The stats don’t lie. Phishing attacks account for 49% of cybercrime, making them by far the biggest threat to your company’s cyber security. And even the big players aren’t safe – Google Docs users were hit by a large-scale phishing scam just this year. With 66% of small businesses reporting that they’ve suffered from a digital security breach, phishing is a threat that must be taken very seriously by companies large and small.
What are phishing attacks, and why are they so dangerous?
As cyber security experts know only too well, phishing is a scam in which a message that appears to come from a trusted organization either asks the recipient for sensitive or valuable data, such as user credentials or payment details, or tricks them into installing malicious software on their workstation, giving the attacker a foothold on the internal network.
We sign in and out of trusted services and receive emails as employees on a daily basis, so it is no great surprise that many users don't always check their legitimacy, and this is exactly why phishing attacks are so often successful. By mimicking recognized brands or emails from fellow employees, phishers can fool some users into believing they are safe, when in fact they are giving away personal data and network access that can be used against them or, in many cases, against the company where they work.
While for an individual, falling prey to a phishing scam can be inconvenient, perhaps even infuriating, it can have devastating consequences for a company. Losing payment information can result in significant financial losses, as can an attacker gaining access to, and eventually full control of, an internal network. Login details falling into the wrong hands can mean the loss of sensitive or valuable data, or even customers' personal information, which can bring huge legal costs, significant outlay for disaster recovery and business continuity, and a PR nightmare that could well be impossible to recover from.
How can you protect your company from phishing attacks?
There are two scenarios you might need to protect against: staff falling for a phishing email, and your customers being caught out by phishers who persuade them that they are signing into your services when in fact they are giving away their login data.
The latter generally applies to high-profile companies with large user bases, like Google Docs, whose users were recently caught out by an intricate phishing scam that used their existing email contacts to trick them into handing over access to their accounts. If you fall into this category, you can warn customers about the risks of phishing, tell them what your communications will look like and which data you will and will not request from them, identify attempted scams early so you can minimize damage, and freeze accounts that may already have been compromised.
This article focuses on how to protect yourself from breaches caused by employees who are unaware of the dangers of phishing, or who give away valuable company data because they are not paying attention. Here are 3 tips to help you avoid these incidents, which can happen in the blink of an eye but have catastrophic consequences for your company:
1. Train your staff on the dangers of phishing
Employees are one of the most common cyber security risks for companies, because all it takes for a breach to occur is one careless or uninformed action. It is vital that staff are aware of the most common forms of attack and how to avoid falling for them. Phishing emails and fake web pages may contain out-of-date branding or poor grammar and spelling, so this is always worth watching out for, although a well-crafted phishing email will show none of these signs. More reliably, the sending address and the links in a phishing email will usually not belong to the service provider being imitated, so staff should be taught to check the actual sender domain rather than the display name, and to hover over a link to see where it really points before clicking it. A great place to start is the cyber security training published by the UK government on GOV.UK, which provides an abundance of information for various departments and businesses of all sizes.
2. Be aware of the different types of phishing scam
Phishing comes in various forms, and part of staying safe involves knowing what to look out for. The most common method is an email with an enticing subject line, posing as a recognized service provider, that asks users to click on a link and enter their login details. Some campaigns are more targeted, using individuals' personal information or existing email contacts, as in the Google Docs example; this is known as spear phishing. It is also possible to fall victim via a click-through to a fake web page, or via 'malvertisements' containing a link that downloads malware capable of accessing sensitive data.
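The checks described under tips 1 and 2 (sender domain versus display name, link text versus real destination, mismatched Reply-To, attachments that deliver malware) can be turned into a first-pass triage script. The following Python is an added example, not code from the original article: the brand list, the risky-extension list, the registrable-domain heuristic and both sample messages are constructed for illustration and are deliberately simple.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands this (hypothetical) organisation expects mail from, with their legitimate domains.
TRUSTED_BRANDS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com", "office.com"}}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".docm", ".xlsm")  # common malware carriers


def registrable_domain(host: str) -> str:
    """'example.net' from 'login.paypal.com.example.net'. Crude (no public suffix
    list), adequate for a triage heuristic, not for a production mail filter."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def triage(raw: bytes) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    display_name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    # 1. The display name invokes a brand the real sending domain does not belong to.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")
    # 2. Replies are steered to a domain other than the apparent sender's.
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    reply_domain = registrable_domain(reply_to.rpartition("@")[2]) if reply_to else ""
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender {sender_domain}")
    # 3. Links whose visible text or branding does not match the real destination.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = LinkExtractor()
        parser.feed(html_part.get_content())
        for text, href in parser.links:
            host = urlparse(href).hostname or ""
            target = registrable_domain(host)
            if host.startswith("xn--") or ".xn--" in host:  # punycode lookalike domain
                findings.append(f"punycode hostname in link: {host}")
            shown = re.search(r"https?://([^/\s]+)", text)
            if shown and registrable_domain(shown.group(1)) != target:
                findings.append(f"link text shows {shown.group(1)} but points to {host}")
            else:
                for brand, domains in TRUSTED_BRANDS.items():
                    if brand in (text + host).lower() and target not in domains:
                        findings.append(f"link mentions '{brand}' but resolves to {target}")
                        break
    # 4. Attachments of types commonly used to drop malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")
    return findings


def build_phish_sample() -> bytes:
    """Constructed phishing-style message (illustrative, not a real capture)."""
    m = EmailMessage()
    m["From"] = "PayPal Support <alerts@paypa1-secure.example.net>"
    m["To"] = "finance@corp.example"
    m["Reply-To"] = "refunds@mail-collector.example.org"
    m["Subject"] = "Action required: your account has been limited"
    m.set_content("Please view this message in an HTML-capable client.")
    m.add_alternative('<p>Dear customer, confirm your details at <a href='
                      '"http://login.paypal.com.verify-account.example.net/">'
                      "https://www.paypal.com/signin</a> within 24 hours.</p>", subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Invoice_4471.pdf.exe")
    return m.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed legitimate internal message, for comparison."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "IT Helpdesk <helpdesk@corp.example>", "finance@corp.example", "Planned maintenance"
    m.set_content("The file server will be offline on Saturday from 08:00 to 10:00.")
    return m.as_bytes()


if __name__ == "__main__":
    print(*triage(build_phish_sample()), sep="\n")
    print("benign:", triage(build_benign_sample()))
```

Run directly, the script lists the four indicators the constructed lure triggers and an empty result for the benign message. The heuristics are the same ones staff are taught to apply by eye; they catch the common case and will miss a well-crafted lure sent from a compromised legitimate account, which is why this is a triage aid for the helpdesk or SOC rather than a replacement for the mail filter.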
3. Make sure your systems are protected
Basic good cyber security practice to secure your systems will go a long way towards reducing both the likelihood and the impact of phishing attacks. This means:
Having strong email spam filters
Keeping your antivirus software up to date
Blocking websites that are known to be fraudulent
Keeping your operating systems and web browsers updated
Implementing strong egress filtering so that workstations can only make the outbound connections they legitimately need (for example web traffic via a proxy and DNS via internal resolvers), denying malware the direct connections it relies on to fetch further payloads, call home or exfiltrate data
Adding Multi-Factor Authentication (MFA) so that even if an attacker obtains credentials, they cannot be used on their own to gain VPN, email or other remote access; phishing-resistant methods such as FIDO2 security keys are preferable to one-time codes, which a fake login page can simply relay to the real service
Staying informed on the latest tricks being used by phishers and educating employees of these tricks
Ensuring that staff use a strong, unique password for each service and change it promptly whenever a compromise is suspected (current NCSC guidance advises against forcing routine password changes, which tend to produce weaker, predictable passwords)
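The egress-filtering item above is the one most often got wrong in practice: the aim is not to stop all outbound traffic but to allow only the connections workstations legitimately need and to deny, and log, everything else, because a phished workstation that can reach arbitrary internet hosts directly can fetch a second-stage payload, contact a command-and-control server or exfiltrate data. The nftables ruleset below is added here as an illustration and is not taken from the article or from any vendor guidance; the workstation subnet, resolver and proxy addresses are assumed.

```nft
# Assumptions (not from the article): 10.10.0.0/16 is the workstation LAN,
# 10.0.0.53 is the internal DNS resolver, 10.0.0.10 is the web proxy that
# enforces the fraudulent-site blocklist. Loaded on the perimeter firewall.
table inet egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Workstations may only resolve names through the internal resolver ...
        ip saddr 10.10.0.0/16 ip daddr 10.0.0.53 udp dport 53 accept
        ip saddr 10.10.0.0/16 ip daddr 10.0.0.53 tcp dport 53 accept

        # ... and may only reach the web through the filtering proxy.
        ip saddr 10.10.0.0/16 ip daddr 10.0.0.10 tcp dport 3128 accept

        # Everything else from the LAN (direct HTTPS to an unknown host, SMTP to an
        # attacker's relay, DNS to a public resolver) is logged and dropped, so a
        # phished workstation's attempts to call home show up in the firewall log.
        ip saddr 10.10.0.0/16 log prefix "egress-denied " counter drop
    }
}
```

The log prefix is what makes this useful for detection as well as prevention: a burst of "egress-denied" entries from a single workstation shortly after a user reports a suspicious email is a strong signal that the lure succeeded and the machine should be isolated.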
Take the threat of phishing attacks seriously
Phishing and other cybercrime can often seem like a remote possibility, but the figures show that it is a very real danger for organizations of all sizes. It is easy to sit back and adopt the attitude that it won't happen to you, but you may well regret it if you do. Not only are you likely to be the target of an attack sooner or later, but when it does happen it could cause irreparable damage. Neglecting your cyber security simply isn't worth the risk.