How does a Phishing Attack work?
As already mentioned, phishing attacks typically arrive in your inbox via email, but they can be delivered by a number of other methods, including social media, SMS messages and phone calls. Let’s focus on the email type. As you can see in the previous examples, the email is carefully crafted to influence or trap the recipient into performing an action that benefits the perpetrator. The individuals or organisations who send phishing emails want to gain from their attack, and that gain is normally financial. However, they don’t go straight for the jugular, because that would be too obvious. This is where the trap comes into play.
Often the email will appear to come from someone you know or an organisation you trust, such as your bank, an e-commerce site, or an individual or company you deal with whose own email account has been compromised by an earlier phishing attack. Because it appears to come from someone you know, the recipient inadvertently trusts the sender.
The content of the email or an attachment will lead the user into divulging some critical information such as the password to their email account or some other service. This is done by luring the user to a site to perform some ‘legitimate’ task, such as
- Re-activating your email account
- Signing a document or agreement you are expecting
- Checking the status of an order or delivery
- Downloading an invoice or proof of delivery
- and many other tasks you may perform regularly
Of course, when you click the suggested link, the site you land on may look genuine, but when you enter your details the sign-in fails (or, just as often, the fake page silently forwards you to the real site so that it looks like a glitch and you simply try again). In fact, you were not signing in to anything; you were handing over the keys to your email, your e-commerce account and so on.
Once an attacker has control of the account in question, they can perform a whole host of harmful actions. For example:
- In your e-commerce account, they can purchase a raft of goods using your stored card details
- In your email, they can contact your customers to tell them that you have changed your bank details, leading your customers to pay invoices into a bank account that is not yours.
- They can send more phishing emails to others in your contact list. These messages come from you!
- They can lure a company user into divulging company IP or other key information
- In a more targeted phishing attack, they can use a VIP’s email account to instruct the finance department to make immediate payments to fictitious suppliers!
How can I tell a Phishing email from a genuine one?
This is a good question, because they sometimes appear to come from people you know, either through careful crafting of the email headers or because the sender’s mailbox has been hijacked by the criminals.
The first thing to look for is the style of the language in the message. Strategies that criminals employ to get the user to act include:
- Urgency – The message may indicate the user needs to act quickly
- Authority – The message may appear to come from someone with authority, such as your manager, CFO or CEO. Check that the sender’s email address is 100% correct, not just the display name!
- Timing – Spear-phishing attacks (a more targeted form of phishing) are often timed to fit your daily or company routine. Has the email arrived when you would expect it?
- Curiosity – You know what they say about Curiosity. Don’t be enticed to follow the links or instructions. If in doubt, pause, check, ask.
There are also some basic questions you should ask when evaluating any email you receive. If you are in any doubt about the authenticity of an email, ask your technical support for help and advice before clicking on anything.
Here are some questions and checks that may assist:
- Do I trust the sender? (Don’t stop at this question if the answer is yes)
- Does the sender’s email address check out, or does it look slightly different (an extra letter, a swapped character, a different domain)?
- Am I expecting an email from this person, especially on this topic?
- Always be suspicious of links. Hover your mouse over the link and check the address shown in the status bar, not the link text, to see whether it really goes to the genuine site. URLs are often crafted to look like a genuine site, so if in doubt… ask!
- Ask yourself, why are they sending me this? If you know nothing about it, delete it. If the message was genuine, the sender will soon get in touch.
- If the message carries a weighty instruction, why not check verbally with the sender before acting on this instruction?
If ever in doubt, just check with your IT Support or the real sender.
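To make the ‘hover over the link’ check concrete, here is an added example (our own illustration, not part of the original article or any product it mentions) of the tests a mail filter or a curious user can apply to each link in an HTML email: a brand name buried in someone else’s domain, digit-for-letter look-alikes, a bare IP address, text before an ‘@’ sign, and link text that shows one site while the real target is another. The allow-list, the domain names and the sample email body are all constructed for the example, and the ‘registrable domain’ check is simplified to the last two labels of the host name; a production check would use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list of domains this organisation genuinely deals with.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com"}

# Characters criminals swap in to build look-alike names (a small subset).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: a production check
    should use the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_warnings(href: str, link_text: str = "") -> list:
    """Return the reasons a link looks suspicious; an empty list means no finding."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    warnings = []

    if parts.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme {parts.scheme!r}")
    if parts.username is not None:
        # https://www.paypal.com@evil.example/ really goes to evil.example
        warnings.append(f"text before '@' is ignored by the browser; real host is {host}")
    if IPV4.fullmatch(host):
        warnings.append("bare IP address instead of a company name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host name (may display as look-alike characters)")

    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host:
                warnings.append(f"'{brand}' appears in the host but the registrable domain is {reg}")
        normalised = reg.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
        if normalised in TRUSTED_DOMAINS:
            warnings.append(f"look-alike of {normalised}")

    shown = link_text.strip()
    if re.match(r"https?://", shown, re.I):
        shown_reg = registrable_domain(urlsplit(shown).hostname or "")
        if shown_reg != reg:
            warnings.append(f"link text shows {shown_reg} but target is {reg}")
    return warnings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def scan_html(html: str) -> dict:
    """Map every link target in an HTML email body to its list of warnings."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: url_warnings(href, text) for href, text in collector.links}


# Constructed sample email body: one genuine link and four phishing tricks.
SAMPLE_EMAIL_HTML = """
<p>Your account has been limited. Please <a href="https://www.paypal.com/signin">sign in</a>.</p>
<p>Or verify here: <a href="https://www.paypal.com.account-verify.example/login">Verify now</a></p>
<p>Update your card: <a href="https://paypa1.com/update">Update</a></p>
<p>Office 365 notice: <a href="http://203.0.113.5/login">https://www.microsoft.com</a></p>
<p>Secure portal: <a href="https://www.paypal.com@evil.example/login">Secure portal</a></p>
"""

if __name__ == "__main__":
    for href, found in scan_html(SAMPLE_EMAIL_HTML).items():
        print(href, "->", "; ".join(found) or "no findings")
```

Run as a script, it prints one line per link; only the genuine PayPal link comes back with no findings. The confusables table is deliberately tiny: a real filter would use the Unicode confusables data and check the decoded form of any punycode label, not just flag that one exists.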
Here are some DO NOT’s!
- DO NOT just click any link or open any attachment because the sender says you should. Think before you click.
- DO NOT reply to any email you have suspicions over. Speak to the genuine sender verbally to confirm instructions.
- DO NOT be scared or embarrassed to ask for advice. If in doubt, Ask!
- DO NOT panic if you do click a link or open an attachment and then realise it was not genuine. Close your browser, shut down your computer and ask for IT advice straight away. If you typed a password into the page, say so: that password (and anywhere else you use it) needs changing immediately.
How can I protect myself and my business from a Phishing Attack?
There are several strategies that any business should employ. The NCSC’s guidance for businesses sets out four high-level layers of defence:
- Make it difficult for attackers to reach your users
- Help users identify and report suspected phishing emails
- Protect your organisation from the effects of undetected phishing emails
- Respond quickly to incidents
Here at PS Tech we like to keep things simple to start with. So, some simple things you can employ as individuals and as businesses include:
Never use the same password for more than one service
Many people re-use the same password, or a variant of it, for everything. That is a very bad idea. As you saw in our earlier blackmail example, with that one password the criminal has access to many of your accounts. Such passwords are obtained from large-scale breaches of organisations in the past; well-publicised examples include Yahoo!, TalkTalk, LinkedIn, Dixons Carphone and Sony. Even though some of these breaches happened years ago, people don’t change their passwords, so the leaked passwords are still valid for other systems even today.
Use a Password Manager
Password managers can generate unique, strong passwords and store them encrypted, so you don’t have to remember them all. You only need to remember the master password that protects the vault, so make sure that one is unique and strong too. There are good free and paid-for products available; do some research online or ask your IT support partner for further advice.
Use 2-Factor or Multi-Factor Authentication
2Fwhat?? Two-factor authentication adds a second proof of identity, usually a one-time code, that must be entered after the password when signing in to an online service. For instance, Microsoft Office 365 lets users receive a text message or generate a code in an authenticator app on their mobile device. Once the user enters their email address and password, a second, one-time code from the mobile device must be entered before access to the account is granted. It is slightly inconvenient, but it is a superb level of additional security at no extra cost. A criminal who has only a stolen password, and not the mobile device, cannot complete the sign-in. Codes generated by an app (or a hardware security key) are stronger than codes sent by SMS, which can be intercepted. As a minimum, ensure your admin users, decision makers and people with access to money have this enabled. Ideally everyone should.
Use an Enterprise-Grade Anti-Virus (Endpoint Security) product
All your computers, desktops, laptops and servers should have a quality endpoint security product installed and configured. Relying on the integrated protection of your operating system is not an adequate protection against the many different types of threat currently out there.
PS Tech offer a number of products that provide best-in-class protection, based on your need and budget. At the end of this article are some solutions that provide excellent protection to our clients. If you would like to know more, please get in touch.
Communicate your processes
In our earlier example, criminals duped clients into changing the bank account they paid invoices to. How would you feel if your clients were paying your invoices to someone else, and then claimed it was your fault because one of your email addresses was used to send the new bank details? We have seen exactly this. A simple way to cover your bases is to tell your contacts that you will never send critical information or changes, such as new bank details, by email alone; they will always be confirmed verbally or by post. Of course, there are other processes you may need to review to ensure they cannot be misused and nobody loses out.
Train, Train, Train
Train your users to identify phishing emails, to understand the risk they present and to know what to do if something has been clicked, or who to ask if they are unsure about an email. Do not punish users or run a culture that pressures users to keep security events ‘quiet’: a user who reports a click within minutes gives you a chance to contain it.
Patch your systems
Ensure your IT systems are patched and kept up to date. This keeps the chance of malware infecting your systems as a result of a user’s actions to a minimum. Not patching your systems is like leaving the front door wide open and placing a neon sign above it, just in case no one saw the open door. Many well-publicised malware, phishing and ransomware attacks succeeded because the systems were not patched. Also employ a replacement strategy for all of your IT hardware: eventually it reaches end of life and can no longer be patched, or there may be other reliability or capacity concerns.
Backup your data
This really should be the number 1 tip. Any business that does not back up its data is walking a very dangerous tightrope. A phishing attack could see your data deleted, or encrypted by ransomware, permanently. Don’t just back up the obvious either: ensure your cloud services are included in your backup strategy. Just because data is in the cloud doesn’t mean it is safe and easily recovered; most cloud providers offer only limited retention periods and make few guarantees about recovery time. Keep at least one copy that an attacker holding your everyday credentials cannot reach or alter, and test that you can actually restore from it.
Remove Admin Rights
Yes, that’s right: remove the rights to install software and make system changes from everyone, and we mean everyone, including the boss. You lead from the top, so senior management should follow the same rules they set for everyone else. Create separate accounts for administering or changing your IT systems, use them only for those specific tasks, and use ‘Standard’ accounts at all other times. If a user without admin rights opens a malicious attachment, the malware runs with that user’s limited rights, which limits the damage it can do.
Partner with a trusted IT Support provider
Their advice and experience are invaluable. Don’t rely on a friend of a friend: they will get sick of out-of-hours calls and favours, and they won’t always respond when you need them most. Also avoid ad-hoc use of multiple companies, which complicates your GDPR obligations, since every company that handles your data needs a proper agreement in place. Speak to PS Tech today about our plans for supporting business IT systems and users.
These simple tips should be the foundation of your strategy to protect your business from a successful Phishing attack. There are some more advanced things you can investigate that will further improve the defences:
- Employ email anti-spoofing techniques: SPF, DKIM and DMARC. Ask your partner companies to do the same. Make sure the configuration of these technologies meets your needs, as they are not simply an on or off setting: a DMARC record with p=none only monitors, so spoofed mail is still delivered, and the alignment between the domain in the From header and the domains that SPF and DKIM authenticate can be relaxed or strict. Move to p=quarantine and then p=reject once the reports show that your legitimate mail is passing.
- Block or filter incoming spam emails, emails with malware and phishing emails. Utilise filtering solutions by your email provider, understand their features and if necessary use a third-party solution to provide an additional layer if the risks are deemed high.
- Analyse your digital footprint, and those of your users, contractors, customers and suppliers. Is there more information about your business on your web site, social media etc, than there needs to be? Is this giving attackers an advantage?
- Follow best practice to ‘lock down’ your applications to reduce the probability of malware running successfully. As an example, disable macros in Microsoft Office: they are disabled by default, but the setting can be overridden by the user, so enforce it centrally by policy.
- Design your network (file shares, user groups, server access etc.) to reduce the impact of successful attack.
- Use a DNS service that refuses to resolve web addresses known to host malicious content. Several such services are free to use, and the NCSC funds one, Protective DNS (PDNS), for public sector organisations.
- Enable 2FA (two-factor, or multi-factor, authentication) on every system that offers it. This prevents an attacker from accessing a user’s account with a stolen password alone. Also employ additional authentication technology where appropriate, such as biometrics or smartcards.
- Have a process to disable or remove accounts in systems that are no longer needed, such as when someone leaves the business, or you migrate to a new service.
- Implement a password policy: ensure users can change their passwords, and that passwords are long enough and are screened against lists of commonly used or previously breached passwords. The NCSC advises against forcing regular password changes, and notes that where 2FA is in use the need to change passwords is further reduced.
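The SPF/DKIM/DMARC bullet above says the configuration is not an on/off switch. The Python below is an added example (not from the original article or from the NCSC) of how a receiving server turns your DMARC record, the domain in the From header and the SPF/DKIM results into a pass or fail and then an action, and why p=none and the alignment mode matter. All domain names, DMARC records and Authentication-Results lines are constructed for the example; a real implementation resolves the record from DNS and uses the Public Suffix List to find the organisational domain.

```python
import re

# Constructed DMARC records as they would be published in DNS at _dmarc.<domain>.
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@ps-tech.example"
ENFORCED_RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@ps-tech.example"

# Constructed Authentication-Results headers, as a receiving server would add them.
GENUINE_MAIL = ("mx.customer.example; spf=pass smtp.mailfrom=bounces@mail.ps-tech.example; "
                "dkim=pass header.d=ps-tech.example header.s=sel1")
SPOOFED_MAIL = "mx.customer.example; spf=pass smtp.mailfrom=attacker.example; dkim=none"
SUBDOMAIN_SIGNED = ("mx.customer.example; spf=fail smtp.mailfrom=bounces@mail.ps-tech.example; "
                    "dkim=pass header.d=mail.ps-tech.example header.s=sel1")

SPF_RESULT = re.compile(r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=([^\s;]+)", re.I)
DKIM_RESULT = re.compile(r"\bdkim=(\w+)[^;]*?\bheader\.d=([^\s;]+)", re.I)
ACTIONS = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless told otherwise
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels. A real check
    uses the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed only needs the same organisation."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_auth_results(header: str):
    """Pull (result, domain) pairs for SPF and DKIM out of an Authentication-Results header."""
    spf = [(r.lower(), d.split("@")[-1]) for r, d in SPF_RESULT.findall(header)]
    dkim = [(r.lower(), d) for r, d in DKIM_RESULT.findall(header)]
    return spf, dkim


def dmarc_evaluate(record_txt: str, from_domain: str, auth_results_header: str):
    """Return (dmarc_result, action) for one message, as RFC 7489 section 6.6 describes:
    DMARC passes if either SPF or DKIM passed AND its domain aligns with the From domain."""
    rec = parse_dmarc(record_txt)
    spf, dkim = parse_auth_results(auth_results_header)
    spf_ok = any(r == "pass" and aligned(from_domain, d, rec["aspf"]) for r, d in spf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, rec["adkim"]) for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTIONS[rec["p"]]


def record_warnings(record_txt: str) -> list:
    """Configuration points a practitioner would raise when reviewing a DMARC record."""
    rec = parse_dmarc(record_txt)
    found = []
    if rec["p"] == "none":
        found.append("p=none: spoofed mail is reported but still delivered")
    if rec["pct"] != "100":
        found.append(f"pct={rec['pct']}: policy applied to only part of failing mail")
    if "rua" not in rec:
        found.append("no rua= address: you will not receive aggregate reports")
    return found


if __name__ == "__main__":
    for label, header in [("genuine", GENUINE_MAIL), ("spoofed", SPOOFED_MAIL)]:
        for name, record in [("monitor-only", MONITOR_ONLY_RECORD), ("enforced", ENFORCED_RECORD)]:
            print(label, "mail under", name, "record:", dmarc_evaluate(record, "ps-tech.example", header))
```

Two things stand out when you run it. A message claiming to be from ps-tech.example but sent by attacker.example passes SPF (the attacker’s own domain is correctly set up) yet fails DMARC because nothing aligns with the From domain, and only the p=reject record actually stops it. And the message DKIM-signed by the mail.ps-tech.example subdomain passes under relaxed alignment but fails under adkim=s, which is the sort of setting that silently breaks legitimate mail if you turn on strict mode without reading your reports first.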
The NCSC provide a detailed breakdown of how each of these topics can be implemented here:
How can PS Tech help?
PS Tech can provide help and assistance with any of these suggestions mentioned above. In particular, we offer Endpoint Security Solutions and Support Plans to ensure you get the right advice, along with responsive and proactive support from our team here in the UK.
Endpoint Security Solutions
The most popular solution we offer to small and medium-sized businesses is the Sophos Security range of products. The cloud-managed Sophos Central suite of tools offers best-in-class protection for all of your computers, servers and mobile devices. Protection includes real-time file protection, web protection, real-time anti-ransomware protection, and the ability to manage device security, including apps and peripherals. On top of that, a device encryption solution ensures the data on your Windows computers is encrypted and stays that way.
An alternate solution which may prove more attractive to those on a smaller budget is our Monthly Managed Anti-Virus solution based on the reputable BitDefender security engine. This has a low monthly cost payable for each device protected.
With our support plans we can monitor and proactively deal with threats that appear on your network with either of these two solutions.
Every business and individual should back up their data. The best form of backup is a second copy of your data, taken automatically and held off-site. File sharing/syncing apps such as Dropbox, OneDrive and SharePoint are not a backup: a deletion or a ransomware encryption on one device is synced to every copy. In fact, if you use cloud services such as these, you should back them up properly too.
PS Tech offer a number of cost effective and flexible backup solutions. These include:
- Pro Backup Home – a low cost automatic backup solution for your home computers to backup data to the cloud securely
- Pro Backup Business – a flexible and low-cost automatic backup solution for all of your business computers and servers
- Pro Backup Server – a highly configurable backup solution for your Windows and Mac Servers
- Pro Backup 365 – a cloud to cloud backup solution for data held in your Office 365 or GSuite environments
All our backup solutions are GDPR compliant and available on monthly or annual plans. Do not delay! Speak to one of our team today about the best option to ensure you do not lose data as a result of a mistake, a phishing attack, ransomware attack or some other form of data loss.
If you are looking for an IT Support partner to provide your business with proactive IT Support, then look no further. Many words describe our service, including friendly, cost-effective, professional and proactive. But more importantly, we live up to these descriptions. We have different plans that can be tailored to your needs and budget. Once you have a plan in place, PS Tech will perform constant monitoring of your systems, patching them and backing up your data securely. Plus, with our Monthly Support Plans, users get unlimited remote support, with discounted on-site visits available if needed. It doesn’t cost the earth, and we know you will be impressed by the professionalism of our team and processes. Please contact us to discuss joining the hundreds of other companies who rely on us for their day-to-day IT Support needs.
If you found this article useful, please follow us on our Social Media feeds to stay in touch. Depending on your choice of platform, you can find us at:
Facebook – https://www.facebook.com/pstechnologyuk
Instagram – https://www.instagram.com/pstech_itsupport
Twitter – https://twitter.com/uk_itsolutions
Speak to us about any of the suggestions or products mentioned above.
Above all, be careful and stay safe.