We’ve all gotten those emails before. Congratulations! You’ve won a £100,000 voucher to Argos. Click here in the next three hours to claim your reward! We want to believe them. They just might be real. And that is exactly the mentality cyber criminals are taking advantage of.
These kinds of scam emails are known as phishing attacks- and they are everywhere. According to Verizon’s 2020 Data Breach Investigations Report released this week, they made up nearly a quarter (22%) of all cyber breaches this year.
We’ve seen an even greater rise in these over the past three months as hackers preyed on widespread anxiety by impersonating official sources like the US Center for Disease Control, the World Health Organisation, and various government offices offering ‘updates’ and ‘alerts’ around the virus.
Phishing attacks fall into two broad categories. They are usually trying to persuade you to click on a link which will lead to a spoof site and require you to enter personal data (credit card details, personal or bank information, etc), or to download malware onto your device (either through a link or an attachment).
Many of these phishing emails can be extremely convincing. Even EasyJet fell victim this week. So how can you protect your business, your employees, and ultimately your customers against them?
Training employees how to recognise the warning signs of phishing emails is the best way to prevent these kinds of attacks and might be the best solution for smaller businesses.
While there are a few great pieces anti-phishing software out there that use email filtering to detect and flag suspicious email addresses and malicious links or attachments, the most convincing phishing attacks often slip through the net of even sophisticated software.
Something smells fishy here: spotting the signs of a scam
Copywriters at big companies spend a lot of time on their A few tell-tale signs include:
- Generic greetings – Dear user..
- Urgent deadlines and calls to action – Click now or your home insurance will expire!!
- Grammatical mistakes and spelling errors – Plese download the attached file to keep Your Account open. If it doesn’t seem professional, it probably isn’t.
- News that is too good to be true – We’ve found a cure for the corona virus. Click here to order your safety kit.
Check the email address
Be sure to check the email address as well as the name of the sender. Although phishing scams often use the name of someone you know or a company you work with, the email address won’t match up. If it’s from @gmail.com address, for example, it’s probably not a legitimate organisation.
Question their professionalism
Remember that real brands will never ask you for personal details over email or force you to their website.
Think before you act
Above all, just take a moment to pause before you interact with any email. Before you click or download anything, reflect for a second by asking: do I know this person? Have I actually ever bought anything from this brand? How does the World Health Organisation have my work email address? Why can’t Karen from Accounting spell correctly?
An ounce of prevention is worth a pound of cure
As attacks become more sophisticated, it’s almost inevitable that you or someone you know will fall victim at some point. But following basic cyber hygiene can help reduce the harm of these attacks.
A simple way to mitigate against phishing attacks that steal credentials is to enable two-factor authentication on your accounts right now. Two-factor authentication means that when you log in you need both a password and a second form of confirmation (like a text to your mobile, for example).
Having this extra layer of security means that even with your username and password, the hacker will not be able to access employee accounts.
If an employee or business realises they have been breached, they should immediately take action by changing their personal password or disconnecting their device from the network and alerting employees in the rest of the company.
People can help prevent the spread of these large-scale attacks by immediately reporting suspicious messages to Suspicious Email Reporting Service (SERS): firstname.lastname@example.org which support’s the government’s Active Cyber Defence programme.
Consider getting certified under the UK government’s Cyber Essentials scheme to ensure that you have all the standards in place to both protect against attack and reduce their impact on your business and your customers.