According to a recent report, 90% of all data breaches can be traced back to phishing attacks. Despite how common they are, however, few businesses know how to effectively protect themselves from this damaging cybercrime.
With the average cost of a successful phishing attack now standing at $1.6 million for a medium-sized business, it’s vital that you know how to identify a phishing scam and educate your employees about the risks they pose.
What is a phishing scam?
Phishing is a type of cybercrime in which an individual is contacted by someone who has adopted the guise of a respected institution, organization or individual in order to lure the target into giving confidential information – including passwords, banking details and personally identifiable information – to the hackers.
This information will then be used to access the accounts of the target, often leading to significant financial loss. When targeting businesses, phishing scams can also lead to the loss of sensitive company information, such as revenue figures.
Phishing scams were traditionally only carried out via email. However, in recent years there has been a significant rise in the number of phishing scams being carried out via text message (smishing) and phone calls (vishing).
Additionally, the occurrence of spear phishing – personalized phishing attacks which deliberately focus on a specific, carefully chosen target – has risen dramatically.
From messages ostensibly from your bank asking you to update your account information, to those supposedly from your employer asking you to sign an important document, the prompts used in phishing attacks are both varied and often difficult to identify.
Phishing Scams & Ransomware
As well as gaining invaluable confidential information from the target, phishing scams can also be used to deliver ransomware onto your device.
Ransomware is a specific form of malware that encrypts your data, meaning you can no longer access your files and information. The cyber criminals will then demand the payment of a “ransom” for these files to be decrypted, though paying the ransom is definitely not recommended.
According to a 2016 report by PhishMe, 93% of all phishing emails contained ransomware. As the cyber attack on the NHS showed in 2017, ransomware has the capacity to bring even the largest of organizations to a standstill.
Ransomware is most often spread by attachments located in the fraudulent emails. Once opened, these files will then begin to download the ransomware directly on to the device. With the risks associated with phishing scams being so high, it’s essential that you know how to identify a phishing scam.
Four steps to identifying a phishing email
1. Spelling and grammar mistakes
One of the easiest ways of knowing whether the message you’ve received is legitimate is by reading it closely. If you get an email from your bank asking you to update personal details, it is unlikely that they would contain spelling and grammar mistakes.
It’s worth remembering that even though the hackers may have adopted the display name of the genuine person or organization, that does not guarantee that the message is from them. By using complex subdomains, the sender can often make their address appear to belong to someone they’re not.
Similarly, if you receive an email that’s supposedly from a colleague at an unusual time that contains unusually poor spelling, then be cautious and check first with the sender before clicking on any links contained within the email.
2. Unwarranted sense of urgency
Hackers will often try to use a sense of urgency to make you miss the more obvious telltale signs that it’s a fake. A particularly common way of doing this is by suggesting that your account has been hacked and needs to be reset.
Another common way of creating a sense of urgency is by promising time-specific promotions, prizes or rewards. By doing so, they intend to lure you into providing information without properly checking the links, attachments and files contained within the email or text.
3. Threatening messages
Another popular way cyber criminals attempt to get you to give away your personal information or download malicious attachments is by directly threatening you.
A common sextortion scam involves a hacker stating that they have recorded you watching pornographic material online and will send it to your contacts if a payment is not made directly to them.
In one variation of this scam, the hackers attached a file which they claimed was proof of the video. Once this file is downloaded, it installs ransomware on your computer, locking all of your data – despite them never having had any incriminating videos at all.
4. Strange attachments
If you ever receive an email from someone that you don’t know, don’t open any attachments contained within it. Be especially wary if the attached file has an unusual name.
The same applies if the message contains a URL. Hover your mouse over the link and check that it actually leads to the page it claims to. It’s also important to make sure that the site has an SSL certificate and the URL begins with HTTPS, bearing in mind that HTTPS only shows the connection is encrypted, not that the site is genuine.
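The sender-address and link-hover checks described above can be automated for incoming mail. The following is an added example, not code from the original article: it parses a constructed sample message and flags an untrusted sender domain, a link whose visible text points somewhere other than its real target, a missing HTTPS scheme, and a trusted brand name buried as a subdomain of an unrelated domain. `TRUSTED_DOMAINS` and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims to be a bank,
# but both the sender address and the link target belong to an unrelated domain.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure.co.example>
To: user@example.org
Subject: Urgent: verify your account within 24 hours

Your account has been locked. Log in now to restore access:
<a href="http://examplebank.com.verify-login.example/reset">https://www.examplebank.com/login</a>
"""

# Assumption for this example: domains the recipient genuinely deals with.
TRUSTED_DOMAINS = {"examplebank.com"}


def registered_domain(host: str) -> str:
    """Crude 'last two labels' heuristic (no public-suffix list); enough to expose subdomain tricks."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable warnings for the tell-tale signs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain '{sender_domain}' is untrusted despite display name '{display_name}'")
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', body, flags=re.I):
        target = urlparse(href)
        host = (target.hostname or "").lower()
        target_dom = registered_domain(host)
        if target.scheme != "https":
            findings.append(f"link {href} does not use HTTPS")
        # The "hover" check: does the text the reader sees match where the link really goes?
        shown = urlparse(text.strip() if "://" in text else "http://" + text.strip())
        if shown.hostname and registered_domain(shown.hostname) != target_dom:
            findings.append(f"link text shows {shown.hostname} but points to {host}")
        # A trusted brand used as a subdomain of some other registered domain.
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and target_dom != trusted:
                findings.append(f"'{trusted}' appears inside untrusted host {host}")
    return findings
```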
How to protect against phishing scams
Even though the messages sent by the cybercriminals will often give away their true intentions, some may be so well crafted that simply looking out for the above tell-tale signs may not be enough.
Luckily, there are several options available that can help you bolster your chances of staying protected from phishing scams.
1. Email filters
Using an email filter alone won’t guarantee that you don’t receive any malicious emails, but it certainly helps. Some email providers have more effective spam and junk mail filters, so it’s worth researching before choosing which email service you want to use.
If you are particularly concerned about the dangers of phishing emails, you can disable all hyperlinks on your email settings. Though this will prevent the messages from incorporating any dangerous links, it also means that you won’t be able to receive links from legitimate senders.
2. Antivirus software
Having up-to-date antivirus software isn’t just important for protecting your business from phishing attacks; it will help protect against all sorts of dangerous threats. Some antivirus software even comes equipped with anti-phishing capabilities which will scan email attachments to check whether they are dangerous or not.
Make sure that you regularly scan your device too, as many phishing scams can go unnoticed without regularly checking your device.
3. Use a VPN
A Virtual Private Network (VPN) is an important piece of software for maintaining security while online, particularly if you use public WiFi connections to access sensitive information.
Never log in to your bank account or access sensitive company information while on an unsecured network. Doing so not only puts you at risk from phishing attacks but also man-in-the-middle attacks and other malicious practices.
4. Educate your employees
Educating your employees is arguably the most important step in the whole process. Although you may recognize the signs of a fraudulent email, if your colleagues don’t then your network is at risk.
A good way of ensuring that your entire workforce understands the risks and knows how to identify a phishing scam is by running simulated phishing tests. Doing so allows you to be confident that everyone in your office recognizes the risks.
Ultimately, human error is the biggest risk to your company’s data integrity and without adequate training, your company is likely to remain one of the thousands that falls victim to phishing scams each year.