Tips to help you identify the most common phishing attacks
In a typical phishing attack, scammers send fraudulent emails to a large number of people, requesting sensitive information like bank details or including links to malicious websites. They aim to trick you into sending money or to steal personal information for resale, or they may have specific motives for accessing your organisation's data.
Spotting phishing emails is becoming increasingly difficult, and some may slip past even the most vigilant users. Regardless of the size or type of your business, phishing attempts are inevitable. This guide provides simple steps to recognise common phishing attacks, but it's important to understand the limitations of user awareness.
Tip 1: Set up your accounts to reduce the impact of potential attacks
Set up your staff’s accounts using the principle of ‘least privilege’. This means giving your staff access to only what they need to perform their job. Doing this means that if they become a victim of a phishing attack, the potential damage is reduced.
You can further reduce the damage that can be done by malware or loss of login details, by ensuring that your staff don’t browse the web or check emails from an account with Administrator privileges. An Administrator account is a user account that allows you to make changes that will affect other users. Administrators can change security settings, install software and hardware, and access all files on the computer. So an attacker having unauthorised access to an Administrator account can be far more damaging than accessing a standard user account.
You should use two factor authentication (2FA) on important accounts such as email. Enabling 2FA on these accounts means that even if an attacker knows the password, they won’t be able to access the account as they will not have the second verification method.
Tip 2: Know your organisation and how it operates
To improve your organisation's security, it is important to ensure that all staff members know your standard operating procedures, especially in their interactions with other organisations. This equips them to identify any unusual requests.
Various tactics used by threat actors include sending invoices for services not rendered, leading to automatic malware installation upon opening the attachment, and tricking staff into transferring funds or information through authentic-looking emails. Think about your usual practices to reduce the success of such attacks:
- Are your staff trained on handling unusual requests and know where to seek assistance?
- Consider confirming the identities of individuals claiming to be important figures via email before taking action.
- Familiarise yourself with your regular business partnerships to avoid falling victim to phishing attempts.
- Encourage your staff to question suspicious requests, reinforcing the importance of verifying authenticity.
Review how your outgoing communications may appear to suppliers and customers. Consider whether your emails could be mistaken for phishing attempts, and advise recipients on what to watch out for, such as emails asking for passwords or bank account changes.
Tip 3: Check for the obvious signs of phishing
Expecting all staff to identify and delete every phishing email is an unrealistic demand that could significantly impact business productivity. However, many phishing emails still show common traits of traditional attacks. Look out for the following signs to identify potential phishing attempts:
- Phishing scams often originate from overseas, so poor spelling, grammar and punctuation are common. Some may attempt to appear official by incorporating logos and graphics. Look at whether the email design aligns with what you would expect from a reputable organisation.
- Pay attention to how the email is addressed. Is it personalised to your name, or does it use generic terms like 'valued customer', 'friend', or 'colleague'? Generic introductions could indicate a phishing scam.
- Be cautious of emails containing urgent requests or threats, such as demanding immediate action or claiming you are a victim of a crime. Phrases like 'send these details within 24 hours' or 'click here immediately' should raise suspicion.
- Beware of emails that appear to be sent by high-ranking individuals in your organisation requesting payments to specific accounts. Look at the sender's name for authenticity to avoid falling for impersonation tactics.
- If an offer seems too good to be true, it likely is. Be cautious of emails promising money or access to exclusive online content.
- Avoid scanning QR codes in emails, as scammers may exploit them to lure you to fraudulent websites.
Email filtering services aim to send phishing emails to spam/junk folders. However, the rules determining this filtering need to be tuned to your organisation's needs. If these rules are too open and scam emails are not sent to spam/junk folders, users will have to manage a large number of emails, adding to their workload and leaving them open to the possibility of clicking a dodgy link. However, if your rules are too strict, some legitimate emails could get lost. You may have to adjust the rules over time to maintain the best compromise.
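The following is an added worked example, not code from the original guide: a small rule-based scorer that runs the signs listed above (generic greeting, urgency, a senior-sounding display name sent from outside the organisation, too-good-to-be-true offers, requests to change bank details) over a handful of constructed sample messages, then shows how moving the junk threshold up or down trades missed scams against lost legitimate mail. The internal domain, the phrase lists, the weights and the sample emails are all assumptions chosen for illustration.

```python
import re

# Assumed: the organisation's own email domain (placeholder for this example).
INTERNAL_DOMAIN = "acme.example"

# Constructed sample messages (not real mail). Each has the fields a filter
# would see after parsing the headers and body.
SAMPLE_EMAILS = [
    {   # impersonates a senior person, external address, urgent bank change
        "from_name": "Jane Smith (Finance Director)",
        "from_addr": "jane.smith@example-mail-free.test",
        "subject": "Urgent payment",
        "body": "Dear colleague, please send these details within 24 hours. "
                "Pay the attached invoice to the new account immediately.",
    },
    {   # legitimate supplier invoice, personalised, no pressure
        "from_name": "Acme Accounts",
        "from_addr": "accounts@acme.example",
        "subject": "Invoice 1234 for March",
        "body": "Hi Sam, attached is the invoice for the work completed in March. "
                "Let me know if you have any questions.",
    },
    {   # too good to be true, generic greeting, urgency
        "from_name": "Prize Team",
        "from_addr": "winner@lottery.example",
        "subject": "You have won!!",
        "body": "Dear friend, you are the lucky winner of $1,000,000. "
                "Click here immediately to claim your prize.",
    },
    {   # legitimate internal notice that happens to use the word 'urgent'
        "from_name": "IT Helpdesk",
        "from_addr": "it@acme.example",
        "subject": "IT notice",
        "body": "Hi Sam, urgent: please restart your laptop before 5pm today.",
    },
]

# Assumed phrase lists; a real filter would use far larger ones.
GENERIC_GREETINGS = ("dear customer", "valued customer", "dear friend", "dear colleague")
URGENCY_PHRASES = ("within 24 hours", "immediately", "urgent", "act now")
EXEC_TITLES = ("finance director", "ceo", "managing director", "chief executive")
TOO_GOOD = ("you have won", "lucky winner", "prize", "free money")
BANK_CHANGE = re.compile(r"\b(new account|bank details|account details)\b")


def score_email(msg):
    """Return (score, reasons). Weights are assumed: more telling signs score higher."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    name = msg["from_name"].lower()
    domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    score, reasons = 0, []
    if any(g in text for g in GENERIC_GREETINGS):
        score += 1
        reasons.append("generic greeting")
    if any(u in text for u in URGENCY_PHRASES):
        score += 2
        reasons.append("urgency or threat")
    # Display name claims a senior role but the address is outside the organisation.
    if any(t in name for t in EXEC_TITLES) and domain != INTERNAL_DOMAIN:
        score += 3
        reasons.append("senior-person display name from external domain")
    if any(p in text for p in TOO_GOOD):
        score += 2
        reasons.append("too good to be true")
    if BANK_CHANGE.search(text):
        score += 2
        reasons.append("asks for payment or bank account changes")
    return score, reasons


def classify(msg, threshold):
    """Route a message to 'junk' when its score reaches the threshold."""
    return "junk" if score_email(msg)[0] >= threshold else "inbox"


def filter_outcomes(emails, threshold):
    """Outcome per message for one threshold, to compare strict vs open rules."""
    return [classify(m, threshold) for m in emails]


if __name__ == "__main__":
    for threshold in (2, 4, 6):
        print(threshold, filter_outcomes(SAMPLE_EMAILS, threshold))
```

With a strict threshold of 2 the internal IT notice is lost to the junk folder because it says "urgent"; with an open threshold of 6 the lottery scam reaches the inbox; a threshold of 4 separates the four samples correctly. That is the tuning trade-off described above, and the reasons list is what a reviewer would use to decide which rule to adjust.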
Tip 4: Report all attacks
Ensure that your staff feel comfortable asking for help if they think they have fallen victim to phishing, particularly if they haven't raised the issue before. It's crucial to promptly scan for malware and change passwords if you suspect a successful breach. Avoid penalising employees for falling prey to such attacks, as it may deter them from reporting in the future and lead to excessive time spent scrutinising emails. These outcomes can ultimately harm your business. If you suspect your organisation has been targeted by online fraud, scams or extortion, report it to Action Fraud, the UK's national fraud and cyber crime reporting centre, either via their website or by calling 0300 123 2040.
Tip 5: Check your digital footprint
Cyber criminals create their phishing messages by using publicly available data about your organisation and employees, often gained from your website and social media profiles (referred to as a 'digital footprint').
Recognise the impact of information shared on your organisation's website and social media platforms. Consider what details are necessary for visitors and what could be potentially useful for cyber criminals.
Be aware of the information that your partners, contractors and suppliers share about your organisation online.
Educate your staff on how sharing personal information can impact them and the organisation. The goal is not to remove their online presence entirely but to assist them in managing their digital footprint effectively, shaping their online profile to benefit both themselves and the organisation.
National Protective Security Authority’s (NPSA) Digital Footprint Campaign provides a variety of helpful resources, such as posters and booklets, to help organisations in collaborating with staff to reduce online security risks.