Don’t Let your Business Information End up in a Phishing Net

 

Phishing attacks continue to make headlines, with as many as 3 billion phishing emails being sent every day, according to experts. As companies and governments try hard to clamp down on ransomware, speculation is that criminals have turned back to phishing to try to defraud Internet users. The result is that the number of phishing scams soared in 2018 and has shown no signs of slowing down in 2019.

With that many attacks flying around, the precise details vary almost infinitely, but the basic story is always the same: Users are tricked into revealing sensitive information, opening harmful attachments or clicking damaging links by emails disguised as trusted companies or contacts. In just the last few weeks we’ve seen a range of attacks making headlines:

  • Academies and other educational institutions losing money to scammers after being tricked into handing over bank account details
  • A prolific spam campaign aimed at businesses that tries to spread Trojan malware through a fake invoice attachment
  • A scam targeting Netflix users, attempting to get them to reveal account information.

From hospitality to house building, no industry is safe. Worse still, it may not be your business that’s the target. Criminals could be using your name to try to defraud your customers.

Taking protection


For those looking to secure their business against phishing, the guidance put out by the government’s National Cyber Security Centre last year remains an excellent place to start.

As this says, one of the reasons why phishing is so successful is that it’s not always easy to detect. Even general attacks are often carefully crafted to appeal, engage and win over sceptical recipients. Targeted campaigns, with attackers mining online information on employees or companies to tailor their emails to recipients – so called “spear phishing” – can be even harder to spot.

The NCSC recognises this and does a good job of explaining why it can’t just be up to your staff to detect and stop these attacks. It’s all very well asking people to be attentive to an email’s source and cautious about opening attachments or links, but employees have jobs to do. They cannot put every email under the microscope without massively undermining their productivity.

Education and user awareness are important, then, but no panacea – any more than hardware or software solutions, such as IP filters that attempt to detect and block suspicious emails.

Defence in depth


Instead, the NCSC suggests a multi-layered approach, and it’s one that we at Intersys encourage both internally and with our clients.

  • Make it difficult for attackers to reach your users; use filtering software to weed out phishing emails, protect your domain from being spoofed, and limit the information you make publicly available.
  • Help users identify and report suspected phishing emails – train them to spot scams and educate them about the consequences attacks can have. There should be a focus on providing a supportive environment where employees are given the confidence to spot scams and ask for guidance instead of facing pressure to identify new threats every single time. Also make processes resistant to phishing, ensuring important email requests are verified by phone, post or in person.
  • Protect your organisation from the effects of undetected phishing emails, using technological solutions to protect devices against malware and users from malicious websites.
  • Respond quickly to incidents, with a clear and effective process for reporting incidents and an incident response plan ready.
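The first layer above includes protecting your domain from being spoofed, which in practice means publishing SPF and DMARC records in DNS and getting their policies right. The following checker is an added example, not code from the original post, from Intersys or from the NCSC: it parses an SPF record and a DMARC record and reports the weaknesses a defender would want to fix (a permissive `+all`, a monitor-only `p=none`, a partial `pct`, too many DNS lookups). The record strings are constructed samples using reserved names, so the script makes no DNS queries and runs offline.

```python
import re

# Added example, not from the original post, Intersys or the NCSC: a checker for
# the two DNS TXT records that make a domain harder to spoof (SPF and DMARC).
# The records below are constructed strings, so nothing here does a DNS lookup.

# SPF terms that each cost a DNS query; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SEVERITY_ORDER = ("ok", "low", "medium", "high", "critical")


def parse_spf(record):
    """Return (qualifier of 'all', DNS lookup count, [(qualifier, term), ...])."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    all_qualifier, lookups, parsed = None, 0, []
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        parsed.append((qualifier, term))
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return all_qualifier, lookups, parsed


def check_spf(record):
    """List (severity, message) findings for an SPF record; empty means no concerns."""
    try:
        all_q, lookups, parsed = parse_spf(record)
    except ValueError as err:
        return [("critical", str(err))]
    findings = []
    if all_q is None:
        findings.append(("high", "no 'all' term: unlisted senders get a neutral result"))
    elif all_q == "+":
        findings.append(("critical", "'+all' authorises every host on the Internet to send as this domain"))
    elif all_q == "?":
        findings.append(("high", "'?all' is neutral, so unlisted senders are not marked as failing"))
    elif all_q == "~":
        findings.append(("medium", "'~all' is softfail; a DMARC reject policy is needed to block spoofed mail"))
    if lookups > 10:
        findings.append(("high", "%d DNS-querying terms exceed the limit of 10 (permerror, SPF ignored)" % lookups))
    if any(term.lower().startswith("ptr") for _, term in parsed):
        findings.append(("low", "'ptr' is deprecated and slow to evaluate"))
    return findings


def parse_dmarc(record):
    """Return the tag=value pairs of a 'v=DMARC1' TXT record as a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def check_dmarc(record):
    """List (severity, message) findings for a DMARC record; empty means no concerns."""
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return [("critical", str(err))]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("medium", "p=quarantine sends spoofed mail to spam instead of rejecting it"))
    elif policy != "reject":
        findings.append(("critical", "missing or invalid 'p' tag makes the record unusable"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(("medium", "pct=%d: the policy applies to only %d%% of failing mail" % (pct, pct)))
    if "rua" not in tags:
        findings.append(("low", "no rua= address, so you receive no aggregate reports about who is spoofing you"))
    if policy == "reject" and tags.get("sp", "").lower() == "none":
        findings.append(("medium", "sp=none leaves subdomains spoofable while the apex domain is protected"))
    return findings


def worst_severity(spf_record, dmarc_record):
    """Most severe finding across both records, or 'ok' when there are none."""
    findings = check_spf(spf_record) + check_dmarc(dmarc_record)
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="ok")


# Constructed sample records (example.com and .invalid are reserved names, not real senders).
WEAK_SPF = "v=spf1 include:_spf.mailer.invalid ptr +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "->", worst_severity(spf, dmarc))
        for sev, msg in check_spf(spf) + check_dmarc(dmarc):
            print("  [%s] %s" % (sev, msg))
```

To use it against your own domain, fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` with your usual DNS tooling and pass the strings to `check_spf` and `check_dmarc`. The severity levels are this example's own choice; the point they encode is that SPF alone only describes who may send, and it is the DMARC `p=reject` policy that tells receivers to refuse mail that fails that check.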

It’s the latter two steps that make perhaps the most important point: The scale of the problem and ubiquity of phishing scams means that no organisation can really hope to entirely eliminate the risk. Sooner or later, something will slip through – an employee will click on the link, open that attachment or hand over sensitive information. Total security is, as always, illusory.

Our approach to phishing awareness

At Intersys our approach to phishing training is very much focussed on creating a positive and supportive training environment, and it’s something we encourage our clients to propagate as well. Using tools such as KnowBe4, we continue to offer rewards to employees when they spot ‘real’ phishing emails. This approach is in line with NCSC guidance, which acknowledges that a blame culture (still rife within many organisations), in which employees are wrongly penalised for not spotting every single phishing attempt, provides little value and can instead lead to a host of other problems.

With phishing, you can’t always prevent people getting hooked. With the right defences, though, you can prevent attackers reeling in a big catch.

If you think you may need some additional help protecting your organisation from phishing, take a look at our comprehensive IT and Cyber Security Support Services.