
The Business Owners’ Guide to Phishing Attacks

What is Phishing?

Phishing attacks are a type of social engineering-based cyber attack. The aim of a phishing attack is to trick users into providing their login details, typically through a fake login page, which then gives hackers access to the real account.

Types of Phishing attacks

Phishing attacks are given different names based on the method of attack or how the targets are approached.

Spear phishing

Typical phishing attacks may adopt a more ‘spray and pray’ approach, for example sending a scam email to a high volume of people, so if even a small percentage of recipients fall for the scam the attackers will still have collected a lot of login details.

Spear phishing, in contrast, focuses on high value individuals, like business owners, and crafts messages specifically for them. This is much more time consuming, but will result in a far more believable message. This is one of the many reasons you should be careful about what personal information you share publicly.

When spear phishing is aimed at particularly high level targets, like the CEO of a large organisation, it can be termed ‘Whaling’.

Vishing and Smishing

Vishing and Smishing are amalgamations of ‘voice phishing’ and ‘SMS phishing’ respectively. They share the same objectives as a normal phishing attack, but use alternate contact methods to extract information. Hackers may pose as a bank or trusted organisation over the phone, or may even try to impersonate family members via text message.

What are the impacts of a phishing attack?

Phishing aims to get access to sensitive data, and to use this data to make money. There are a number of ways hackers can exploit your data for financial gain, and this may come at great cost to your organisation.

Operational Impact

Depending on the data attackers are able to access, they might be able to impact the operations of your business; locking you out of vital services or preventing communications flowing smoothly.

Loss of intellectual property (IP)

The impact of the loss or theft of details of a new, innovative product or service your company has been working on should be obvious to everyone. It isn’t just company secrets that attackers could find valuable, though. By taking your IP, hackers may find it easier to impersonate you. This may lead to…

Reputational impact

Consumers and businesses are becoming increasingly aware of the need for data security, and there’s no worse breach of trust than a company compromising its customers’ data.

Of course, as customers lose trust in an organisation, they begin to look elsewhere, directly impacting your sales.

How can I combat Phishing attacks?

There are a number of ways you can reduce the risks a phishing attack poses to your business.

Network Security

The best method of preventing phishing attacks is to stop them reaching users in the first place. Firewalls and email security software can be used to identify phishing attacks and other suspicious emails.

Train staff to recognise phishing attacks

Firewalls can’t protect 100% of devices 100% of the time. But no matter the method of communication, phishing attacks often share common characteristics that your staff can be trained to spot.

These include:

Unexpected

Is the email asking you to log into a service you haven’t used for a long time, or make payments to a new account? Any unexpected email could be a scam, especially if the request is…

Urgent

Attackers are hoping that by asking you to act quickly, you’ll not have enough time to consider whether their request is genuine or not.

Suspicious URLs

Always check the URLs of the links you click on by hovering your mouse over them. Sometimes the link will look like gibberish, making it easy to identify as spam. It might be a bit more sophisticated, using subdomains to impersonate a well-known site.

For example: login.microsoft.com is on a Microsoft site, as it contains ‘microsoft.com’. In contrast, microsoft.login.com may not belong to Microsoft, as the domain it falls under is ‘login.com’.
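The check described above can be automated. The following is an added example, not code from the original article: it extracts the registered domain from a hovered link and flags hosts where a brand name appears but the registered domain is not one of the brand’s own. The list of multi-label public suffixes is a deliberately small, constructed stand-in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately small list of multi-label public suffixes.
# A production check should use the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}


def hostname_of(url: str) -> str:
    """Return the lower-cased host part of a URL (no scheme, port or path)."""
    if "://" not in url:
        url = "http://" + url  # hovered links sometimes omit the scheme
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registered_domain(url: str) -> str:
    """The part of the host that actually had to be registered.

    login.microsoft.com -> microsoft.com (a Microsoft-controlled host)
    microsoft.login.com -> login.com     (whoever owns login.com)
    """
    labels = hostname_of(url).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    suffix = ".".join(labels[-2:])
    # e.g. example.co.uk: the registrable part is three labels long
    if suffix in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return suffix


def looks_like_impersonation(url: str, brand_domains: set) -> bool:
    """True when a brand name appears somewhere in the host but the
    registered domain is not one of the brand's own domains, which is
    exactly the subdomain trick the article describes."""
    host = hostname_of(url)
    owner = registered_domain(url)
    if owner in brand_domains:
        return False
    brand_names = {d.split(".")[0] for d in brand_domains}
    return any(name in host for name in brand_names)


if __name__ == "__main__":
    for link in ("https://login.microsoft.com/", "https://microsoft.login.com/"):
        print(link, "->", registered_domain(link),
              "IMPERSONATION?" if looks_like_impersonation(link, {"microsoft.com"}) else "ok")
```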

Shortened links

Shortened links make it harder to identify suspicious URLs, increasing the chance that the communication is dangerous. Note, however, that some email security products, like Mimecast, will replace URLs with their own. While this makes it impossible to assess the URLs yourself, it also means the URLs will be checked for safety before users are allowed to access them.

If you think a communication may be genuine, use another contact method to get in touch with the sender to confirm the validity of the original message.

Read more about identifying suspicious URLs.

Mitigation

Sometimes users get click-happy, sometimes hackers just get lucky, and an attack gets through.  But if you have robust security measures in place, you can minimise the damage they can do.

Enforce 2 factor authentication

Two factor authentication (2FA) provides added protection to your accounts. When 2FA is switched on, you need to provide extra information when logging in to an account on a new device for the first time. Typically this involves a code being sent to your mobile phone.

Without the code, hackers won’t be able to access your account, even with your login details. Even so, if you’re aware your details have been compromised, it’s best to update them just in case.

Password management

Changing compromised login details can be made much easier through the use of a password management system. These systems offer a central place to store all your passwords, and can act as a checklist of which passwords need to be changed in the event of a breach.

Adopt a Zero Trust approach to network security

A longstanding approach to network security has been the ‘castle-and-moat’ model. In this model, the network is made very hard to infiltrate, but once inside users can move freely through it. In contrast, Zero Trust assumes that every user is a potential hacker, using a variety of methods to re-authenticate users.

Talk to the experts

Doing your research is a good place to start, but cyber security is fast moving, and keeping on top of the latest developments is a full time job. Even a quick consultation with an expert can help put you on the right track.

To speak with us about your cyber security, send us a message or give us a call.
