No one is safe from phishing… Imagine you receive an email from Microsoft, a company that you recognize and trust. The email claims that you have recently requested that your Outlook account be deactivated. If you wish to cancel the deactivation, you need to click on the link provided and enter your email address and password into what appears to be the Outlook login page. You then see a message stating that your pending deactivation request has been cancelled. Seeing this, you let out a sigh of relief and get on with your day.
Little do you know that you have just been a victim of phishing. Your Outlook account has now been hijacked and will be used by criminals to send more malicious emails in your name. This means your whole company is now at risk of a data breach or virus infection, causing major damage that the business may never recover from.
How does phishing work?
Phishing is a notoriously common type of cybercrime in which the target is contacted by someone posing as a trustworthy person or organization and asked to provide sensitive information such as passwords, personal identifiers, banking and credit card details. Criminals use this information to access important accounts, often resulting in huge financial losses and a damaged reputation.
Although most phishing incidents occur via email, some are also carried out via text messages, voicemails, and phone calls. These fraudulent messages typically contain a call to action such as clicking on an embedded link, filling out a form, or downloading a file. Attackers usually set up malicious landing pages that look almost identical to the official web pages of a legitimate brand. Phishing scams have evolved over time and become increasingly hard to detect. Smaller businesses have seen a rise in spear phishing, where an employee receives a malicious email that appears to come from someone they know, such as a colleague, a superior, or a third-party business partner. Unsuspecting victims are more likely to give away confidential information to someone they know.
Phishing is a real danger for businesses
You may think that the chances of being a phishing victim yourself are as small as being struck by lightning. You need to think again… research shows that phishing attempts have increased by 65% in the past year. Phishing scams also have an alarming success rate with 97% of people failing to recognize a sophisticated phishing email. Employees open 1 out of 3 phishing emails they receive and 50% of the time this results in the company’s IT system being hacked or infected with a virus.
Small businesses are especially vulnerable to phishing due to the misguided belief that they don’t have much for hackers to steal and the resulting lack of investment in cybersecurity. It’s not surprising that small businesses tend to use outdated technology, inadequate protection software, and poor security practices. In reality, 43% of cyber attacks target small businesses with phishing being among the most common form of attack.
A successful phishing attack is a major blow to any business, regardless of size. The damage extends beyond the heavy financial losses from legal fees, settlements, and IT system replacements. Companies that are impersonated in phishing attacks against their customers suffer a ruined reputation. They lose hard-won customers, and word of mouth destroys their chance of attracting new ones. Studies confirm that 60% of small businesses close down within six months of a cyber-attack such as phishing. Even if they survive, small businesses are expected to spend an average of $879,582 on recovering from the attack.
How can your business be protected against phishing?
That is the million-dollar question and the answer isn’t straightforward. When it comes to protecting your business from phishing, it’s best to take a holistic approach. Not only does your company need to build a robust cybersecurity system, but every employee also needs to learn how to avoid phishing attacks and deal with the aftermath. Outlined below are best practices that all businesses should start implementing today.
1. Employee education and training
It is vital that employees understand how phishing works and how their actions contribute to either causing or preventing an attack. Employees should learn to review incoming emails and messages with a critical eye – check if any embedded links lead to the official domain of a legitimate organization and scan any files for malware and viruses before downloading. Set limitations on the ability of employees to install new software or download large files.
Employees should be clearly aware of company policies on how financial transactions are conducted. Any monetary transaction requested by email should be verified by a human, either by phone call or in person, so that employees do not transfer funds to a fraudulent recipient.
It is of equal importance for all in the company to be prepared well in advance if a phishing attack were to happen. Develop a well-defined response plan and use simulation exercises to test whether your company is capable of recovering from an attack quickly and with minimal damage. Much like fire drills, simulations allow employees to get practice in following the correct protocols and to identify any areas that require improvement.
2. Email filtering
Spam filters are the first line of defense against phishing attacks. Filtering solutions use a set of rules to determine which incoming messages end up in the spam folder and which reach the Inbox. Businesses should customize their spam filter settings not only according to the volume and types of email they receive but also according to patterns that are distinctive of phishing emails. For example, recent phishing attempts typically appear to be sent from an address on your own domain to another address on your own domain, while the Reply-To address points to an external domain. Your email filter should be blocking these types of emails.
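The two indicators described above, the local-to-local message whose Reply-To is external (this section) and the embedded link whose visible text names the official domain while the href leads elsewhere (item 1), can both be checked mechanically. The following is an added example, not code from the original article or from any vendor's filter; it assumes a company domain of example.com and runs against two constructed messages using only the Python standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed company domain (constructed for this example).
LOCAL_DOMAIN = "example.com"

# Constructed sample modelled on the deactivation lure described in the text:
# From and To are on the local domain, Reply-To is external, and the link text
# shows the official host while the href goes somewhere else.
SAMPLE_PHISH = """\
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Reply-To: helpdesk@mail-recovery.invalid
Subject: Pending account deactivation
Content-Type: text/html; charset=utf-8

<html><body><p>Cancel the deactivation here:
<a href="https://login.mail-recovery.invalid/outlook">https://outlook.example.com/cancel</a>
</p></body></html>
"""

# Constructed benign message: no Reply-To, and link text matches the href host.
SAMPLE_CLEAN = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch
Content-Type: text/html; charset=utf-8

<html><body><p>Menu: <a href="https://intranet.example.com/menu">intranet.example.com</a></p></body></html>
"""


def addr_domain(header_value):
    """Lower-cased domain of an address header; '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg):
    """Decoded text/html part of the message, or '' if there is none."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def reply_to_mismatch(msg, local_domain=LOCAL_DOMAIN):
    """Rule from the text: From and To are on the local domain but Reply-To is not."""
    from_d, to_d, reply_d = (addr_domain(msg.get(h)) for h in ("From", "To", "Reply-To"))
    return bool(reply_d) and from_d == local_domain and to_d == local_domain and reply_d != local_domain


# Host name that appears in a link's visible text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def deceptive_links(html):
    """Links whose visible text names one host while the href leads to another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = (urlparse(href).hostname or "").lower()
        match = HOST_IN_TEXT.search(text.lower())
        shown = match.group(1) if match else ""
        # A sub-domain of the shown host (shown=example.com, real=login.example.com) is fine.
        if shown and real and shown != real and not real.endswith("." + shown):
            findings.append((shown, real))
    return findings


def scan_message(raw):
    """Apply both checks to a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    return {
        "reply_to_mismatch": reply_to_mismatch(msg),
        "deceptive_links": deceptive_links(html_body(msg)),
    }


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, scan_message(raw))
```

On the constructed lure the scan reports both the external Reply-To and the link pair (outlook.example.com shown, login.mail-recovery.invalid real); on the benign message it reports nothing. In a real gateway these findings would feed a scoring rule or a quarantine action rather than an outright drop, since legitimate mail (a ticketing system, a mailing list) can also set an external Reply-To.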
Businesses can also opt for high-end email filters with Advanced Threat Protection for an added level of security. Advanced Threat Protection offers extra filtering capabilities that catch a variety of newly evolved phishing attacks. Unlike standard email filters, which rely on signature-based detection, high-end filters use behavior analysis to profile normal business network communications against abnormal ones and so uncover more sophisticated phishing attacks.
3. System maintenance
Outdated email systems and web browsers are an easy entry point for phishing attacks and the malware used to access confidential data. It is commonly advised to run regular antivirus scans and updates to security software, email systems, operating systems, and web browsers. During a program update, important changes are applied to increase the security of applications on your computer.
4. Email Encryption
Important emails containing payment details, personal details, or other sensitive information should be securely encrypted. This ensures that the passwords or keys required to read these emails stay confidential within the company, so the messages cannot be read from a hijacked account.
5. Data Loss Prevention (DLP)
DLP refers to a system of tools and processes used to ensure sensitive information is not lost, misused, or accessed by unauthorized parties. DLP software monitors emails concerning financial transactions and detects and blocks any attempted data breach immediately.
6. Strong passwords and two or multi-factor authentication
This is one of the simplest ways to increase the security of your business email accounts. Make sure employees use more than one form of authentication when accessing their email account by enabling two- or multi-factor authentication (2FA/MFA) on all email accounts. Set strong passwords of at least eight characters that mix upper- and lower-case letters, digits, and special characters. Passwords should also be changed periodically.
7. Monitor hacker activity
Even if your business is protected from within, your customers may still fall victim to phishing scams that impersonate your brand. To minimize the chances of this happening, your business should monitor websites, forums, blogs, news outlets, social media, and other online platforms for counterfeits of your brand. For example, you may identify fraudulent sites that mimic your company’s official site. From there, you can report the site and get it taken down. Recent advancements in technology have allowed companies to automate this monitoring using machine learning analytics, pattern matching, and computer vision analysis.
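The pattern matching mentioned above can be illustrated with a small look-alike domain classifier. This is an added example, not code from the original article or from any monitoring product; it assumes a brand domain of example.com, uses a constructed list of observed domains in place of a real certificate-transparency or new-registration feed, and takes a two-label shortcut where production code would consult the Public Suffix List.

```python
import unicodedata

# Constructed brand domain and constructed list of observed domains. In practice
# the list would come from certificate-transparency logs, domain-registration
# feeds or passive DNS.
BRAND = "example.com"
OBSERVED = [
    "example.com",                        # our own domain
    "mail.example.com",                   # our own subdomain
    "examp1e.com",                        # digit 1 standing in for letter l
    "exarnple.com",                       # "rn" standing in for "m"
    "examplle.com",                       # one-character typo
    "example-login.com",                  # brand name embedded in a new label
    "example.com.secure-portal.invalid",  # brand domain used as a subdomain
    "xn--exmple-cua.com",                 # constructed punycode (internationalised) label
    "unrelated.invalid",                  # nothing to do with the brand
]

# Character sequences commonly substituted for look-alike ASCII letters.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable(domain):
    """Last two labels of the host name. Assumption: a real deployment would
    use the Public Suffix List instead of this two-label shortcut."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label):
    """Fold visually similar sequences so 'examp1e' and 'exarnple' compare equal to 'example'."""
    label = unicodedata.normalize("NFKC", label)
    for lookalike, plain in SUBSTITUTIONS:
        label = label.replace(lookalike, plain)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(brand, candidate):
    """Return why `candidate` resembles `brand`, or None if it does not."""
    brand_label = brand.split(".")[0]
    cand = candidate.lower().strip(".")
    if registrable(cand) == brand:
        return None  # the brand's own domain or one of its subdomains
    label = registrable(cand).split(".")[0]
    if label.startswith("xn--") or not label.isascii():
        return "idn"  # internationalised label: review its Unicode form by hand
    norm = normalize_label(label)
    if norm == brand_label:
        return "homoglyph"
    if levenshtein(norm, brand_label) <= 1:
        return "typo"
    if any(brand_label in part for part in cand.split(".")):
        return "brand-in-name"
    return None


def find_lookalikes(brand=BRAND, observed=OBSERVED):
    """Map each suspicious observed domain to the reason it was flagged."""
    return {d: reason for d in observed if (reason := classify(brand, d))}


if __name__ == "__main__":
    for domain, reason in find_lookalikes().items():
        print(f"{reason:14} {domain}")
```

Each flagged domain is a candidate for review and, where it hosts a counterfeit of your site, a takedown request. The "brand-in-name" rule is the noisiest of the four (a short brand name will match unrelated words), so in practice it is weighted lower than a homoglyph or single-character typo match.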
Where to from here?
Knowing how to protect your business against phishing and other cybercrimes isn’t the hard part. It’s actioning these security practices that tend to be a major challenge, especially for small businesses. Due to the extensive costs involved in running an in-house IT department, many small businesses choose to outsource IT operations to a Managed Service Provider (MSP) like Insight IT. Our certified engineers specialize in securing your network and email system against cyber threats such as phishing. We take care of the time-consuming and repetitive tasks while you can focus on your work with peace of mind. Go here to find out more about Insight IT and the security services we offer.