As phishing attacks can be carried out via text message, social media, phone or email, we have teamed up with the National Cyber Security Centre to offer you advice on how to keep your business safe. The first blog in the series looks at two-step verification to keep your data safe.
If you have received an email that you're not quite sure about, don't use the links or contact details in the email; instead, forward it to the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk.
What is phishing?
Phishing is when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link that downloads malware or directs them to a dodgy website.
Phishing can be conducted via a text message, social media, or by phone, but the term 'phishing' is mainly used to describe attacks that arrive by email. Phishing emails can reach millions of users directly, and hide amongst the huge number of benign emails that busy users receive. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money.
Phishing emails can hit an organisation of any size and type. You might get caught up in a mass campaign (where the attacker is just looking to collect some new passwords or make some easy money), or it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like the theft of sensitive data. In a targeted campaign, the attacker may use information about your employees or company to make their messages even more persuasive and realistic. This is usually referred to as spear phishing.
Make it difficult for attackers to reach your users
Don't let your email addresses be a resource for attackers.
Attackers 'spoof' trusted emails, making their emails look like they were sent by reputable organisations (such as yours). These spoofed emails can be used to attack your customers or people within your organisation.
How do I do this?
Make it harder for emails from your domains to be spoofed by employing the anti-spoofing controls: Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and encourage your contacts to do the same.
Reduce the information available to attackers
Attackers use publicly available information about your organisation and users to make their phishing (and particularly spear phishing) messages more convincing. This is often gleaned from your website and social media accounts (information known as a 'digital footprint').
How do I do this?
Consider what visitors to your website need to know, and what detail is unnecessary (but could be useful for attackers). This is particularly important for high profile members of your organisation, as this information could be used to craft personalised whaling attacks (a type of spear phishing that targets a big phish, such as a board member who has access to valuable assets).
Help your staff understand how sharing their personal information can affect them and your organisation, and develop this into a clear digital footprint policy for all users. The Centre for the Protection of National Infrastructure’s (CPNI) Digital Footprint Campaign contains a range of useful materials (including posters and booklets).
Be aware of what your partners, contractors and suppliers give away about your organisation online.
Filter or block incoming phishing emails
Filtering or blocking a phishing email before it reaches your users not only reduces the probability of a phishing incident; it also reduces the amount of time users need to spend checking and reporting emails. Your filtering/blocking service might be a cloud-based email provider's built-in service or a bespoke service for your own email server.
How do I do this?
Check all incoming emails for spam, phishing and malware. Suspected phishing emails should be filtered or blocked before they reach your users. Ideally, this should be done on the server, but it can also be done on end-user devices (ie in the mail client).
For inbound emails, honour the anti-spoofing policies published by the sender's domain. If that domain publishes a DMARC policy of quarantine or reject, apply that disposition whenever the validation checks fail.
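The two DMARC-related points above (publishing SPF/DMARC records for your own domains, and honouring the sender's DMARC policy on inbound mail) can be made concrete in a small script. The following is an added example, not code from the original page or from the NCSC. The DNS records and message details are constructed for illustration; a real receiver would look the records up in DNS, and the organisational-domain logic is simplified to the last two labels where a production implementation would use the Public Suffix List.

```python
"""Parse SPF and DMARC TXT records, flag weak settings, and decide the
inbound DMARC disposition for a message.

Added example; not code from the original page or the NCSC.
The DNS records below are constructed; real code would query DNS.
"""

# Constructed TXT records, keyed by the DNS name they would live at.
# 'example.com' is a well-configured domain; 'weak.example' shows the
# settings that leave a domain open to spoofing.
CONSTRUCTED_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r",
    "weak.example": "v=spf1 +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}


def parse_spf(record):
    """Return the list of SPF mechanisms, raising if this is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def parse_dmarc(record):
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def spf_weaknesses(record):
    """Flag SPF settings that let unlisted hosts send as the domain."""
    findings = []
    all_terms = [t for t in parse_spf(record) if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("'+all' authorises every host on the internet")
    elif all_terms[-1] == "?all":
        findings.append("'?all' gives unlisted senders a neutral result")
    return findings


def dmarc_weaknesses(record):
    """Flag DMARC settings that only monitor instead of protecting the domain."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua address: you receive no aggregate reports")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


def organisational_domain(domain):
    """Simplified (assumption): last two labels. Real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    only needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organisational_domain(auth_domain) == organisational_domain(from_domain)


def dmarc_disposition(from_domain, spf_pass_domain, dkim_pass_domain, dns=CONSTRUCTED_DNS):
    """Decide what a receiver should do, honouring the From domain's policy.

    spf_pass_domain / dkim_pass_domain: the domain that produced a passing
    SPF / DKIM result, or None if that check failed.
    Returns 'deliver', 'quarantine', 'reject', or 'none' (no DMARC record).
    """
    record = dns.get("_dmarc." + from_domain.lower())
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]


if __name__ == "__main__":
    for name in ("example.com", "weak.example"):
        print(name, "SPF:", spf_weaknesses(CONSTRUCTED_DNS[name]) or "ok")
        print(name, "DMARC:", dmarc_weaknesses(CONSTRUCTED_DNS["_dmarc." + name]) or "ok")
    print(dmarc_disposition("example.com", None, None))  # both checks failed
```

Note that a DKIM pass from `mail.example.com` does not rescue a message from `example.com` here because the constructed record sets `adkim=s`; with the default relaxed mode it would. That is the kind of setting a domain owner tunes once aggregate reports show which legitimate mail streams fail alignment.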
If you use a cloud-based email provider, ensure that their filtering/blocking service is sufficient for your needs and that it is switched on by default for all your users. If you host your own email server, ensure that a proven filtering/blocking service is in place. This can be implemented locally and/or purchased as a cloud-based service. Again, ensure that it is switched on by default for all your users.
Filtering services usually send emails to spam/junk folders, while blocking services ensure that they never reach your users. The rules determining blocking or filtering need to be fine-tuned for your organisation's needs. If you filter all suspicious emails to spam/junk folders, users will have to manage a large number of emails, adding to their workload and leaving open the possibility of a click. However, if you block all suspicious emails, some legitimate emails could get lost. You may have to change the rules over time to ensure the best compromise, and to respond to your business's changing needs and ways of working.
Filtering email on end-user devices can offer an additional layer of defence against malicious emails. However, it should not be relied on to compensate for ineffective server-based measures, which could block a large number of incoming phishing emails entirely.
Email can be filtered or blocked using a variety of techniques including IP addresses, domain names, email address white/black list, public spam and open relay black lists, attachment types, and malware detection.
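To show how the techniques just listed (IP and domain block lists, an allow list, attachment types, and the upstream DMARC result) combine with the filter-versus-block tuning discussed above, here is an added example that is not code from the original page or from the NCSC. The sample messages, the list contents and the rule-to-action mapping are all constructed; the DMARC disposition is assumed to have been computed upstream by the mail server and supplied as a field on each message, and a spam score is assumed to come from a separate content classifier.

```python
"""Apply a small inbound email rule set and map findings to
'block', 'junk' or 'deliver'.

Added example; not the page's or the NCSC's code. All messages, lists
and thresholds are constructed for illustration.
"""
import ipaddress
from email.utils import parseaddr

# Constructed lists. In practice these come from threat intel feeds,
# public block lists and the organisation's own history.
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed "known bad relay" range
BLOCKED_DOMAINS = {"bad.example"}
ALLOWED_ADDRESSES = {"billing@partner.example"}               # overrides junking, never blocking
DANGEROUS_ATTACHMENTS = {".exe", ".js", ".vbs", ".scr", ".hta"}
SPAM_THRESHOLD = 5.0                                          # assumed score from a content classifier

# The tuning knob the page talks about: which findings are severe enough
# to block outright, and which only divert the message to junk so that a
# legitimate email is not lost.
BLOCK_ON = {"blocked_network", "dangerous_attachment", "dmarc_reject"}
JUNK_ON = {"blocked_domain", "dmarc_quarantine", "spam_score"}


def sender_address(msg):
    """Extract the bare address from a From header such as 'Alice <alice@example.com>'."""
    _, address = parseaddr(msg["from"])
    return address.lower()


def inspect(msg):
    """Return the set of findings for one message (a dict of constructed fields)."""
    findings = set()
    ip = ipaddress.ip_address(msg["client_ip"])
    if any(ip in net for net in BLOCKED_NETWORKS):
        findings.add("blocked_network")
    if sender_address(msg).rpartition("@")[2] in BLOCKED_DOMAINS:
        findings.add("blocked_domain")
    for name in msg.get("attachments", []):
        # Use the final extension so 'update.pdf.exe' is still caught.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in DANGEROUS_ATTACHMENTS:
            findings.add("dangerous_attachment")
    dmarc = msg.get("dmarc")
    if dmarc in ("reject", "quarantine"):
        findings.add("dmarc_" + dmarc)
    if msg.get("spam_score", 0.0) >= SPAM_THRESHOLD:
        findings.add("spam_score")
    return findings


def decide(msg):
    """Map findings to an action. Blocking wins over the allow list so that
    an allow-listed address cannot be used to smuggle in a blocked attachment."""
    findings = inspect(msg)
    if findings & BLOCK_ON:
        return "block"
    if sender_address(msg) in ALLOWED_ADDRESSES:
        return "deliver"
    if findings & JUNK_ON:
        return "junk"
    return "deliver"


def summarise(messages):
    """Count actions, which is what you watch while tuning BLOCK_ON / JUNK_ON."""
    counts = {"block": 0, "junk": 0, "deliver": 0}
    for msg in messages:
        counts[decide(msg)] += 1
    return counts


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"from": "Alice <alice@example.com>", "client_ip": "203.0.113.5",
     "attachments": ["report.pdf"], "dmarc": "pass", "spam_score": 1.0},
    {"from": "HR <hr@example.com>", "client_ip": "198.51.100.7",
     "attachments": [], "dmarc": "pass"},
    {"from": "Invoices <acct@bad.example>", "client_ip": "203.0.113.9",
     "attachments": ["invoice.pdf"], "dmarc": "none"},
    {"from": "IT <it@example.com>", "client_ip": "203.0.113.10",
     "attachments": ["update.pdf.exe"], "dmarc": "pass"},
    {"from": "billing@partner.example", "client_ip": "203.0.113.11",
     "attachments": [], "dmarc": "none", "spam_score": 6.0},
    {"from": "ceo@example.com", "client_ip": "203.0.113.12", "dmarc": "quarantine"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{decide(msg):8} {msg['from']}  {sorted(inspect(msg))}")
    print(summarise(SAMPLE_MESSAGES))
```

Moving a finding from `JUNK_ON` to `BLOCK_ON` (or back) is the whole of the "fine-tuning" step: run the same sample through `summarise` before and after the change and check that the legitimate messages still land in `deliver`.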