (and so on), may not be in the same well-trained and observant state as someone who has just taken an anti-phishing training course.
Phishing works, which is why it is so common and why it is the biggest cause of security breaches. What’s more, this kind of con doesn’t just happen over email; it can also be a voice call or a text message (SMS).
So, what can you do to help secure your organisation?
- Train your staff to recognise and report phishing attempts, and to report any emails or websites that they think might be suspicious (even if they’ve already clicked or visited). But given the sophistication of the attacks, some are likely to get through no matter how well-trained your staff are, so you’ll need measures that reduce the amount of damage that can be done.
- Configure your staff accounts so that each person can only do what they need to do to perform their job. That way, if they become the victim of a phishing attack, the damage that can be done is limited.
- Similarly, make sure that Administrator accounts are only used to do admin tasks, not to check email or browse the web. Admin accounts can change security settings, install software, and access any file. So, an attacker with access to an admin account could cause a lot of damage.
- Set up two-factor authentication (2FA) on important accounts, so that even if an attacker gets your password, they won’t be able to get in.
- Make sure that staff feel comfortable questioning unusual requests, even if they seem to come from somebody senior or look official. Some phishing emails impersonate senior staff; others pretend to be from customers, suppliers, or banks.
- Consider what information is shared publicly about your organisation and staff online. This information is often used to make phishing emails look more convincing.
- Report suspicious emails to firstname.lastname@example.org. The Suspicious Email Reporting Service (SERS) analyses the emails and takes down malicious sites where it can. It has taken down 119,000 malicious sites as a result of 7.7 million reports so far.
- Finally, if your organisation has been the victim of a scam, report it through the Action Fraud website, run by the UK’s national fraud and cyber-crime reporting centre.
To find out more and hear from our experts, contact Click and Protect here or call 0113 7336250.
Read the previous post in the Foundations series: Backups
Read the next post in the Foundations series: Malware protection