In a typical phishing attack, scammers send fake emails to thousands of people, asking for sensitive information (such as bank details), or containing links to malicious websites. They might try to trick you into sending money, steal your details to sell on, or they may have political or ideological motives for accessing your business’s information.
Phishing emails are getting harder to spot, and some will still get past even the most observant users. Whatever your business, however big or small it is, you will receive phishing attacks at some point. As well as tips on how to spot phishing attacks, this article includes guidance on how to protect your organisation even when someone does click that dodgy link.
Tip 1: Configure accounts to reduce the impact of successful attacks
You should configure your accounts in advance using the principle of 'least privilege'. This means using the lowest level of user rights required to perform your job, so that if you are the victim of a phishing attack, the potential damage is reduced. If you need to use an Administrator account (for example to install software or hardware) you should not use it for day-to-day tasks like checking emails.
To further reduce the damage that can be done by malware or loss of login details, ensure that you don’t browse the web or check emails from an account with Administrator privileges. An Administrator account is a user account that allows you to make changes that will affect other users. Administrators can change security settings, install software and hardware, and access all files on the computer. So an attacker having unauthorised access to an Administrator account can be far more damaging than accessing a standard user account.
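The first step in applying least privilege is knowing which accounts on a machine actually hold administrator rights, so that you can check none of them is being used for everyday email and browsing. The script below is an added example written for this article, not guidance or code from its author: it lists privileged accounts from a constructed sample of a small office machine, and can optionally read the live account database of a POSIX host. The set of group names treated as administrative (ADMIN_GROUPS) is an assumption about typical Linux/macOS systems and will differ elsewhere.

```python
"""List local accounts that hold administrator rights (added example).

Assumptions, not from the article: an account is privileged if its uid is 0,
its primary group is administrative, or it is a supplementary member of an
administrative group. The group names in ADMIN_GROUPS are typical for
Linux/macOS hosts and should be adjusted for your own systems.
"""
try:
    import grp
    import pwd
except ImportError:  # Windows has no pwd/grp; only the pure function is usable there
    grp = pwd = None

# Assumption: groups that confer administrator rights on typical Linux/macOS hosts.
ADMIN_GROUPS = frozenset({"root", "wheel", "sudo", "admin"})


def privileged_accounts(accounts, memberships, admin_groups=ADMIN_GROUPS):
    """Return sorted (account, reason) pairs for every account with admin rights.

    accounts:    mapping of account name -> (uid, primary group name)
    memberships: mapping of group name -> set of supplementary member names
    """
    found = {}
    for name, (uid, primary) in accounts.items():
        if uid == 0:
            found[name] = "uid 0"
        elif primary in admin_groups:
            found[name] = f"primary group {primary}"
    for group, members in memberships.items():
        if group in admin_groups:
            for member in members:
                # Keep the first reason recorded for an account (uid 0 beats group membership)
                found.setdefault(member, f"member of {group}")
    return sorted(found.items())


def local_accounts_posix():
    """Snapshot the running POSIX host into the shape privileged_accounts() expects."""
    if pwd is None:
        raise RuntimeError("live audit needs the pwd/grp modules (POSIX only)")
    groups = grp.getgrall()
    gid_to_name = {g.gr_gid: g.gr_name for g in groups}
    accounts = {
        p.pw_name: (p.pw_uid, gid_to_name.get(p.pw_gid, str(p.pw_gid)))
        for p in pwd.getpwall()
    }
    memberships = {g.gr_name: set(g.gr_mem) for g in groups}
    return accounts, memberships


# Constructed sample data standing in for a small office machine.
SAMPLE_ACCOUNTS = {
    "root": (0, "root"),
    "dana": (1001, "users"),    # day-to-day user, but also in sudo below
    "sam": (1002, "users"),     # standard user
    "backup": (1003, "wheel"),  # service account whose primary group is administrative
}
SAMPLE_MEMBERSHIPS = {"sudo": {"dana"}, "users": {"dana", "sam"}, "wheel": set()}

if __name__ == "__main__":
    for account, reason in privileged_accounts(SAMPLE_ACCOUNTS, SAMPLE_MEMBERSHIPS):
        print(f"{account:10} {reason}")
    # To audit the machine this runs on (POSIX only):
    # for account, reason in privileged_accounts(*local_accounts_posix()):
    #     print(account, reason)
```

Every account the script lists should either be a dedicated administrative login that is never used for email or web browsing, or have its rights removed. Running it against the sample data reports backup, dana and root; on a real host, dana is the case to look for: a normal user whose everyday account quietly carries sudo rights.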
Use two-factor authentication (2FA) on your important accounts such as email. This means that even if an attacker knows your passwords, they still won’t be able to access that account.
Tip 2: Think about how you operate
Consider ways that someone might target your business. If you have anyone else working with you, or using your business accounts, make sure they know the normal ways of working (especially regarding interaction with other organisations), so that they're better equipped to spot requests that are out of the ordinary.
Common tricks include sending an invoice for a service that you haven't used, so when the attachment is opened, malware is automatically installed (without your knowledge) on your computer. Another is to trick you into transferring money or information by sending emails that look authentic. Think about your usual working practices and how you can help make these tricks less likely to succeed. For example:
Ask yourself whether someone impersonating an important individual (a customer or supplier) via email should be challenged (or have their identity verified another way) before action is taken.
Do you understand your regular business relationships? Scammers will often send phishing emails from large organisations (such as banks) in the hope that some of the email recipients will have a connection to that company. If you get an email from an organisation you don't do business with, treat it with suspicion.
Think about how you can encourage and support questioning suspicious or just unusual requests – even if they appear to be from important individuals. Having the confidence to ask ‘is this genuine?’ can be the difference between staying safe, or a costly mishap.
You might also consider looking at how your outgoing communications appear to suppliers and customers. For example, do you send unsolicited emails asking for money or passwords? Will your emails get mistaken for phishing emails, or leave people vulnerable to an attack that's been designed to look like an email from you? Consider telling your suppliers or customers what they should look out for (such as 'we will never ask for your password', or 'our bank details will not change at any point').
Tip 3: Check for the obvious signs of phishing
Expecting to always be able to identify and delete all phishing emails is an impossible request and would have a massively detrimental effect on business productivity. If a message or call makes you suspicious, stop, break the contact, and consider the language it uses. Scams often feature one or more of these tell-tale signs.
Authority – Is the message claiming to be from someone official? For example, your bank, doctor, solicitor, or government department. Criminals often pretend to be important people or organisations to trick you into doing what they want.
Urgency – Are you told you have a limited time to respond (such as 'within 24 hours' or 'immediately')? Criminals often threaten you with fines or other negative consequences.
Emotion – Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
Scarcity – Is the message offering something in short supply, like concert tickets, money or a cure for medical conditions? Fear of missing out on a good deal or opportunity can make you respond quickly.
Current events – Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.
Email filtering services attempt to send phishing emails to spam/junk folders. However, the rules determining this filtering need to be fine-tuned for your business needs. If these rules are too open and suspicious emails are not sent to spam/junk folders, then users will have to manage a large number of emails, adding to their workload and leaving open the possibility of a click. However, if your rules are too strict, some legitimate emails could get lost. You may have to change the rules over time to ensure the best compromise.
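The five tell-tale signs above (authority, urgency, emotion, scarcity, current events) can be turned into simple filter rules, and doing so makes the trade-off described in the filtering paragraph concrete: a threshold that is too strict sends a genuine supplier's invoice to junk, while one that is too open lets an obvious scam through. The script below is an added illustration written for this article, not a real filtering product or code from the article's author. Its keyword patterns and the three sample emails are constructed, and any real filter would need far richer rules than this.

```python
"""Score emails for the five phishing tell-tale signs and show how a junk
threshold trades missed scams against lost legitimate mail (added example).

The patterns below are a constructed, deliberately small illustration of the
signs described in the article; they are not a complete or production rule set.
"""
import re

# One list of regular expressions per tell-tale sign (constructed examples).
SIGNALS = {
    "authority": [r"\bbank\b", r"\bhmrc\b", r"\bpolice\b", r"\bsolicitor\b",
                  r"\bgovernment\b", r"\byour doctor\b"],
    "urgency": [r"\bwithin \d+ (hours?|days?)\b", r"\bimmediately\b",
                r"\burgent(ly)?\b", r"\bfinal notice\b"],
    "emotion": [r"\bsuspended\b", r"\bfine\b", r"\bprosecut", r"\byou have won\b",
                r"\bcongratulations\b"],
    "scarcity": [r"\blimited\b", r"\bonly \d+ left\b", r"\blast chance\b",
                 r"\bexclusive\b"],
    "current_events": [r"\btax (return|rebate|refund)\b", r"\bself[- ]assessment\b",
                       r"\bchristmas\b"],
}


def score(email_text):
    """Return {sign: [patterns that matched]} for every sign present in the text."""
    text = email_text.lower()
    hits = {}
    for sign, patterns in SIGNALS.items():
        matched = [p for p in patterns if re.search(p, text)]
        if matched:
            hits[sign] = matched
    return hits


def classify(email_text, threshold):
    """Route to 'junk' when at least `threshold` distinct signs are present.

    Returns (folder, hits) so the caller can see why a decision was made.
    """
    hits = score(email_text)
    folder = "junk" if len(hits) >= threshold else "inbox"
    return folder, hits


# Constructed sample messages.
PHISH = ("Your bank account has been suspended. Verify your details immediately "
         "or a fine will be applied.")
LEGIT_INVOICE = ("Hi, invoice 1043 for the printer servicing is attached. Payment is "
                 "due within 14 days as agreed. Thanks, Dana")
CLEAN = "Thanks for the meeting on Tuesday, notes attached. Let me know if I missed anything."

if __name__ == "__main__":
    for threshold in (1, 2):
        print(f"--- threshold = {threshold} sign(s) ---")
        for label, text in (("phish", PHISH), ("invoice", LEGIT_INVOICE), ("clean", CLEAN)):
            folder, hits = classify(text, threshold)
            print(f"{label:8} -> {folder:5} signs: {sorted(hits) or '-'}")
```

With a threshold of one sign, the genuine invoice goes to junk because "within 14 days" trips the urgency rule, which is the "too strict" failure the article warns about; with a threshold of two, the invoice reaches the inbox while the scam, which trips authority, urgency and emotion at once, is still caught. Real messages are messier than these three, which is why the article expects the rules to be revisited over time rather than set once.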
Tip 4: Report all attacks
Ask for help if you think that you might have been a victim of phishing, especially if you've not raised it before. It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.
If you believe that your business has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website. Action Fraud is the UK’s national fraud and cybercrime reporting centre. If you are in Scotland contact Police Scotland on 101.
Tip 5: Check your digital footprint
Attackers use publicly available information about your business and staff to make their phishing messages more convincing. This is often gleaned from your website and social media accounts (information known as a 'digital footprint').
Understand the impact of information shared on your business's website and social media pages. What do visitors to your website need to know, and what detail is unnecessary (but could be useful for attackers)?
Be aware of what your partners, contractors and suppliers give away about your organisation online.
Help your staff understand how sharing their personal information can affect them and your organisation. This is not about expecting people to remove all traces of themselves from the Internet. Instead support them as they manage their digital footprint, shaping their profile so that it works for them and the organisation.
The National Protective Security Authority (NPSA) provides a range of useful materials (including posters and booklets) to help organisations work with employees to minimise online security risks.