How to avoid phishing scams on Facebook Messenger for Business


Almost since its birth, Facebook has been an important tool for small businesses. It’s a low-cost way to sell your services, interact with customers and build a community around your business.

However, wherever small businesses gather in any number, so too do cybercriminals, like predators at a savannah watering hole. Facebook for Business is no different. Over the past few years, the social media app’s messaging service has become a regular launchpad for phishing campaigns. And, unfortunately, the problem is only getting worse, with social media account takeovers increasing by over 1,000% in the past year.

However, this doesn’t mean you need to avoid the app altogether (as we said, it’s a useful tool). With the right knowledge, you can get back to communicating confidently. So, here’s everything you need to know about Facebook Messenger scams – what they look like, the consequences of a breach, and how to combat them.

What does a Facebook Messenger phishing scam look like?

Like most phishing attacks, Facebook Messenger scams typically rely on social engineering. But there are a few different approaches out there.

Complete cyber confidence doesn’t have to break the bank. Download our guide to protecting your business on a budget to find out more.

The classic Facebook scam

First of all, there is what we call the ‘classic’ Facebook Messenger scam. This is a well-worn approach, but don’t let that fool you: well worn doesn’t mean ineffective, even if it lacks sophistication. A surprising number of businesses still get caught out by this tactic.

Scammers will usually pretend to be potential customers or partners and try to trick you into giving them sensitive information. It could be a prospective ‘partner’ who just needs some financial data before they can commit, or it could be a customer who’s seemingly desperate for you to check out their website (don’t click the link!).

The Facebook support team scam

Recently, we’ve seen a far more insidious scam on the platform. Scammers have begun posing as Facebook support or security teams.

This scam typically starts with a message claiming your business page is at risk of being banned or disabled due to violations. The message will seem urgent and official, often using Facebook branding and logos, and will include a link to supposedly “verify your account” or appeal the violations. Unsurprisingly, this link doesn’t unlock your account or clear your business’s name. It usually leads straight to a bogus site built to harvest your Facebook login details or infect your device with malware.

Another avenue for this kind of scam is to claim your business needs to ‘top up’ the funds for any on-site advertising you might be running. Once again, this leads to a spoofed Facebook page where you’ll be asked to enter sensitive financial details. If you’re unfortunate, like us, you might have received a flood of these messages in recent months. They usually look something like this:

[Screenshot: Facebook Messenger scam message of this type]

What are the consequences of a successful scam?

The consequences of falling prey to one of these scams vary, depending on what the cybercriminals managed to persuade the victim to do. However, some of the most common outcomes include:

– Losing control of your business’s social media page to hackers who then use it to post malicious content or launch further scams

– Financial loss, either through the initial scam or a subsequent ransomware attack

– Compromised sensitive personal or proprietary data 

– Reputational damage from all of the above

All in all, being hit with a successful Facebook Messenger scam is something your business desperately needs to avoid. Let’s look at how…

How can you avoid falling victim?

Although the method of attack might be new, Facebook Messenger scams are still a form of phishing. This means that many of the principles that can be used to combat other types of phishing scams can be applied here.

1. Keep Facebook’s policies in mind

Remember how Facebook actually communicates with page owners. It won’t raise account or page issues by opening a Messenger chat with you; genuine notices arrive as notifications inside Facebook or as emails from a facebookmail.com address. Any unexpected chat message warning that your page is about to be banned is very likely a scam.

2. Check the URL

Verify that any link really points at an official facebook.com or facebookmail.com domain. Hover over (or, on mobile, long-press) a link to preview the real URL before clicking, and read the whole hostname: ‘facebook.com.page-appeals.example’ or ‘facebook-security-team.example’ contain the brand name but belong to whoever registered the part at the end. Only facebook.com itself, or a subdomain of it, counts.
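The hover check above, done programmatically. This is an added example, not code from the original article or from Facebook: TRUSTED_DOMAINS holds the two domains the article names, while BRAND_WORDS and the sample links are constructed for the demo. It shows why a naive “does the link contain facebook.com?” test fails, and covers the three tricks that catch people out most often: the brand used as a subdomain of the attacker’s domain, a fake host placed before an ‘@’, and look-alike characters from other scripts.

```python
"""Check where a link really goes before clicking it.

Added example for this article, not code from the original. TRUSTED_DOMAINS
holds the two domains the article names; BRAND_WORDS and the sample links are
assumptions constructed for the demo.
"""
from urllib.parse import urlsplit

# Any subdomain of these is accepted (www.facebook.com, business.facebook.com).
TRUSTED_DOMAINS = ("facebook.com", "facebookmail.com")
# Words a scammer might put into an unrelated domain to look official (assumed).
BRAND_WORDS = ("facebook", "meta")


def normalise(link: str) -> str:
    """Messenger links are often pasted bare, so add a scheme when missing.

    Without one, urlsplit() would treat 'business.facebook.com/x' as a path.
    """
    link = link.strip()
    return link if "://" in link else "https://" + link


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only for a trusted domain itself or a subdomain of it.

    The leading dot matters: a bare endswith('facebook.com') would also accept
    'notfacebook.com', which is somebody else's registration.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(link: str) -> str:
    """Return 'trusted', 'untrusted: <host>', 'suspicious: <reason>' or 'unparseable'."""
    try:
        parts = urlsplit(normalise(link))
    except ValueError:
        return "unparseable"
    host = parts.hostname  # lower-cased, userinfo and port already stripped
    if not host:
        return "unparseable"
    host = host.rstrip(".")

    # 'https://facebook.com@evil.example/': the text before '@' is a username,
    # not the host. hostname already gave us evil.example; flag the trick itself.
    if parts.username is not None:
        return f"suspicious: text before '@' is a username, the real host is {host}"

    # Internationalised hostnames can mix look-alike characters (e.g. Cyrillic 'а'
    # for Latin 'a'). Encoding to punycode exposes them as xn-- labels.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "unparseable"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return f"suspicious: internationalised domain {ascii_host}, check for look-alike characters"

    if is_trusted_host(ascii_host):
        return "trusted"
    if any(word in ascii_host for word in BRAND_WORDS):
        return f"suspicious: {ascii_host} contains the brand name but is not a trusted domain"
    return f"untrusted: {ascii_host}"


# Constructed sample links exercising the common tricks (not real scam URLs).
SAMPLE_LINKS = [
    "https://www.facebook.com/help/",                    # genuine
    "business.facebook.com/settings",                    # genuine, pasted without a scheme
    "https://facebook.com.page-appeals.example/verify",  # brand used as a subdomain
    "https://facebook.com@page-appeals.example/login",   # userinfo trick
    "https://notfacebook.com/",                          # defeats a naive suffix check
    "https://fаcebook.com/",                             # Cyrillic 'а' in place of 'a'
    "https://short.example/7x2",                         # shortener: the host tells you nothing
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:55} -> {classify_link(link)}")
```

A shortened link comes back as merely “untrusted” because the host genuinely says nothing about the destination; treat those as unknown and expand them in a sandbox or not at all. The check is deliberately strict about the registered domain and says nothing about the path, since anyone can put “/facebook/security/” on a site they own.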

3. Look for errors

Watch for poor grammar, spelling errors and other typos. Scammers are rarely gifted writers and you’ll often find telltale slip-ups in their messages. Don’t treat the absence of mistakes as proof of legitimacy, though; a well-written message still needs the other checks on this list.

4. Verify who the sender is

Check out who a potential partner or customer is claiming to be before you engage with them or share any information over Messenger. A quick search of their name on LinkedIn and a check of the company website or its Facebook Business page should be enough to raise any red flags. And, if in doubt, don’t engage. 

5. Use MFA

Turn on multi-factor authentication (MFA) for your Facebook and Facebook Business accounts. This makes it much harder for a cybercriminal to get in even if they do steal your login credentials. Prefer an authenticator app or a security key over SMS codes where you can, and remember that MFA only helps if you never type a code into a page you reached through a Messenger link.

6. Don’t trust unusual requests 

Don’t trust any request for your login credentials, password, or MFA code that comes through Messenger. Facebook will never ask for that information through chat.

7. Prioritise privacy 

Keep your Facebook Business page locked down. Review who has admin access to the Page and remove anyone who no longer needs it, protect the personal accounts that administer it with strong, unique passwords, and turn on login alerts so you hear about sign-ins from unfamiliar devices. A scammer who can’t find a weak admin account has little to work with.

8. Report anything fishy

Finally, report any suspicious activity to Facebook. Any examples you can provide are crucial to improving the platform’s security and rooting out malicious users.

Most Facebook Messenger for Business scams rely on the same social engineering tricks as any other phishing and can be avoided with a little vigilance. Follow the steps laid out above and you’ll be able to do business using Facebook safely and securely.

Want to know more about the threats facing small businesses and how to guard against them? Check out our guide to protecting your business on a budget.


What are the most common types of cybercrime?

It’s easy to feel overwhelmed by the threat of cybercrime. Last year, cybercriminals stole more than £4 billion from businesses in the UK, 63% more than in 2021.

And unfortunately, small and medium-sized businesses are three times more likely to be targeted than larger companies. They’re generally less equipped to deal with attacks and absorb the associated costs, so 60% are forced to close within six months of an attack.

These numbers, the rising cost of living and predictions that the UK economy will shrink make for a perfect storm for businesses. And with an ever-growing threat, there’s an ever-shrinking contingency fund.

But don’t let this get the better of you. It’s important to understand the most common types of cybercrime and take action to mitigate the risk of an attack.

What are the most common types of cybercrime?

1. Hacking

Hackers break into your computers and networks to access data. This unauthorised access might come from guessing or brute-forcing weak passwords, exploiting unpatched software, or planting software like spyware on a device.

Example

T-Mobile suffered an attack which affected 37 million customer accounts. The hacker stole personal data, like names, birth dates and phone numbers, by abusing an application programming interface (API), and the activity went on for more than a month before being detected and stopped.

Confused about Cyber Insurance? Check out our new guide for everything you need to know.

2. Phishing

Phishing is a type of social engineering attack often used to steal data, such as login details or credit card numbers. Criminals ask recipients to share sensitive information via email or by visiting fake websites that look legitimate but aren’t. A recent State of Phishing report revealed that there were 250 million phishing attacks in 2022. Fortunately, there are some simple ways to avoid an attack.

Example

Developers at Dropbox were recently targeted by a phishing campaign that successfully accessed some code stored in GitHub, the third-party hosting service Dropbox uses for source code and version control. The criminal impersonated another platform Dropbox uses (CircleCI) and sent emails encouraging developers to log in so their credentials could be stolen. Most emails were quarantined by Dropbox security systems, but some made it through, and one employee entered their GitHub username and password, followed by a one-time code, into the fake site. The threat actor stole data including API keys and a few thousand names and email addresses of Dropbox employees, customers and leads.

3. Malicious software

Malicious software, or malware, is a type of computer program designed to steal data or damage computers and computer networks. This includes viruses, trojans and worms. Ransomware is also a type of malware, and this kind of attack is on the rise. In 2022, ransomware accounted for 25% of all data breaches. One way attackers can successfully steal data is through unpatched systems with known vulnerabilities.

Example

The Guardian newspaper suffered a ransomware attack in December 2022. It was likely triggered by a phishing email that meant the attacker could access the internal network. Its IT infrastructure was affected but publishing and printing continued with staff being sent to work from home. No customer data was stolen, but the attacker accessed staff data in the incident. 

4. Distributed denial of service (DDoS)

A DDoS attack is designed to stop legitimate users of a website or service from accessing it. The attacker floods the site with more traffic than it can handle, so real visitors can’t get through. The traffic usually comes from a botnet: large numbers of devices, often belonging to innocent users, that have been infected with malware and can be ordered to send requests on command. Hacktivist groups sometimes coordinate volunteers to join in as well.

Example

A Google Cloud Armor customer recently faced the biggest DDoS attack on record. At its height, there were 46 million requests per second and the attack lasted for just over an hour. Fortunately, Google was able to block the attack.

What can you do to protect your business?

Budgets are certainly stretched at the moment, but the last thing you should skimp on is cybersecurity. Fortunately, there are some straightforward and reasonably priced ways to protect your business from the most common threats. For example, achieving Cyber Essentials or Cyber Essentials Plus certification reduces your cyber risk by 98.5%.

The certifications are designed by the UK government and give businesses a standardised level of protection. There are five security controls to help you address cybersecurity effectively. These are:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

Its easy-to-follow steps make it simple to secure your business against the most harmful threats. And it costs a fraction of what it would to deal with an attack. You’ll get a great return on investment (ROI) and peace of mind, so it’s a reliable way to protect your business for the future.


What is smishing?

You’ve probably heard of phishing scams, have a decent handle on what they look like, and know how to avoid them. But just when you thought it was safe to log back onto your devices, there’s a new threat in town. ‘Smishing’.

Silly name aside, smishing is a pretty potent cyber threat and has fooled thousands of victims to date. So, to arm your business against this new breed of scam here’s everything you need to know.

How does Smishing work?

Smishing attacks are a mutation of a classic phishing scam. They typically use SMS (hence the ‘smish’ part of ‘smishing’) to target victims and usually work much the same way as a typical phishing scam. A cybercriminal will impersonate a legitimate company to solicit personal data or financial information.

Like most social engineering attacks, smishing relies on creating a sense of urgency to trick victims into giving away their details before thinking too much about whether the message is legitimate. For example, a textbook smishing message often looks something like this: 

“Hi,

Your Parcel Service package has extra shipping charges of £1.45 that must be paid before we can deliver your parcel.

Please click parcelsevice-17374330.com to pay.”

Notice that this text message doesn’t feel quite right. The language isn’t quite what you’d expect from a professional courier, the link looks dodgy, and there’s lots of slightly shonky bold text everywhere. And on top of this, few couriers or postal services would notify you of extra charges via an SMS.

However, if you’re in a hurry or are expecting a parcel, you might just hit the link without thinking too much about it. And it’s exactly that scenario that the bad guys are counting on.

Want to know more about the threats facing UK businesses? Download our guide.

Why are smishing attacks on the rise? 

First of all, let’s state the slightly obvious: smishing attacks are becoming a big cybersecurity problem. Reports of malicious text messages tripled in just a year, skyrocketing from 107,663 in 2019 to 305,241 in 2020.

What’s more, Ofcom research revealed that 82% of UK adults (or 45m people) received a suspicious text or email during the summer of 2021. It’s got so serious that the UK government was forced to relaunch its Joint Fraud Taskforce in October 2021.

But what’s driving this?

Of course, some of this is down to the pandemic, we saw cyberattacks of all kinds increase dramatically in the wake of COVID-19. However, that’s not the whole story. In smishing, cybercriminals have hit upon a low-effort, high-reward way to target just about anyone who owns a phone. 

It’s substantially easier for cybercriminals to find your phone number than your email address. Even if your number hasn’t been in a data leak, attackers can simply spray messages at blocks of numbers until they hit real ones. After all, UK mobile numbers are 11 digits long and all start with 07, so there are only around a billion possibilities to work through, and a bulk SMS gateway makes that cheap.

On top of this, smishing has become increasingly popular because people are more likely to trust a text message than an email. This is partly an educational issue. By this point, most of us are aware of the threat of email phishing scams (even if we still fall for them). Smishing is a newer phenomenon and, as a result, we tend to be more trusting. 

Are there any famous examples?

There are plenty of examples of famous brands being spoofed for smishing purposes, from banks to parcel services to government departments. But perhaps the most famous UK examples are Royal Mail and HMRC.

The Royal Mail scam looked a lot like our smishing example above. Victims were sent fake messages purporting to be from Royal Mail asking them to pay extra fees for parcels to be released. Once victims had entered their card details to pay these ‘fees’, cybercriminals used this information to drain their bank accounts or go on lavish spending sprees.

Sadly, a staggering number of people were hoodwinked by the scam. According to Wired, 2020 saw a 1,077% increase in incidents related to Royal Mail.

The HMRC scam performed a similar dirty trick. Victims received SMS messages notifying them of a bogus tax rebate. And, after victims submitted their information, you guessed it, money suddenly started disappearing from their bank accounts.

Both scams had devastating effects, particularly at the height of a pandemic with many people on furlough, with victims losing savings or money they needed to pay bills.

What can you do to protect your business? 

Education, education, education 

Smishing attacks rely on human error: the message does nothing until someone taps the link or hands over their details. If your people can recognise the signs of a smishing scam, they won’t take that step. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in smishing attacks such as impersonating a supplier, creating a sense of urgency, or offering bogus services. It can also help give them a good nose for what looks or sounds like a scam, identifying things like strange syntax, simple spelling mistakes and weird URLs or phone numbers.

Create clear cybersecurity policies

If your staff aren’t aware of what safe online behaviour looks like, they’re unlikely to adopt it. So, you need easy-to-follow cybersecurity policies to make it clear what safe and unsafe look like. 

Also, make sure they know where to find them. The most thorough cybersecurity policy in the world is useless if no one reads it. For more on why cybersecurity policies are so important and how CyberSmart can help, read this. 

Create a positive cybersecurity culture

Your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. Anything else risks security mistakes being swept under the rug, only to resurface ten times worse when they’re discovered later on.

So encourage your people to ask questions, report security issues and, most importantly, learn. There was never a truer cliche than ‘your people are your greatest cybersecurity asset’.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.


7 key takeaways from the DCMS Cyber Security Breaches Survey 2022

Each year, the Department for Digital, Culture, Media and Sport (DCMS) releases its Cyber Security Breaches Survey. It’s fast become one of the most influential cybersecurity reports around, driving government policy and the National Cyber Strategy.

The Cyber Security Breaches Survey covers everything from threats to the processes businesses use to protect themselves, and takes in everything from schools to start-ups. However, it’s also a very long report, with lots of tables, graphs and references – not something that’s easily digestible during your lunch hour.

So, to save you the trouble, we’ve pulled together the key takeaways for SMEs.

1. The number of cyberattacks stays stable

It’s no secret that during the first year of the COVID-19 pandemic the number of attacks on UK businesses skyrocketed. DCMS figures from 2020 show that 46% of UK businesses reported a cyberattack, up from 32% the previous year.

However, the number declined in 2021 to 39% and it’s stayed stable at the same figure this year. That might sound like great news, but there are some caveats. First of all, 39% is still too many; that’s more than a third of all UK businesses being attacked in any given year.

On top of this, there’s a chance that the figures, while accurate, don’t tell the whole story. As the report states, the better your cyber defences, the more likely you are to detect and report an attack. This suggests that smaller organisations and those with less sophisticated defences might be underreporting attacks.

2. Phishing remains the most common type of attack 

One of the most important findings of the Cyber Security Breaches Survey is just how common social engineering attacks, particularly phishing scams, have become. Of the organisations that identified an attack in the last 12 months, 83% said phishing was among them. This was followed, some way behind, by impersonation-style social engineering attacks with 67%.

What does this tell us?

Well, it tells us that cybercriminals have hit upon a formula that works for targeting businesses big and small. But that’s not all. It also teaches us that security training for staff has never been more important. With most cybercriminals using some form of social engineering attack, your people need to be able to spot the signs and recognise threats when they see them.

3. Few businesses are taking the supply-chain threat seriously

We’ve covered the risk posed by supply chains at length (if you haven’t already, read this). According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself.

Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult. However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it.

Despite this, only 13% of businesses assessed the risks posed by their immediate suppliers. In fact, few considered cybersecurity an important factor in the procurement process. 

4. Getting hacked costs a lot

This might not come as a surprise, but a successful cyber breach can really hit your business in the pocket. The average cost of a breach across businesses of all sizes is £4,200, with a figure of £3,080 for SMEs. The news is even worse if you’re a medium or large-sized business: the average for firms of this size stands at an eye-watering £19,400.

It’s worth noting that only one in five businesses suffer any negative consequences as a result of a breach. But, with 31% of businesses reporting that they’re attacked at least once a week, the chances of being part of that one in five are high.

5. Most small businesses don’t have a cybersecurity strategy

To be clear, the lack of a formal cybersecurity policy isn’t just a problem for small businesses; just 23% of all businesses have one. Nevertheless, the trend is much more severe among smaller businesses. While 57% of large firms have a formal strategy, just 20% of micro firms and 37% of small firms have one.

And it’s not just an overarching strategy that’s missing. Most businesses don’t have a clear plan in place for what to do if the worst happens. Just 19% of businesses surveyed said they had a formal incident response plan. 

This makes for worrying reading. It suggests that, in those crucial first few minutes and hours after an incident, too many businesses aren’t dealing with the threat in an organised way, handing a huge advantage to the bad guys. 

6. Ransomware confusion reigns

One of the worst questions any business has to answer is what to do in the event of a successful ransomware attack. Do you pay out? Or do you play hardball with the ransomers?

Although it’s a tricky question, it’s crucial to have a policy one way or another. However, one in five businesses (19%) stated they weren’t sure what they would do. On top of this, many small businesses still believe that ransomware isn’t a threat, either because they are ‘too small’ or have ‘nothing of value’ to steal.

7. Cyber Essentials uptake is still low

Unless this is your first CyberSmart blog, you’ll know we talk about Cyber Essentials certification constantly. It’s the single most important thing a small business can do to improve its cybersecurity.

But, unfortunately, the uptake of Cyber Essentials is still very low. Only 6% of businesses have the Cyber Essentials certification and just 1% have Cyber Essentials Plus. Unfortunately, this is likely a problem of awareness. Although every business could benefit from taking the certification, too few are aware of its existence. This needs to change, and fast.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cybersecurity.


How does the internet encourage cybercrime?


There’s no disputing that cybercrime is on the rise. According to data from RiskIQ, $2,900,000 is lost to criminals every minute and top companies pay out an average of $25 every minute due to breaches. So it’s hardly surprising cybercrime is set to cost the world $10.5 trillion annually by 2025.

But what is it about the internet that encourages cybercrime? In the second part of our series on cyberpsychology, we delve into how the internet nurtures cybercrime and why we often fall for scams we wouldn’t in the physical world.

Let’s start with the bad guys.

How does the internet enable cybercriminals? 

We’re not always aware of it, but all of us can be guilty of losing our inhibitions online. The internet can encourage us to be more confident and open. However, it can also have toxic side effects.

Some of us are more likely to be manipulative and deceptive online because we are less concerned about our peers’ judgement. When we interact using technology, communication carries few physical cues. Often we can’t see or hear the person we’re talking to, offering perfect conditions for misleading messages and false identities.


Online interactions can seem less tangible than our offline lives. And, because the online world feels less ‘real’, harmful behaviour can also feel more acceptable. Without the victim’s physical presence, attackers feel distant and detached from their target and are less afraid of being caught. This makes lying and misleading behaviour much easier. Criminals also feel safer due to the anonymity offered by the internet and the lack of regulation of online behaviour.  

Criminology’s routine activity theory holds that crime needs three ingredients: a motivated offender, a suitable target and the absence of a capable guardian. Let’s apply this framework to cyberspace. The motivation for cybercriminals comes from the belief they’re unlikely to be punished. The target can be just about anyone, such is the range of available victims. And the missing guardian is down to the way we conduct ourselves online.

How do cybercriminals use the internet against us?  

There is a wide variety of methods cybercriminals use to ensnare victims. For example, phishing attacks create a sense of urgency and exploit it. It could be a bogus ‘emergency’ in which the cybercriminal poses as a friend in need of help. Or it could be something less altruistic, like the chance to win prizes.

Criminals can also mislead us by presenting themselves as an authority or trustworthy institution, sometimes even using familiar names and logos. This can make us less critical when facing a request and lead us to respond out of habit, familiarity or respect for authority. To give an example, during the COVID-19 pandemic we’ve seen a huge increase in bogus vaccination emails. The threat has become so widespread that the NCSC has launched an awareness campaign, encouraging anyone who’s been targeted to use its scam reporting services.

Online communication can often appear hyperpersonal. And this is especially true if we don’t know the person we’re communicating with. Online interactions can make us idealise the person behind the avatar or email address. Without a physical appearance, body language or other non-verbal cues, we struggle to determine someone’s intentions. The result is we often default to our better nature and develop a sense of having a close relationship very quickly. 

This can lead to us disclosing personal details without actually knowing the person we’re communicating with. Cybercriminals know this and are quick to exploit it. 

The situation is made worse by the ready availability of personal information on the internet. Take social media, for example. Through a person’s profile, you can often see friends or connections lists, recent locations, their interests, and any events they’ve been part of. This information is a great resource for attackers in making communication more targeted and personal. 

What can cyberpsychology do to help us improve our cybersecurity? 

Although it might sound like a slightly dusty academic concept, cyberpsychology has plenty of practical uses. For one, it can help us better understand our vulnerabilities online. And knowing that we’re prone to hyperpersonal communication and letting our guard down is the first step towards correcting that behaviour. 

It also helps us understand the methods cybercriminals use to trick us and the behaviours that make us an easy target. This understanding can make us think more critically the next time we’re faced with a potential scam. What’s more, it gives us the tools to avoid falling for scams in the first place and better strategies for protecting ourselves. After all, to defeat your enemies you must first understand them. 

Knowledge of how and why cybercriminals target us is important. However, knowledge alone isn’t enough to protect your business.  You also need an understanding of the fundamentals of good cybersecurity. Fortunately, this isn’t nearly as difficult as it sounds. A great place to start is by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of good cyber hygiene. It doesn’t require any cyber expertise and can help protect your business against 98.5% of the most common cyber threats.


Don’t take the bait: tips for avoiding a phishing attack


We’ve all gotten those emails before. Congratulations! You’ve won a £100,000 voucher from Argos. Click here in the next three hours to claim your reward!  We want to believe them. They just might be real. And that is exactly the mentality cybercriminals are taking advantage of. 

These kinds of scam emails are known as phishing attacks, and they are everywhere. According to Verizon’s 2020 Data Breach Investigations Report, released this week, phishing featured in nearly a quarter (22%) of the breaches it analysed.

We’ve seen an even greater rise in these over the past three months as hackers preyed on widespread anxiety by impersonating official sources like the US Centers for Disease Control and Prevention, the World Health Organisation and various government offices offering ‘updates’ and ‘alerts’ about the virus.

Phishing attacks fall into two broad categories. The first tries to persuade you to click a link that leads to a spoof site and enter personal data there (credit card details, passwords, bank information and so on). The second tries to get malware onto your device, either through a link or an attachment.

Many of these phishing emails can be extremely convincing. Even EasyJet fell victim this week. So how can you protect your business, your employees, and ultimately your customers against them?

Training employees how to recognise the warning signs of phishing emails is the best way to prevent these kinds of attacks and might be the best solution for smaller businesses.

While there are a few great pieces of anti-phishing software out there that use email filtering to detect and flag suspicious email addresses and malicious links or attachments, the most convincing phishing attacks often slip through the net of even sophisticated software.

Something smells fishy here: spotting the signs of a scam

Read carefully

Copywriters at big companies spend a lot of time crafting emails and there’s often a noticeable lack of quality with phishing scams. A few tell-tale signs include:

  • Generic greetings – Dear user..
  • Urgent deadlines and calls to action – Click now or your home insurance will expire!!
  • Grammatical mistakes and spelling errors – Plese download the attached file to keep Your Account open. If it doesn’t seem professional, it probably isn’t.
  • News that is too good to be true – We’ve found a cure for the coronavirus. Click here to order your safety kit.

Check the email address

Be sure to check the email address as well as the name of the sender. Phishing scams often put the name of someone you know, or a company you work with, in the display name, but the address behind it won’t match up: look past the name to the part after the ‘@’. If it comes from an @gmail.com address, for example, it’s probably not a legitimate organisation. Bear in mind that a matching address isn’t a guarantee on its own, since the From address can be forged when the sending domain doesn’t enforce SPF, DKIM and DMARC; it’s one check among several.

A recent phishing attempt. Note the sender’s email address – @pinkcontract.com
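The mismatch the caption above points out, written as a check you can run over a message’s headers. This is an added example for this article, not code from the original or from any mail product: EXPECTED_DOMAINS, the FREEMAIL list and the sample messages are constructed for the demo, and a real deployment would list the suppliers, brands and colleagues your business actually deals with. It flags the four mismatches that matter most: a brand in the display name but a foreign sending domain, an organisation mailing from free webmail, a display name that is itself an email address (what a phone shows instead of the real one), and a Reply-To that quietly diverts your answer elsewhere.

```python
"""Cross-check who an email claims to be from against where it actually came from.

Added example for this article, not code from the original. EXPECTED_DOMAINS,
FREEMAIL and the sample messages are constructed for the demo.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed mapping: if the display name mentions the key, mail should come from this domain.
EXPECTED_DOMAINS = {
    "hmrc": "gov.uk",
    "argos": "argos.co.uk",
    "accounting": "yourcompany.co.uk",  # hypothetical internal team at your own domain
}
# Free webmail providers: fine for an individual, not for an organisation (assumed list).
FREEMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com", "yahoo.co.uk"}


def domain_matches(domain: str, expected: str) -> bool:
    """True if domain is expected or a subdomain of it (mail.argos.co.uk is fine)."""
    return domain == expected or domain.endswith("." + expected)


def check_sender(raw_message: str) -> List[str]:
    """Return the red flags found in the From/Reply-To headers (empty list = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ["From header has no parseable address"]
    domain = addr.rsplit("@", 1)[1].lower()
    name_lower = name.lower()
    findings = []

    # 1. The display name drops a brand, but the address is not from that brand's domain.
    for brand, expected in EXPECTED_DOMAINS.items():
        if brand in name_lower and not domain_matches(domain, expected):
            findings.append(
                f"display name mentions '{brand}' but address domain is {domain}, expected {expected}"
            )

    # 2. Organisations do not send from free webmail (the article's @gmail.com point).
    if domain in FREEMAIL:
        findings.append(f"sender uses a free webmail domain ({domain})")

    # 3. The display name is itself an email address, and not the real one. On a phone,
    #    '"ceo@yourcompany.co.uk" <ceo.urgent@mail-relay.example>' shows only the first part.
    if "@" in name and name.lower() != addr.lower():
        findings.append(f"display name looks like the address '{name}' but the real address is {addr}")

    # 4. Replies are silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To ({reply_to}) differs from From ({addr})")
    return findings


# Constructed sample headers; every domain ending in .example is fictional.
SAMPLES = {
    "genuine colleague": (
        "From: Karen Smith <karen.smith@yourcompany.co.uk>\n"
        "Subject: Q3 invoices\n\nHi, the Q3 invoices are attached.\n"
    ),
    "brand mismatch": (
        'From: "HMRC Tax Refund" <refunds@hmrc-rebate-claim.example>\n'
        "Subject: You are owed a rebate\n\nClaim now.\n"
    ),
    "freemail brand": (
        'From: "Argos Customer Rewards" <argos.rewards.uk@gmail.com>\n'
        "Subject: You have won a voucher\n\nClaim here.\n"
    ),
    "address in display name": (
        'From: "ceo@yourcompany.co.uk" <ceo.urgent@mail-relay.example>\n'
        "Subject: Urgent payment\n\nPay this supplier today.\n"
    ),
    "reply-to redirect": (
        'From: "Accounting" <invoices@yourcompany.co.uk>\n'
        "Reply-To: pay-now@invoice-desk.example\n"
        "Subject: Overdue invoice\n\nPlease confirm bank details.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}:")
        for flag in check_sender(raw) or ["no red flags"]:
            print(f"  - {flag}")
```

Everything here works on what the sender wrote into the headers, which is exactly what a human sees; it cannot tell you whether a plausible-looking From address was forged. That is the job of SPF, DKIM and DMARC checks on your mail gateway, so run this kind of test alongside them rather than instead of them.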

Question their professionalism

Remember that legitimate brands won’t ask you to send passwords, card numbers or other sensitive details by email, and won’t pressure you into logging in through a link in an unsolicited message. If you need to check your account, go to the site yourself via a bookmark or by typing the address.

Think before you act

Above all, just take a moment to pause before you interact with any email. Before you click or download anything, reflect for a second by asking: do I know this person? Have I actually ever bought anything from this brand? How does the World Health Organisation have my work email address? Why can’t Karen from Accounting spell correctly?

An ounce of prevention is worth a pound of cure

As attacks become more sophisticated, it’s almost inevitable that you or someone you know will fall victim at some point. But following basic cyber hygiene can help reduce the harm of these attacks. 

A simple way to mitigate phishing attacks that steal credentials is to enable two-factor authentication on your accounts right now. Two-factor authentication means that when you log in you need both a password and a second form of confirmation (a code from an authenticator app, a security key or, failing those, a text to your mobile).

Having this extra layer means that a username and password alone won’t get an attacker into an account. Be aware of the limit, though: a spoofed login page can ask for the one-time code as well and relay it straight to the real site, so a code should never be typed into a page reached from an email link. Security keys and other phishing-resistant methods close that gap.

If an employee or business realises they have been caught out, they should act immediately: change the password that was entered (and anywhere else it was reused), disconnect the affected device from the network if malware may have been downloaded, and alert the rest of the company so colleagues can watch for follow-on messages from the compromised account.

People can help prevent the spread of these large-scale attacks by immediately reporting suspicious messages to the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk, which supports the government’s Active Cyber Defence programme. Suspicious text messages can be forwarded free of charge to 7726.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
