What is a phishing attack?
A phishing attack is a fraudulent communication often used to trick the user into entering sensitive information. Phishing attacks are now far more sophisticated and look very genuine.
When we use the word attack, don’t think a phishing attack is accompanied with a loud explosion or sirens. These are very subtle in nature, friendly invitations, attractive offers, time sensitive requests and so on. They look like normal communications you expect on a day to day basis.
The most common form of phishing is an attempt to obtain sensitive information such as login credentials or credit card details. Most often this is an email, claiming to be from a trusted source and with a strong call to action. Clicking on the link takes you to a fake website where you are asked to login. However, rather than logging in, you are giving your details to a fraudster.
Phishing attacks may also come in the form of a text message from ‘your bank’ requesting personal details. They may be a phone call from a large company you know or trust asking for access to your computer or for some personal information.
In 2021 research shows that PayPal was the most spoofed business when it came to financial phishing emails. 37.8% of all the phishing emails sent were hackers pretending to be PayPal.
How does a phishing attack work?
The content of an email or attachment will lead the user into divulging some critical information such as the password to their email account or some other service. This is done by luring the user to a site to perform some ‘legitimate’ task, such as:
- Re-activating your email account
- Signing a document or agreement you are expecting
- Checking the status of an order or delivery
- Downloading an invoice or proof of delivery
- and many other tasks you may perform regularly
Of course, when you click the suggested link to get to the site to sign in to perform the task at hand, even though the site may look genuine, when you log on with your details, the log on process fails. In fact, you were not logging onto anything, you were just handing over the keys to your email, or your e-commerce account etc.
Once an attacker has control of the account in question, they can perform a whole host of negative actions. For example:
- In your e-commerce account, they can purchase a raft of goods using your stored card details
- In your email, they can contact you customers to tell them that you have changed your bank details. This leads to your customers paying invoices to a bank account that is not yours.
- They can send more phishing emails to others in your contact list. These messages come from you!
- They can lure a company user into divulging company IP or other key information
- In the case of a more targeted phishing attack, they can use a VIP’s email account to instruct the financial department to make immediate payments to fictitious suppliers!
Who are vulnerable to phishing attacks?
In short, everyone. You may feel, why would a criminal target me? Let’s face it, criminals don’t care who you are, they only care about what they can take from you or how to use you to facilitate further attacks on others. Everyone is vulnerable to a phishing attack, some more so than others.
How can I tell a phishing email from a genuine one?
Remember, a message may appear to come from people you know, either through careful crafting of the email header, or because the sender’s inbox has been hijacked by the criminals.
Here are some questions and checks that may assist:
- The first thing to look for is the style of the language in the message. Are there grammatical errors? Is the message trying to get you to act quickly?
- Does the email address you by name?
- Does the layout look different to a genuine email from that company?
- Do I trust the sender? Is the senders email address 100% correct?
- Don’t be enticed to follow the links. Hover over them and check the URL destination.
- Am I expecting an email from this person, especially on this topic?
- Ask yourself, why are they sending me this? If you know nothing about it, delete it. If the message was genuine, the sender will soon get in touch.
- If the message carries a weighty instruction, why not check verbally with the sender before acting on this instruction?
If ever in doubt about the authenticity, just check with your IT support or the real sender.
Here are some DO NOT’s!
- DO NOT just click any link or open any attachment because the sender says you should. Think before you click.
- DO NOT reply to any email you have suspicions over. Speak to the genuine sender verbally to confirm instructions.
- DO NOT be scared or embarrassed to ask for advice. If in doubt, Ask!
- DO NOT panic if you do click a link or open an attachment and then realise it was not genuine. In these instances, just close your browser, shutdown your computer and ask for IT advice.
How can I protect myself and my business from a phishing attack?
There are several strategies that should be employed by any business. Advice from the NCSC for high level strategies for businesses include:
- Make it difficult for attackers to reach your users
- Help users identify and report suspected phishing emails
- Protect your organisation from the effects of undetected phishing emails
- Respond quickly to incidents
Some simple things you can employ as individuals and as businesses include:
- Never use the same password for more than one service - Many people re-use the same password or a variant of it for everything. That is a very bad idea. People also don’t change their passwords regularly, so if a hacker obtained your password they can access multiple accounts and the password will continue to work for them until changed (if ever).
- Use a password manager - Password managers can create unique and strong passwords. They then store those passwords, meaning you don’t have to remember them all. They employ encryption to store those passwords. You just need to remember the master password used to secure all your other passwords. Make sure that is unique too!
- Use 2-Factor or Multi-Factor authentication - 2-Factor authentication is an additional password that needs to be entered when signing into an online service. For instance, Microsoft Office 365 enables users to use their mobile device to receive a text message or a code via an app. Once the user enters their email address and password, a 2nd one-time password is sent to the mobile device that needs to be entered before access to the account is granted. It is inconvenient, but it is a superb level of additional free security. As the criminals will not have access to the mobile device, they cannot sign-in. As a minimum ensure your admin users, decision makers and people with access to money have this enabled. Ideally everyone should.
- Use an enterprise-grade anti-virus (endpoint security) product - All your computers, desktops, laptops and servers should have a quality endpoint security product installed and configured. Relying on the integrated protection of your operating system is not an adequate protection against the many different types of threat currently out there.
