One of the most common attack vectors last year were phishing attacks, aimed to exploit humans. Google detected over 2 million phishing sites to lure victims into entering sensitive data. Whilst this is just one variant, cyber criminals are using multiple types of phishing attacks to target businesses.
We sat down with one of our Cyber Security experts, Brandon Linford, to discuss the various types of attacks and what best practices can be applied to protect businesses.
1. How would you describe phishing?
Phishing is a cyber crime in which criminals target victims by contacting them through email, telephone or text message. Someone poses as a legitimate company to lure and trap individuals into providing sensitive data. This can be personally identifiable information, passwords and banking/credit card details.
The information is then used to access important accounts which can result in identity theft, data theft, ransom and blackmail attacks, sabotage, and devastating financial losses.
2. What phishing attacks should businesses look out for? And how they can respond and prevent?
Email based phishing attack
There are many phishing attacks, but let’s start with the most common one. This type of attack is more traditional and reaches us through an email. Essentially, the attacker impersonates a company or employee. They may use an email address similar to the official one, copying their logo, text etc.
The attacker typically attempts to make the victim believe that they are facing an important message. Usually, alert phrases are used to grab the users attention in order to access a malicious link.
Think before you click! When you’re on trusted sites, of course it’s okay to click on links. However, clicking on links that appear in random emails and instant messages, isn’t such a smart move. If you’re unsure on any links, hover over them before you click on the link. Ask yourself this question, does the link go to where it’s supposed to/expected to?
Keep in mind that phishing emails are made to look like they are from a legitimate company and when you click the link to the website, it may look just like the original website. Look out for how the sender addresses the email to you, the email may begin with asking you to fill in the information, but it probably won’t contain your name. It’s quite common for attackers to start their emails off with “Dear customer”, so stay vigilant if you do happen to come across an email like this! If you’re having second thoughts, pop a message to the original sender to save yourself the disaster of clicking on a potentially threatening link.
Smishing attacks are similar to email based phishing attacks, but in this case, they are sent by text (SMS). The victim receives a text message on their mobile and is usually from a bank or some platform that they use online.
This, again, is likely contain links designed to trick us into visiting a page that hackers use to extract information from us. This has increased considerably in recent years and is a problem that affects both private users and companies.
Don’t tap any links. Most text phishing attempts include links or URL’s. Before clicking on any of them, re-read the message. It might look genuine, but is it what it looks like? Or is there a spelling mistake? Some scams are designed to spread dangerous malware, so avoid clicking on the link!
Whilst vishing is similar to phishing, a cybercriminal contacts you by phone instead of email. They usually impersonate someone in a position of authority.
This could be a caller pretending to be from a company’s IT or finance department and even government companies. In the U.K for example, you may recall the HMRC scams. Attackers have been executing this by using automated phone calls to scam victims into payments. They could also impersonate an executive, a business partner, or claim to be from a software company such as Microsoft. The idea behind the call is to fraudulently convince you to provide sensitive information or take an action in an attempt to compromise company systems or even personally steal from you.
Be careful and vigilant of any callers asking you to share login information over the phone. The best way to protect yourself when asked to provide account information or personally identifiable information, is to simply refuse to hand over the details and hang up immediately.
Remember that security departments won’t get in touch with you to request any changes to your logins or passwords. Again, if you happen to find yourself in this situation, recognise that is a scam, hang up the phone, and notify the company.
Spear Phishing is another technique that hackers use, but this time it’s more personal compared the other attacks. It can be an e-mail, for example, but this will be directly addressed to the user. Attackers use this method as using the victim’s name, means better chance of them opening email.
One more way for cyber criminals to succeed is by targeting top ranking members of a company. E.g. CEO, CFO, COO or CTO.
If this were to happen, and the email involves any personal or monetary information, always call the person that sent this email to confirm if it was them.
Malware based phishing
In this case, the hackers attach an email attachment or downloadable file, designed to infect your computer once clicked on. This is a common and extremely effective way for hackers to launch large scale cyber attacks.
To combat this, you should have an advanced EDR product and keep the software on your personal computer up to date, including windows updates.
3. Can you tell us more on phishing protection best practices?
Phishing protection is made up of various security solutions and security awareness training.
One of these solutions include a solid Endpoint Detection and Response (EDR), like Securyx. While Endpoint Protection focuses on prevention, EDR detects and analyses threats designed to bypass first line defences.
