Protecting Your Business Against Phishing Attacks
This article will help by providing some answers to these questions:
- Why should I read this?
- What is a Phishing Attack?
- Who is vulnerable to Phishing Attacks?
- How does a Phishing Attack work?
- How can I tell a Phishing email from a genuine one?
- How can I protect myself and my business from a Phishing Attack?
Why should I read this?
Here at PS Tech, we have seen a significant rise in the number of successful Phishing attacks, and they are increasing in frequency and effectiveness. Criminals are actively using this kind of attack to gain access to systems, impersonate senior management and divert money into their own bank accounts. Protecting your business against this type of crime is as important as locking your front door.
Why listen to us? PS Tech supports many small and medium sized businesses with their day to day IT Support needs, along with networks and infrastructure, advising on best practice and strategies to make the most of the technologies available. At the same time, we balance those recommendations with advice to clients on protecting their data and in turn their business from the many types of threat currently being exploited.
We see Phishing attacks causing damage to individuals and businesses. From the embarrassment of being duped by a scammer, to the loss of money or data, and even worse, the damage to reputation, Phishing is a real threat and is increasing in volume. Statistically, the more Phishing attacks there are, the more profitable it will become and the more this type of attack will be used.
Worried? Don’t be. Common sense and a will to beat the scammers will offer you the best protection before you even spend a penny or start digging into the technical solutions. Read on to see what you can do to protect your business against Phishing attacks.
What is a phishing attack?
We’ve all seen the dodgy email from our bank, that doesn’t quite look right, or contains spelling errors. These early attempts at stealing your information are now becoming a thing of the past. Phishing attack emails are now far more sophisticated and look very genuine.
When we use the word attack, don’t think a Phishing attack is accompanied by a loud explosion or sirens. These are very subtle in nature: friendly invitations, attractive offers, time sensitive requests and so on. They look like the normal communications you expect on a day to day basis.
The most common form of Phishing is an attempt to obtain sensitive information such as login credentials or credit card details. Most often this is an email, claiming to be from a trusted source and with a strong call to action. Clicking on the link takes you to a fake website where you are asked to login. However, rather than logging in, you are giving your details to a fraudster.
Phishing attacks may also come in the form of a text message from ‘your bank’ requesting personal details. They may be a phone call from a large company you know or trust asking for access to your computer or for some personal information. Here in the UK, recent examples include callers pretending to be BT, TalkTalk, Microsoft, Symantec and so on.
These Phishing attacks are cleverly crafted by criminals (let’s face it, that is what they are) using social engineering to manipulate a user into doing the wrong thing, potentially costing you a lot of money.
Who is vulnerable to Phishing Attacks?
In short, everyone. You may feel you have nothing to hide, or wonder why a criminal would target you. Let’s face it, criminals don’t care who you are; they only care about what they can take from you or how they can use you to facilitate further attacks on others. Everyone is vulnerable to a Phishing Attack, some more so than others.
Some recent examples we have seen that have been, or almost been successful, include:
Example 1 – Stealing money
An email arrives from a known sender containing a PDF document that needs signing. The user opens the document, which contains a link to sign into Microsoft Office 365 to sign the document. The user clicks the link and the Microsoft Office 365 sign-in page appears… At least, that is what it looks like. The user attempts to sign in but their password is shown as incorrect.
What in fact has happened, is that the user has inadvertently given away their Office 365 email account password. The criminals now have access to the email account and send out to your hundreds of contacts the same email you received with the same PDF containing the dodgy link.
What else do they do once they have access to your email account? They analyse your email, your business, your contacts. Who has access to money? Who makes decisions? Who can instruct money transfers?
If they successfully attack a VIP such as a Director, the CEO, etc. (this is called a spear-phishing attack), they may use their email account and ask the finance team to immediately transfer money to a fake supplier. They may also email key clients from the VIP’s email account and tell them that you have changed your bank details. We have seen businesses lose hundreds of thousands of pounds due to such messages because money from clients settling invoices was paid into the criminals’ bank account and not their own.
They also create email rules so that you never see the messages they send, or the replies received. And there they are… in your email account, constantly reading what goes back and forth.
Read on to see how you can protect yourself against such an attack.
Example 2 – Extortion and Blackmail
An email arrives from someone you do not know. It claims they know your password to certain online services you use or social media accounts, and they quote it in the email. How did they know that!? You gasp. They then claim to have some incriminating footage of you from your web cam that they will send to all of your contacts if you do not send them thousands of dollars’ worth of bitcoin. Surely this must be genuine, they know your password??
Read on to see how they know your password, and what you should be doing instead of paying the blackmail amount.
We also explain simply how you can protect yourself and your business.
Feel free to contact us for help and advice or follow our social links to keep up to date with the latest.
How does a Phishing Attack work?
As already mentioned, Phishing attacks typically arrive in your inbox via email, but can be delivered using a number of methods including social media, SMS message, phone call etc. Let’s focus on the email type. As you can see in the previous examples, the email is cleverly crafted to influence or trap the recipient into performing some wrong action on behalf of the perpetrator. The individuals or organisations who send out phishing emails typically want to gain from their attack. That gain is normally financial. However, they don’t go straight for the jugular. That would be too obvious! This is where the trap comes into play.
Often the email will appear to come from someone you know, or an organisation you trust such as your bank, an e-commerce site, or just an individual or company you deal with who has also been compromised by a phishing attack. Because it appears to come from someone you know, the user inadvertently trusts the sender.
The content of the email or an attachment will lead the user into divulging some critical information such as the password to their email account or some other service. This is done by luring the user to a site to perform some ‘legitimate’ task, such as
- Re-activating your email account
- Signing a document or agreement you are expecting
- Checking the status of an order or delivery
- Downloading an invoice or proof of delivery
- and many other tasks you may perform regularly
Of course, when you click the suggested link to get to the site to sign in to perform the task at hand, even though the site may look genuine, when you log on with your details, the log on process fails. In fact, you were not logging onto anything, you were just handing over the keys to your email, or your e-commerce account etc.
Once an attacker has control of the account in question, they can perform a whole host of negative actions. For example:
- In your e-commerce account, they can purchase a raft of goods using your stored card details
- In your email, they can contact your customers to tell them that you have changed your bank details. This leads to your customers paying invoices to a bank account that is not yours.
- They can send more phishing emails to others in your contact list. These messages come from you!
- They can lure a company user into divulging company IP or other key information
- In the case of a more targeted phishing attack, they can use a VIP’s email account to instruct the financial department to make immediate payments to fictitious suppliers!
How can I tell a Phishing email from a genuine one?
This is a good question, because sometimes they appear to come from people you know, either through careful crafting of the email header, or because the sender’s inbox has been hijacked by the criminals.
The first thing to look for is the style of the language in the message. Strategies that criminals employ to get the user to act include:
- Urgency – The message may indicate the user needs to act quickly
- Authority – The message may appear to come from someone with authority such as your manager, CFO, CEO etc. Check the sender’s email address is 100% correct!
- Timely – Some Spear-Phishing attacks (this is a more targeted form of Phishing) know your daily or company habits or routine. Has the email come at a time you might expect it?
- Curiosity – You know what they say about Curiosity. Don’t be enticed to follow the links or instructions. If in doubt, pause, check, ask.
There are also some additional basic questions you should be asking when evaluating any email received. However, before evaluating anything, if you are in doubt about the authenticity of an email, before clicking on anything, ask your technical support for help and advice.
Here are some questions and checks that may assist:
- Do I trust the sender? (Don’t stop at this question if the answer is yes)
- Does the sender’s email address check out, or does it look slightly different?
- Am I expecting an email from this person, especially on this topic?
- Always be suspicious of links. Hover your mouse over the link to check if it goes to a genuine official web site or not. Often the URLs are crafted to look like a genuine site, so if in doubt… ask!
- Ask yourself, why are they sending me this? If you know nothing about it, delete it. If the message was genuine, the sender will soon get in touch.
- If the message carries a weighty instruction, why not check verbally with the sender before acting on this instruction?
If ever in doubt, just check with your IT Support or the real sender.
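The following Python script is an added example, not code from the original article or from PS Tech. It turns two of the checks above (does the sender’s address look slightly different from a domain you know, and does a link really go where its text says) into a small triage tool; the trusted domains, addresses and links are constructed samples.

```python
"""Triage helpers for two of the checks above: does the sender's domain look
slightly different from a domain we know, and does a link really go where its
text says it goes?  All domains and messages here are constructed samples."""
import re
from urllib.parse import urlparse

# Assumption: the domains this business genuinely exchanges mail with.
TRUSTED_DOMAINS = {"pstech.example", "bank.example", "supplier.example"}

# Look-alike spellings (key) and the characters they imitate (value).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain):
    """Undo common look-alike substitutions so 'exarnple' compares as 'example'."""
    out = domain.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a, b):
    """Levenshtein distance: catches one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """'trusted' for a known domain or its sub-domains, 'lookalike' when it merely
    resembles one (typo, confusable letters, or a trusted name buried inside a
    different domain), otherwise 'unknown'."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if (trusted in domain or normalise(domain) == normalise(trusted)
                or edit_distance(domain, trusted) <= 2):
            return "lookalike"
    return "unknown"


def check_sender(address):
    """Classify the domain of a From header such as 'Name <user@domain>'."""
    match = re.search(r"@([\w.-]+)>?\s*$", address)
    return classify_domain(match.group(1)) if match else "unknown"


def check_link(display_text, href):
    """'mismatch' when the visible text names one site but the href goes to
    another; otherwise classify the href's host like a sender domain."""
    host = (urlparse(href).hostname or "").lower()
    shown = display_text.strip()
    if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown, re.I):
        if "://" not in shown:
            shown = "http://" + shown
        if (urlparse(shown).hostname or "").lower() != host:
            return "mismatch"
    return classify_domain(host)


if __name__ == "__main__":
    # Constructed message: a 'sign this document' lure from a look-alike domain.
    print(check_sender("Accounts <accounts@pstech.exarnple>"))  # lookalike
    print(check_link("https://bank.example/login",
                     "https://bank.example.login-verify.test/"))  # mismatch
    print(check_link("Sign the document", "https://docs.pstech.example/sign"))  # trusted
```

Anything reported as lookalike, mismatch or unknown is a prompt to pause and ask, not a verdict; the checks deliberately err on the side of flagging.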
Here are some DO NOT’s!
- DO NOT just click any link or open any attachment because the sender says you should. Think before you click.
- DO NOT reply to any email you have suspicions over. Speak to the genuine sender verbally to confirm instructions.
- DO NOT be scared or embarrassed to ask for advice. If in doubt, Ask!
- DO NOT panic if you do click a link or open an attachment and then realise it was not genuine. In these instances, just close your browser, shut down your computer and ask for IT advice.
How can I protect myself and my business from a Phishing Attack?
There are several strategies that should be employed by any business. The NCSC’s high-level advice for businesses includes:
- Make it difficult for attackers to reach your users
- Help users identify and report suspected phishing emails
- Protect your organisation from the effects of undetected phishing emails
- Respond quickly to incidents
Here at PS Tech we like to keep things simple to start with. So, some simple things you can employ as individuals and as businesses include:
Never use the same password for more than one service
Many people re-use the same password or a variant of the same password for everything. That is a very bad idea. As you saw in our earlier blackmail example, the criminal, hacker, fraudster, has access to your many accounts with that one password. That password was obtained from a large-scale hack of an organisation in the past. Some well publicised hacks from the past include Yahoo!, TalkTalk, LinkedIn, Dixons CarPhone, Sony and so on. Even though some of these hacks happened a long time ago, people don’t change their passwords regularly, so they are still valid for other systems even today.
Use a Password Manager
Password Managers can create unique and strong passwords. They then store those passwords, meaning you don’t have to remember them all. They employ encryption to store those passwords. You just need to remember the master password used to secure all your other passwords. Make sure that is unique too! There are some good free and pay-for products out there. Do some research online or ask your IT Support partner for further advice.
Use 2-Factor or Multi-Factor Authentication
2Fwhat?? 2-Factor authentication is an additional password that needs to be entered when signing into an online service. For instance, Microsoft Office 365 enables users to use their mobile device to receive a text message or a code via an app. Once the user enters their email address and password, a 2nd one-time password is sent to the mobile device that needs to be entered before access to the account is granted. It is inconvenient, but it is a superb level of additional free security. As the criminals will not have access to the mobile device, they cannot sign in. As a minimum, ensure your Admin users, decision makers and people with access to money have this enabled. Ideally everyone should.
Use an Enterprise-Grade Anti-Virus (Endpoint Security) product
All your computers, desktops, laptops and servers should have a quality endpoint security product installed and configured. Relying on the integrated protection of your operating system is not an adequate protection against the many different types of threat currently out there.
PS Tech offer a number of products that provide best-in-class protection, based on your need and budget. At the end of this article are some solutions that provide excellent protection to our clients. If you would like to know more, please get in touch.
Communicate your processes
In our earlier example, criminals duped clients into changing the bank account where they paid invoices to. How would you feel if your clients were paying your invoices to someone else, and then they claim that this is your fault because one of your email addresses was used to communicate new bank details? We have seen just this. A simple suggestion to cover your bases is to communicate to your contacts that you will never send critical information or changes just by email. They will be confirmed or followed up verbally or in writing in the post. Of course, there are other processes that you may need to review to ensure they cannot be misused, and someone loses out.
Train, Train, Train
Train your users on how to identify phishing emails, understanding the risk phishing emails present and what to do, either if something has been clicked, or who to ask for advice if they are not sure about an email. Do not punish users or have a culture that forces users to keep security events ‘quiet’.
Patch your systems
Ensure your IT systems are patched and kept up to date. This will ensure the chances of malware infecting your system due to the actions of a user are kept to a minimum. Not patching your systems is like leaving the front door wide open and placing a neon sign above, just in case no-one saw the open door. Most well publicised malware, phishing and ransomware attacks are successful because the systems were not patched. Also employ a replacement strategy for all of your IT hardware. Eventually it reaches end of life and is no longer patchable, or there may be other reliability or capacity concerns.
Backup your data
This really should be the number 1 tip. Any business who does not back up their data is walking a very dangerous tight-rope. A Phishing attack could see your data deleted, permanently. Don’t just back up the obvious either. Ensure your cloud services are included in your backup strategy. Just because data is in the cloud, doesn’t mean it is safe and easily recovered. Most cloud providers protect themselves with very limited retention policies and recovery time guarantees.
Remove Admin Rights
Yes, that’s right, remove the rights to install software and make system changes for everyone, and we mean everyone, including the boss. You lead from the top, so senior management should follow the same rules they create for everyone else. You can create special accounts for administering or making changes to your IT systems, just only use them for specific tasks, and at all other times use ‘Standard’ accounts.
Partner with a trusted IT Support provider
Their advice and experience are invaluable. Don’t use a friend of a friend. He will get sick of out of hours calls and favours, and he won’t always respond when you need him most. Plus, avoid ad-hoc use of multiple companies which is potentially a GDPR failure. Speak to PS Tech today about our plans for supporting business IT systems and users.
These simple tips should be the foundation of your strategy to protect your business from a successful Phishing attack. There are some more advanced things you can investigate that will further improve the defences:
- Employ email anti-spoofing techniques, SPF, DKIM and DMARC. Ask your partner companies to do the same. Make sure the configuration of these technologies meets your needs as they are not simply an on or off setting.
- Block or filter incoming spam emails, emails with malware and phishing emails. Utilise filtering solutions by your email provider, understand their features and if necessary use a third-party solution to provide an additional layer if the risks are deemed high.
- Analyse your digital footprint, and those of your users, contractors, customers and suppliers. Is there more information about your business on your web site, social media etc, than there needs to be? Is this giving attackers an advantage?
- Follow best practice to ‘lock down’ your applications to reduce the probability of malware successfully running. As an example, disable macros in Microsoft Office (this is set by default, but can be overridden).
- Design your network (file shares, user groups, server access etc.) to reduce the impact of a successful attack.
- Use a DNS service that stops web site addresses that are known to host malicious content from being resolved. There are several services that are free to use, and there is also one for Public Sector organisations funded by the NCSC.
- Enable 2FA (Two Factor Authentication, or Multi Factor Authentication) on systems that offer this function. This prevents an attacker from accessing a user’s account by just having a stolen password. Also employ additional authentication technology where appropriate such as Biometrics or Smartcards.
- Have a process to disable or remove accounts in systems that are no longer needed, such as when someone leaves the business, or you migrate to a new service.
- Implement a password policy to ensure users can change their passwords, and that they are complex enough with restrictions. The NCSC advises that if you are using 2FA, the need to change passwords is reduced.
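The anti-spoofing point above says SPF, DKIM and DMARC are not simply on or off. As an added example (not from the original article or the NCSC guidance), this Python snippet parses SPF and DMARC TXT records and flags the settings that still leave a domain easy to spoof. The records are constructed samples and nothing is looked up in DNS; the severities are this example’s own labels.

```python
"""Check SPF and DMARC records for the weak settings that leave a domain easy
to spoof.  The records below are constructed samples; nothing is looked up in DNS."""

# SPF terms that each cost one of the 10 DNS lookups allowed by RFC 7208.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Split a 'v=spf1 ...' TXT record into its mechanisms and the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"valid": True, "mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a {tag: value} dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Return (severity, finding) pairs; an empty list means no weak setting was found."""
    findings = []
    spf = parse_spf(spf_record or "")
    if not spf["valid"]:
        findings.append(("high", "no SPF record: receivers cannot tell which servers may send for you"))
    else:
        if spf["all"] == "+":
            findings.append(("high", "SPF ends in +all, which authorises every server on the internet"))
        elif spf["all"] in (None, "?"):
            findings.append(("medium", "SPF has no -all or ~all, so unlisted senders are treated as neutral"))
        elif spf["all"] == "~":
            findings.append(("low", "SPF ends in ~all (softfail); use -all once every legitimate sender is listed"))
        lookups = sum(1 for m in spf["mechanisms"]
                      if m.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_MECHANISMS)
        if lookups > 10:
            findings.append(("high", f"SPF needs {lookups} DNS lookups; more than 10 is a permanent error"))

    dmarc = parse_dmarc(dmarc_record or "")
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append(("high", "no DMARC record: SPF/DKIM failures are neither enforced nor reported"))
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append(("medium", "DMARC policy is none (or missing): it only monitors, spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(("low", "DMARC p=quarantine sends spoofed mail to junk; p=reject blocks it"))
        if "rua" not in dmarc:
            findings.append(("low", "no rua= address: you receive no reports showing which senders fail"))
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(("low", f"pct={pct}: the policy is applied to only {pct}% of failing mail"))
    return findings


if __name__ == "__main__":
    # Constructed records for a domain that has merely 'switched SPF and DMARC on'.
    for severity, text in assess("v=spf1 include:_spf.mailprovider.example ~all", "v=DMARC1; p=none"):
        print(f"[{severity}] {text}")
```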
The NCSC provide a detailed breakdown of how each of these topics can be implemented here:
How can PS Tech help?
PS Tech can provide help and assistance with any of these suggestions mentioned above. In particular, we offer Endpoint Security Solutions and Support Plans to ensure you get the right advice, along with responsive and proactive support from our team here in the UK.
Endpoint Security Solutions
The most popular solution we offer to small and medium sized businesses is the Sophos Security range of products. The cloud managed Sophos Central suite of tools offers best-in-class protection for all of your computers, servers and mobile devices. Protection includes real-time file protection, web protection, real-time anti-ransomware protection, and the ability to manage device security including managing apps and peripherals. On top of that, a Device Encryption solution ensures your Windows computers’ data is encrypted and remains so.
An alternate solution which may prove more attractive to those on a smaller budget is our Monthly Managed Anti-Virus solution based on the reputable BitDefender security engine. This has a low monthly cost payable for each device protected.
With our support plans we can monitor and proactively deal with threats that appear on your network with either of these two solutions.
Every business and individual should back up their data. The best form of backup is a 2nd copy of your data taken automatically and held off-site. File Sharing/Syncing apps such as Dropbox, OneDrive, SharePoint etc. are not a backup. In fact, if you use cloud services such as these, you should back them up properly too.
PS Tech offer a number of cost effective and flexible backup solutions. These include:
- Pro Backup Home – a low cost automatic backup solution for your home computers to back up data to the cloud securely
- Pro Backup Business – a flexible and low-cost automatic backup solution for all of your business computers and servers
- Pro Backup Server – a highly configurable backup solution for your Windows and Mac Servers
- Pro Backup 365 – a cloud to cloud backup solution for data held in your Office 365 or GSuite environments
All our backup solutions are GDPR compliant and available on monthly or annual plans. Do not delay! Speak to one of our team today about the best option to ensure you do not lose data as a result of a mistake, a phishing attack, ransomware attack or some other form of data loss.
If you are looking for an IT Support partner to provide your business with proactive IT Support, then look no further. Many words describe our service, including friendly, cost effective, professional and proactive. But more importantly, we do live up to these descriptions. We have different plans that can be tailored to your needs and budget. Once you have a plan in place, PS Tech will perform constant monitoring of your systems, patching them and backing up your data securely. Plus, with our Monthly Support Plans, users get unlimited remote support, with discounted on-site visits available if needed. It doesn’t cost the earth, and we know you will be impressed by the professionalism of our team and processes. Please contact us to discuss joining the hundreds of other companies who rely on us for their day to day IT Support needs.
If you found this article useful, please follow us on our Social Media feeds to stay in touch. Depending on your choice of platform, you can find us at:
Speak to us about any of the suggestions or products referred to above.
Above all, be careful and stay safe.