- Communicate your processes - Communicate to your contacts that you will never send critical information or changes just by email. They will be confirmed or followed up verbally or in writing in the post. Of course, there are other processes that you may need to review to ensure they cannot be misused, and someone loses out.
- Train, train, train - Train your users on how to identify phishing emails, understanding the risk phishing emails present and what to do, either if something has been clicked, or who to ask for advice if they are not sure about an email. Do not punish users or have a culture that forces users to keep security events ‘quiet’.
- Patching - Keep your IT systems patched and up to date. This will ensure the chances of malware infecting your system due to the actions of a user are kept to a minimum. Not patching your systems is like leaving the front door wide open and placing a neon sign above, just in case no-one saw the open door. Most well publicised malware, phishing and ransomware attacks are successful because the systems were not patched. Also employ a replacement strategy for all of your IT hardware. Eventually it reaches end of life, and it is no longer patch-able, or there may be other reliability or capacity concerns.
- Backup your data - This really should be the number 1 tip. Any business who does not back up their data is walking a very dangerous tight-rope. A phishing attack could see your data deleted, permanently. Don’t just back up the obvious either. Ensure your cloud services are included in your backup strategy. Just because data is in the cloud, doesn’t mean it is safe and easily recovered. Keep an offline backup as well. Most cloud providers protect themselves with very limited retention policies and recovery time guarantees.
- Remove admin rights - Yes, that’s right, remove the rights to install software and make system changes for everyone, and we mean everyone, including the boss. You lead from the top, so senior management should follow the same rules they create for everyone else. You can create special accounts for administering or making changes to your IT systems, just only use them for specific tasks, and at all other times use ‘standard’ accounts.
- Partner with a trusted IT support provider - Their advice and experience are invaluable. Don’t use a friend of a friend. He will get sick of out of hours calls and favours, and he won’t always respond when you need him most. Plus, avoid ad-hoc use of multiple companies which is potentially a GDPR failure.
These simple tips should be the foundation of your strategy to protect your business from a successful phishing attack. There are some more advanced things you can investigate that will further improve your business defences:
- Block or filter incoming spam emails, emails with malware and phishing emails. Utilise filtering solutions by your email provider, understand their features and if necessary use a third-party solution to provide an additional layer if the risks are deemed high.
- Analyse your digital footprint, and those of your users, contractors, customers and suppliers. Is there more information about your business on your web site, social media etc, than there needs to be? Is this giving attackers an advantage?
- Follow best practice to ‘lock down’ your applications to reduce the probability of malware successfully running. As an example, disable macro’s in Microsoft Office (this is set by default, but can be overridden).
- Design your network (file shares, user groups, server access etc.) to reduce the impact of successful attack.
- Use a DNS service that stops web site addresses that are known to host malicious content from being resolved. There are several services that are free to use, and there is also one for public sector organisations funded by the NCSC.
- Employ additional authentication technology where appropriate such as Biometrics or Smartcards on top of the standard 2FA.
- Have a process to disable or remove accounts in systems that are no longer needed, such as when someone leaves the business, or you migrate to a new service.
- Implement a password policy to ensure users can change their passwords, and that they are complex enough with restrictions. The NCSC advises that if you are using 2FA, the need to change passwords is reduced.
The NCSC provide a detailed breakdown of how each of these topics can be implemented here: https://www.ncsc.gov.uk/phishing
How can PS Tech help?
PS Tech can provide help and assistance with any of these suggestions mentioned above. In particular, we offer endpoint security solutions and support plans to ensure you get the right advice, along with responsive and proactive support from our team here in the UK.
Endpoint security solutions
The most popular cyber security solution we offer to small and medium sized businesses is the Sophos Security range of products. The cloud managed Sophos Central suite of tools offers best-in-class protection for all of your computers, servers and mobile devices. Protection includes real-time file protection, web protection, real-time anti-ransomware protection, and the ability to manage device security including managing apps and peripherals. On top of that, a device encryption solution ensures your Windows computers data are encrypted and remain so.
An alternative solution which may prove more attractive to those on a smaller budget is our monthly managed anti-virus solution based on the reputable BitDefender security engine. This has a low monthly cost payable for each device protected.
With our support plans we can monitor and proactively deal with threats that appear on your network with either of these two solutions.
Every business and individual should backup their data. The best form of backup is a 2nd copy of your data taken automatically and held off-site. File sharing/synching apps such as Dropbox, OneDrive, SharePoint etc. are not a backup. In fact, if you use cloud services such as these, you should back them up properly too.
PS Tech offer a number of cost effective and flexible backup solutions. All our backup solutions are GDPR compliant and available on monthly or annual plans. Do not delay! Speak to one of our team today about the best option to ensure you do not lose data as a result of a mistake, a phishing attack, ransomware attack or some other form of data loss.
If you are looking for an IT support partner to provide your business with proactive IT support, then look no further. Many words describe our service, including friendly, cost effective, professional and proactive. But more importantly we do live up to these descriptions. We have different plans that can be tailored to your needs and budget. Once you have a plan in place, PS Tech will perform constant monitoring of your systems, patching them and backing up your data securely. Plus, with our monthly support plans, users get unlimited remote support. It doesn’t cost the earth, and we know you will be impressed by the professionalism of our team and processes. Please contact us to discuss joining the hundreds of other companies who rely on us for their day to day IT support needs.
If you found this article useful, please follow us on social media to stay in touch. And please contact us if you would like to speak about any of the suggestions or inferred products above.
Above all, be careful and stay safe.