Mailboxes can often get flooded with spam emails, not only does this affect employee productivity, but it also poses a threat to your security. You can protect your employees by implementing an email spam filter to mitigate any potential threats. By doing so, you’ll gain a secure email gateway, and put a stop to any incoming malware. Typically your security plan should include a sturdy firewall, anti-spam and anti-malware. All of these technologies combined will help protect your systems from being compromised. To facilitate this, you can look into a Managed Security Service.
I’d also recommend investing in a product like KnowBe4 to equip your staff with security awareness training. Combined with a library of training content and simulated phishing attacks, the platform can test if the training you are providing is effectively working.
Having good cyber hygiene safeguards you in the event you are breached and makes preventing or recovering from a cyber attack a lot easier.
Here’s some basic hygiene tips you can apply to your business:
- Make sure you keep an inventory of the company’s hardware and software on your network.
- Educate your employees on how to practice good cyber behavior – this might include:
- Encouraging good password management.
- Encouraging the use of complex passwords.
- Identifying which devices employees can connect to the network.
- Limit the number of employees who have administrative privileges.
- Regularly back up your data and keep multiple copies. Consider using a secure cloud solution, and keeping the data on-site.
- Identify any vulnerable applications that aren’t currently being used and disable them.
- Establish some form of incident response plan.
- Implement some controls to protect and recover data if a breach occurs.
- Conduct cyber threat and vulnerability monitoring.
- Consider investing in SOC services (Security Operations Centre) to monitor your security.
Training your staff on cyberattacks is extremely important as they are your first line of defence against an attack. Having staff that can identify an attack and report it, will greatly reduce your chances of a successful attack.
Security is never a one-and-done solution, threat vectors are always evolving and are getting more complex. You should always be mindful of good hygiene practice's and provide your team with appropriate training on a regular basis.
Stay educated on phishing scams
As a cyber security expert, I follow many forums and sign up to weekly threat emails. My go-to forums that I check daily consist of Cisco Talos, CSO, Threatpost, Info security, Securityweekly.com and Dark reading. If you’re looking to keep up with the latest on the cyber security landscape, add these to your list!
4. How can businesses protect their employees against phishing scams and what measures can they take?
Protect your bank accounts
If you haven't created separate bank and credit card accounts for your personal life and business, do so now. This will make sure that if hackers get their hands on one account, they won't be able to access another account of yours. Look into the security systems your bank uses for online banking to be sure that features like automatic logout are available.
When it comes to handling bills, manage this all online to avoid papers with sensitive information lying around in the office. You never know when vulnerable information can fall into the wrong pair of hands!
Safeguard your computer systems
Hackers are experts at cracking computer systems. To protect your company data, look to invest in a sturdy firewall and an advanced antivirus software. There are several well-regarded cyber-security vendors. Find the product that best addresses your needs.
Keep in mind to set up strict protocols that require employees to create passwords that are difficult to decipher. I recommend having employees change their passwords every 60–90 days and set password requirements to help ensure they generate strong passwords.
I would also advise to back up your data on a regular basis and consider storing it offsite. If an incident were to affect your system, you'll be able to restore the files you need with minimal downtime.
Carry out employee background checks
If you’re looking to grow your team, take the necessary steps to not only find a qualified candidate, but a trustworthy one too. Don’t rely entirely on references and work history, instead, invest time into a thorough background check.
If this is something you’re considering, there are companies who can provide this survey for you. During your recruitment process, you can run a final background check on any candidates you’ve shortlisted, before making your decision. I highly recommend that before taking this approach, you get proper permission to run checks.
Create a secure entry
Always keep a secure entry system in place to keep unwanted visitors out. Consider looking into key-card systems, some even provide time-stamp records to let you know your employee’s entry and exit times.
Be mindful of your management too. What I mean by this is to give certain people limited access to key areas. A server room is a great example. You can choose to only let IT managers inside with the key card system.
Remember that security measures aren’t all fool proof. You need to be prepared so even if you’re taking precautions, insurance is highly recommended to keep you covered.
If you’re worried about potential threats to your business, and you’re looking for a more robust cyber security service, get in touch with one of our experts today. Alternatively, you can reach us at+44 (0)207 605 7890 or email email@example.com.