What every business owner needs to know about phishing

Keep your data and team safe

 It's likely you've heard of phishing and know you should stay away from it. Are you aware of what phishing attacks really are and how they work?

 It's normal to not know the specifics about phishing. And that's okay. But the key to protecting your business from phishing attacks is to know exactly how they work and what red flags to look out for.

 To help you do just that, we have created this guide.

 Phishing - what does it mean?

 Cyber criminals bait unsuspecting victims into biting, just like you'd lure a fish to a hook with a big juicy maggot.

The virtual bait usually takes the form of an email. When the victim clicks on the link or attachment inside it, their devices are at risk of being infected with malware.

 There are also cases in which victims are enticed to give away login credentials, which can result in the theft of financial information and data.

Phishing isn't just an inconvenience: repairing the damage it causes costs time, money and stress.

That is why avoiding phishing attacks in the first place matters so much.

 It's also important to know that phishing doesn't always come in the form of an email. But more on that later.

 To help you understand just how big phishing attacks have become, here are some scary stats…

· Last year 83% of organizations reported experiencing phishing attacks – that’s up 28% from 2020

· It’s expected there will be an additional 6 billion attacks this year

· A third of phishing emails are opened

· Around 90% of data breaches occur as a result of phishing

· 1 in 99 emails is a phishing attack. 25% of these slip through the security filters in your Microsoft 365 inbox

· 60% of successful phishing attacks result in lost data

· 52% result in a compromise of login credentials

· 47% of phishing attacks lead to ransomware, where your data is encrypted and held hostage until you pay a ransom fee

How does a phishing attack look?

A phishing email will drop into your inbox like any normal email.

 Often, it’ll look like it’s been sent from a legitimate sender, so you don’t suspect anything is wrong.

 You should be careful when it pretends to be from a popular company, like Amazon or PayPal.

 But in some cases, the attacker will have learnt information about you, such as the services you subscribe to, and the email becomes all the more believable – and riskier.

 At a glance, the email won’t look suspicious. Everything is as it’s supposed to be, so it’s likely you won’t question the contents… especially as it’s often an urgent request for you to act, which can be distracting in itself.

 There are several ways that this urgent request can work: it could ask you to open an attached file, or it might ask you to confirm details of a recent purchase.

 If you do this, your device may become infected with malware. And if it's connected to a network, the malware could spread to other devices.

 The other common approach is to ask you to click a link, which may take you to a fake site pretending to be a service you use, and when you login, you give the criminals your login credentials.

 It's not always an email that's used to carry out phishing attacks, is it?

 Sadly no. That would make things easier for those of us in defense. A phishing attack can take many different forms. These are some of the most common ones…

 Vishing: Like a phishing attack but done over the phone. Someone will call and pretend to be a person or company you know, or a representative of them. They’ll ask you to take an action, such as giving them remote access to your device, or visiting a website.

 Pop-up phishing: Clue’s in the name. This is phishing via a pop-up. It may say there’s a problem with your device’s security and ask you to click a button to download a file, or call a number to get it fixed.

 Evil twin phishing: A fake Wi-Fi network is set up to look like the real deal. When you log in, the cyber criminal steals your data.

Angler phishing: Social media posts which are created to encourage people to access an online account or click a link which downloads malware.

 Smishing: Like a phishing email, but over SMS straight to your phone.

 Spoofing: A website that’s created to look like the real thing, but isn’t. Once you log in, you’ve given away your credentials (spoofing can be used alongside other forms of phishing attacks too).

 Domain spoofing: This is where you click a link that looks to be the genuine web address, except it’s been faked. Again, once you act on that site your details have been stolen or you have downloaded malware.

 Oh, and there are different forms of phishing emails to beware of too…

 Spear phishing: These are sent to specific people who have been researched to some degree, so that the information in the email is more relevant and therefore more believable.

 Whaling: These phishing emails target people in executive positions within a business, who are likely to have greater access to sensitive areas of the network.

 Clone phishing: Copies an email you’ve already received and adds a message such as ‘resending this…’ but includes a malware link for you to click.

 Man in the Middle attack: A cyber criminal jumps in the middle of an existing email thread and takes over the other side of the conversation. They already have your trust and can ask you to take a specific action.

 That's enough for now, let's move on.

  Who’s at risk?

 This threat should be taken seriously by everyone in your organization (especially you, as the boss. See whaling, above).

Don't dismiss it with "it won't target us, we're too small or obscure."

 Throughout the day, cyber criminals use automated tools to target businesses of all sizes.

You don’t read about small businesses being affected simply because those stories don’t make the news.

Do you have examples of well-known phishing attacks?

 Some of the biggest companies in the world have been fooled by phishing scams.

 As a result of an extensive phishing campaign carried out by cyber criminals between 2013 and 2015, Facebook and Google lost $100 million.

Facebook and Google paid fake invoices that pretended to come from Quanta, the Taiwanese vendor used by both companies.

 Facebook and Google recovered just under half of what was stolen after the scam was discovered.

 In 2014, Sony Pictures was the victim of a phishing attack that wasn't about money. The attackers were believed to have a connection to North Korea and targeted Sony for refusing to pull a movie mocking Kim Jong Un.

 Using fake emails, cyber criminals stole huge amounts of information from Sony's network, including email conversations about employees, scripts, and personal information.

 They even gained access to Sony's offices by impersonating IT staff and installing malware on Sony's computers.

 Sony spent $35 million on IT repairs as a result of the attack.

  How can we stay protected?

 Educating yourself about phishing is the key to protecting yourself from this type of cybercrime.

Training in cyber security awareness should be provided to everyone in your business on a regular basis.

It's essential that everyone knows the risks and red flags when using any device.

The threat may be a phishing attempt, or it may be one of the many other cyber-threats that businesses like yours face every day.

 Phishing attacks have a number of warning signs that you and your team should be aware of:

· Misspelled words, websites, or email addresses

· Oddly named attachments

· Who the email is addressed to

· Poor grammar and punctuation

· An unusual layout to the email

If you hover your cursor over the sender's name in an email, or over a link, you'll see the actual email address or web address behind it.
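As an added example (not from the article, and not a product the author offers), the following Python script applies the red flags listed above to a constructed email: a sender domain that imitates a known brand with look-alike characters, link text that shows one site while the link actually goes to another, and an oddly named attachment. The brand list, the domains and the message are all made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRANDS = {"paypal", "amazon", "microsoft"}          # assumed: services the business uses
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta")
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?")
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.S)

def host_of(url):  # lower-cased hostname of a URL or bare domain ('' if none)
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def lookalike_brand(domain):  # brand visible only after undoing digit-for-letter swaps
    fixed = domain.translate(HOMOGLYPHS)
    return next((b for b in BRANDS if b in fixed and b not in domain), None)

def red_flags(raw):  # the guide's warning signs found in one raw email message
    msg, flags = message_from_string(raw), []
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    brand = lookalike_brand(sender_domain)
    if brand:
        flags.append(f"sender domain {sender_domain} imitates {brand}")
    for part in msg.walk():
        name = part.get_filename()  # oddly named: double extension or executable type
        if name and (name.count(".") > 1 or name.lower().endswith(RISKY_EXT)):
            flags.append(f"oddly named attachment {name}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(errors="replace")
            for href, text in LINK.findall(html):
                text = text.strip()  # only compare when the visible text itself looks like a URL
                if URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
                    flags.append(f"link text shows {host_of(text)} but goes to {host_of(href)}")
    return flags

# Constructed sample (every name, address and domain here is made up for the example).
SAMPLE_EMAIL = """\
From: "PayPal Billing" <billing@paypa1-secure.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Confirm now: <a href="http://paypa1-secure.example/login">https://www.paypal.com/confirm</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"

--b1--
"""
```

Running `red_flags(SAMPLE_EMAIL)` returns three flags, one for each warning sign; an email whose visible and actual addresses agree returns none.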

 Log in to your accounts directly through the website you always use, not via a link in an email.

 Make sure you check every email you receive, even if it's from a friend or colleague you know well.

 Use different login details across different online accounts so cyber criminals don't try your credentials on other sites once they've stolen them.

Make sure your passwords are long and randomly generated using a password manager.

Implement multi-factor authentication across applications (where you use a second device to prove it’s really you logging in).

 It's a good idea to set up a dedicated email address for sending invoices. If you don't advertise the address, it's less likely that you'll be targeted by phishing emails.

 It is also possible to implement codewords with clients or suppliers if they send you an email regarding payments. If the email doesn't contain the codeword, you know not to process the transaction. Don't use e-mail to send the codewords, but instead contact your suppliers to let them know about the scheme.

 To conclude, make sure your policies reflect your stance on financial transactions and how to handle them. For example, you might decide that all transactions must be confirmed over the phone.

 You can see there's a lot more to phishing than you thought. As attacks evolve, it's more important than ever to take them seriously.

 If you want more information, or you need help protecting your business, get in touch.

Call 281 656 1099 or email rsheel@cmitsolutions.com

More articles by Rashmi Sheel