As any IT support partner worth their salt will tell you, don’t be fooled by the innocent-sounding name ‘phishing’. It’s called a phishing attack for a reason: the scammers send out a baited hook (usually a deceptive e-mail or a link to a malicious website) in the hope that you or one of your colleagues bite. Phishing is an increasingly sophisticated attempt to gather personal or financial information from individuals, businesses or other organisations by masquerading as contacts you might trust. And although the first incidence of phishing dates back to the 1990s, it’s still one of the most widespread and pernicious threats. The trouble is that the Coronavirus pandemic and the massive upswing in the numbers of us working from home (WFH) that has resulted from it have caused a matching upswing in the number of phishing attacks reported. So, as a leading provider of IT support in the UK, in this blog post we’re going to take a closer look at phishing attacks and how you can prevent them.
Phishing attacks – how to prevent them is always better than having to cure them
According to a 2019 report by Verizon, nearly a third of all data breaches involve phishing attacks, which is why knowing how to prevent them is vital. Phishing attacks have been used against every kind of individual and organisation from celebrities to politicians, government bodies to leading businesses like PayPal and Apple. What’s worse, a successful phishing attack can cost your London-based small to medium-sized business dear in terms of money, time, inconvenience, business disruption and reputational damage.
Understanding the threat
Phishing is the fraudulent attempt to obtain sensitive information or data (such as usernames, passwords or bank account details) from you, via an e-mail or link to a website that purports to come from a trustworthy and legitimate source, whether that’s a colleague or another organisation such as your bank. Although phishing attacks are typically carried out by e-mail, they can also come at you through instant or text messaging.
Why it’s so easy to get phished
As an expert and experienced remote IT support team, we know how ludicrously easy it is for cyber criminals to find ‘phishing kits’ on the ‘dark web’. Even those with minimal technical skills can use them to launch phishing campaigns.
The scammers simply install the kit on a server and send out e-mails to invite you (and usually lots of others) to respond with private or sensitive information.
Many phishing kits enable attackers to ‘spoof’ even the most trusted technology brands like Microsoft, Facebook, PayPal and Dropbox.
One upside of phishing kits is that they allow the ‘good guy’ security teams to find, analyse and track them, as well as who is using them and where they are.
Knowing the common types of phishing attack
The common phishing attack denominator is an e-mail, which looks like it comes from someone or some organisation you’d normally trust. This will usually ask you to click on a link in the e-mail or download a document attached to it.
As the managed IT services partner of many small to medium-sized businesses, we know a phishing campaign will nearly always attempt to get you to:
- Hand over sensitive information
This type of phishing attack is all about getting you to hand over important data, often a username and password, that the attacker can use to breach your systems or accounts; this is why such e-mails often appear to be messages from a major bank. They’ll then take you to a malicious site designed to resemble your bank’s webpage, with the aim of getting you to enter your username and password and so giving the attacker access to your account.
- Download malware
These types of phishing e-mails aim to get you to infect your own computer with malware, with messages that appear to come from, say, colleagues or teams within your organisation, like the HR department.
For instance, you could be sent an attachment that purports to be a job seeker’s CV. These attachments are often .zip files or Microsoft Office documents with malicious embedded code called ransomware. A study back in 2017 suggested that over 90% of phishing e-mails contained ransomware attachments.
Scammers send e-mails on a massive scale in the hope that they get lucky with at least a handful of recipients who become their victims.
Phishing for a specific target
Attackers often hone their message to catch specific individuals and these threats are known as:
- Spear phishing
Cybercriminals identify targets using information they’ve found on sites like LinkedIn, for example. They then use fake addresses to send e-mails that plausibly look like they’ve come from co-workers.
A good example of a spear phishing attack is when the hacker e-mails the finance department and pretends to be the victim’s line manager requesting a large bank transfer on short notice.
- Whaling
This is where a spear phishing attack is aimed at the very big fish in business, such as CEOs or other high-value targets.
Company board members are often the target of such scammers because they have plenty of authority within a business but may not be in the office full-time, and so use their personal e-mail address for business-related correspondence. Also, they often don’t have the usual human (i.e. secretary) or technical (i.e. firewall and antivirus software) defences to count on.
Why phishing has increased since the Covid-19 pandemic
As one of the leading providers of work from home IT support we know how any kind of crisis is a boon to cybercriminals. That’s because they rely on uncertainty, anxiety, deception and creating a sense of urgency to succeed in their phishing campaigns. The Covid-19 pandemic has, therefore, presented the scammers and hackers with the ideal environment to strike.
During such a crisis there’s a hunger for information, guidance and direction from employers, governments and other relevant authorities, which makes any e-mail that appears to be from one of these ‘trusted’ sources seem safe to open. But one careless click can infect your device and network or compromise your account.
This kind of ‘crisis’ problem is exacerbated by more of us working from home, where our IT may well be outside the usual in-house technical protections.
How to prevent phishing attacks
The most vulnerable chink in your cybersecurity armour is human error. Even as a remote IT support partner who implements the most sophisticated technical protection for customers, we know it’s still people who are most likely to carelessly or accidentally click on a malicious link in an e-mail or on a document attached to it.
So, the best way to protect your business, IT infrastructure, data, IP, confidential customer information, financial wellbeing, compliance with the latest data protection regulations (such as GDPR) and your hard earned reputation is through staff training and education.
Therefore, please make sure your team always undertakes these steps when they’re presented with e-mails, texts or any other message they’re unsure about:
- Stop, think and double check. Call or e-mail the originator of the message for confirmation. No colleague or contact, no matter how senior, will mind the extra precaution.
- Check the format of any e-mail and spelling of any URL in a link before they click or enter sensitive information. Spammers often make basic spelling or grammatical errors, as English is not always their first language.
- Watch out for URL re-directs, where they’re subtly sent to a different website with identical design. They should hover over any links before clicking on them, to make sure they go where they say they should.
- ‘Sandbox’ any suspicious inbound e-mail to isolate it before checking its safety.
And NEVER post personal information, like birthdays, holiday plans or – heaven forbid – addresses or phone numbers, publicly on social media.
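As an added example (not part of the original post), here is a small Python checker that automates three of the tell-tales above: a sender display name that borrows a trusted brand but comes from a different domain, link text that shows one address while the href goes somewhere else, and an attachment type that commonly carries malware. The brand list, the domains and the sample message are all constructed for illustration.

```python
import email, re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message) with three tell-tales: a display name
# claiming a bank, link text that differs from the href, and a .zip attachment.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Confirm at <a href="http://examp1e-bank-login.test/verify">https://www.example-bank.test/login</a></p>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"

(zip bytes would go here)
--b1--
"""

TRUSTED_BRANDS = {"example bank": "example-bank.test"}  # brand name -> real domain
RISKY_EXTENSIONS = (".zip", ".docm", ".xlsm", ".js", ".exe", ".html")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    # Crude: keep the last two labels. Enough for this demo; real code would use a public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def analyse(raw):
    """Return (kind, detail) warnings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    sender = msg["From"].addresses[0]
    for brand, real_domain in TRUSTED_BRANDS.items():  # brand in display name, wrong domain
        if brand in sender.display_name.lower() and registered_domain(sender.domain) != real_domain:
            found.append(("sender", f"'{sender.display_name}' sent from {sender.domain}"))
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        shown = urlparse(text.strip()).hostname  # None unless the visible text is itself a URL
        actual = urlparse(href).hostname or ""
        if shown and registered_domain(shown) != registered_domain(actual):
            found.append(("link", f"text shows {shown} but href goes to {actual}"))
    for part in msg.iter_attachments():  # attachment types that commonly carry malware
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            found.append(("attachment", name))
    return found
```

Run `analyse(SAMPLE_EMAIL)` to see all three warnings; an ordinary plain-text message from a colleague returns an empty list.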
As the owner or leader of a small to medium-sized business, you should regularly update your team’s cybersecurity education and training because the threats continue to change and evolve.
You can also penetration test your organisation’s IT to find weak spots and reward good behaviour, perhaps by showcasing a ‘Catch of the Day’ if one of your team spots and stops a phishing e-mail. Both are perfect ways to enhance your team’s cybersecurity training.
More defensive steps you can take
Make these part of your organisation’s regular routine:
- Always install those irritating updates to your devices, applications and network as soon as you receive them.
- Limit who in your team (and contractors, freelancers etc.) has access to what technology and data.
- Track the credentials of all employees, contractors and third parties who have access to your systems, to ensure their identity, expertise and experience are as claimed.
- Prevent your people from installing software or running code on your devices without proper authorisation.
- Filter your organisation’s web browsing traffic via a URL filtering tool to prevent connections to dangerous sites.
The online world brings many cybersecurity threats to your enterprise, particularly from phishing attacks; and especially for your remote workers. Don’t worry though, the technology professionals here at Work From Home IT Support have smart, effective solutions available to keep your business, remote workers and data safe and secure.
At WFH IT Support we provide innovative cybersecurity solutions across the UK such as Microsoft 365 or Google Workspace.
The WFH IT Support service is powered and delivered by the totality services team, which has earned two consecutive Feefo Gold Trusted Service Awards, Five Star ratings from both Trustpilot and Google, a 98% client retention rate and certification to the renowned Cyber Essentials and ISO 27001 standards.
So please don’t hesitate to get in touch for a confidential, no obligation chat about our IT support plans and your cybersecurity requirements.