How to Prevent Phishing Attacks and Protect Your Organisation

Henry Bevan, June 12, 2020

Unfortunately, 2020 has seen a rise in phishing attacks and email scams. And there are fears hackers will prey on the vulnerable further.

Phishing attacks are one of the most common IT security challenges, and preventing phishing attacks is difficult because hackers have a lot of opportunities to enter your network.

Hackers can turn an email, a social media post, a phone call or any other form of communication into a network breach. Your passwords, company credit card details and other sensitive data are at risk.

An organisation can do a lot to protect its network. ITEC’s IT Support experts have gotten together and created this quick guide on how you can identify, avoid and prevent phishing attacks.

Identify, Avoid, Prevent and Report Phishing Attacks

Identifying a Phishing Attack

Before you can prevent phishing, you must be able to identify the scam. You need to know what a phishing attack is and what forms it takes.

What is a Phishing Attack?

Phishing (definition): the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Cyber-criminals use phishing to steal important data, documents and sensitive information from schools, businesses and charities. Most of the time, hackers use the technique to spread malware.

However, sometimes they will use the stolen data to commit identity theft, fraud, or to cripple computer systems. Phishing attacks have even looted national secrets.

What Does a Phishing Attack Look Like?

A phishing email or social media post will look reputable, and will probably be "sent" from an official source like HMRC, Google or a trusted third party. In fact, hackers posing as the tax man is the most common, and oldest, email scam. Phishing scams can take forms like these:

  • Emails claiming you’re eligible for a tax refund and that you should click the link or visit a certain website to claim
  • Text messages from the HMRC asking for your professional or personal bank details
  • WhatsApp or social media messages from the HMRC
  • A fake invoice from a third-party supplier. The email will likely start with a generic “Hi Dear”
  • Phone calls threatening legal action
  • Unsolicited downloads appearing in your inbox
  • Emails that ask you to click a link to update your account details
  • Emails claiming there’s a problem with your account or that it’s on hold
  • Free offers

Avoiding a Phishing Attack

According to the National Cyber Security Centre (NCSC), one of the most common causes of a breach is naive and careless browsing.

You’re going to be targeted, and avoiding a phishing attack is hard. Dodging hackers will require you to educate your users about how to identify an email scam.

Hosting a phishing simulation is a great way to show staff the potential consequences of malware, but if the exercise ends up blaming users for any potential breach, staff are discouraged from reporting real attacks. You must create a culture that encourages staff to flag and report phishing attempts.

What You Can Do:

  • Ensure all staff are aware of the threat of phishing and what departments hackers will target. Customer-facing departments get more unsolicited emails, but the finance department is a more attractive target
  • Make sure staff can identify the differences between a genuine email and a phishing email scam
  • Spotting a genuine phishing attempt can be hard, so help them identify common spear phishing techniques like urgency or authority cues pressuring users to act
  • Get finance to double check any invoices with the department that spent the money. If they’re surprised by the invoice or not aware of the company, bin that email
  • Reduce the amount of information hackers can easily access. Hackers are likely to create a list of phishing targets from publicly available sources, for example, your company website

However, clicking URLs and opening emails is a vital part of the modern workplace. Over-emphasising the importance of training and placing all emphasis on staff members will not stop phishing breaches. You need to install the right technology to back you up.

Preventing a Phishing Attack

If a piece of malware breaks into your network, the best way to prevent any damage is to have protection already in place.

Managed IT Service providers have computer software that fortifies your business and protects your users. From deep-rooted learning to firewall protection, you can have a multi-layered approach to preventing phishing attacks.

Now you’re aware of current hacking techniques, you can build the right defenses, including filtering and blocking spoof emails.

What You Can Do:

  • Get computer security software
  • Keep that software updated with patches. For mobiles, turn on automatic updates
  • Enable multi-factor authentication, for example by pairing a passcode with a fingerprint scan
  • Back up your data and make sure the backups are stored on a different network
  • Install filtering and blocking software to prevent hackers from reaching your teammates. Filtering spam, malware or phishing reduces the probability of an incident, and blocking is an effective server-level measure that stops emails from even entering staff inboxes
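The cues this guide lists (a sender posing as HMRC or another authority, a generic "Hi Dear" greeting, urgency pressure, "update your account" lures, and links whose visible text does not match where they point) are exactly what a filtering layer can check before a message reaches an inbox. The script below is an added example, not ITEC's software or any real mail gateway: it parses two constructed sample emails and scores them against those cues. The term lists and the `BRAND_DOMAINS` table are assumptions made for the demo, and the threshold of two cues is arbitrary.

```python
"""Heuristic phishing scorer over constructed sample e-mails (added example, not the article's code)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Cue lists are constructed for this example; a real gateway would use tuned lists and reputation data.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "on hold", "suspended", "legal action")
GENERIC_GREETINGS = ("hi dear", "dear customer", "dear user", "dear sir/madam")
ACCOUNT_LURES = ("update your account", "verify your account", "confirm your details", "claim your refund")
# Impersonated brands and the domain their genuine mail comes from (assumed values for the demo).
BRAND_DOMAINS = {"hmrc": "gov.uk", "google": "google.com"}


def host_of(value):
    """Lower-cased host of an e-mail address ('Name <user@host>') or of a URL."""
    value = value.strip()
    if "://" not in value and "@" in value:
        addr = value.split("<")[-1].rstrip(">")
        return addr.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value  # bare 'www.example/...' text in an anchor
    return (urlparse(value).hostname or "").lower()


def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def score_message(raw):
    """Parse one RFC 5322 message and return its score, the reasons found and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # 1. Authority cue: the display name claims a brand the sending domain does not belong to.
    from_header = str(msg["From"] or "")
    display = from_header.split("<")[0].lower()
    sender_host = host_of(from_header)
    for brand, domain in BRAND_DOMAINS.items():
        if brand in display and not same_org(sender_host, domain):
            reasons.append(f"display name mentions {brand!r} but mail comes from {sender_host}")

    # 2. Body cues: generic greeting, urgency pressure, account/refund lure.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = " ".join(re.sub(r"<[^>]+>", " ", body).lower().split())  # strip tags, normalise spaces
    for label, terms in (("generic greeting", GENERIC_GREETINGS),
                         ("urgency cue", URGENCY_TERMS),
                         ("account/refund lure", ACCOUNT_LURES)):
        hits = [t for t in terms if t in text]
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")

    # 3. Link cue: the anchor text shows one site while the href points somewhere else.
    for href, anchor in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        anchor = anchor.strip()
        if re.match(r"(https?://|www\.)", anchor, re.I) and host_of(anchor) != host_of(href):
            reasons.append(f"link text says {host_of(anchor)} but points at {host_of(href)}")

    score = len(reasons)
    return {"score": score, "reasons": reasons,
            "verdict": "likely phishing" if score >= 2 else "looks clean"}


# Constructed sample messages (not real mail). Hosts use reserved .example names.
PHISH = """\
From: HMRC Tax Refunds <refunds@hmrc-refund-portal.example>
To: staff@example.org
Subject: Your tax refund is on hold
Content-Type: text/html

<p>Hi Dear,</p>
<p>Your refund of GBP 432.10 is on hold. Confirm your details within 24 hours
or it will be cancelled: <a href="http://hmrc-refund-portal.example/claim">https://www.gov.uk/claim-tax-refund</a></p>
"""

GENUINE = """\
From: Alex Chen <alex.chen@supplier.example>
To: finance@example.org
Subject: Invoice 2031 for May consultancy
Content-Type: text/plain

Hi Sam,

Please find attached invoice 2031 for the May consultancy work, as agreed with Priya.
Let me know if the PO number needs changing.

Alex
"""

if __name__ == "__main__":
    for name, raw in (("constructed phishing sample", PHISH), ("constructed genuine invoice", GENUINE)):
        result = score_message(raw)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

Run as-is and the HMRC lookalike collects five reasons (spoofed display name, "Hi Dear", urgency terms, a "confirm your details" lure and a link whose text claims gov.uk but resolves elsewhere), while the plain supplier invoice scores zero. The reasons list is the useful part for a defender: a gateway can quarantine on the score, and the reasons give the user a concrete explanation of why a message was held, which reinforces the training this guide describes.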

Handling a Phishing Attack

Detecting every phishing email is hard, and sometimes the odd one might slip through the cracks. You can limit any potential damage by having the right technology and procedures in place.

As malware hides in phishing emails or the websites they link to, having updated and supported devices and good endpoint security options can stop malware before it latches onto your network.

If something does sneak through your defenses, you need to protect your devices, your users and your data.

What You Can Do:

  • Make sure you’re running supported software. For example, as Microsoft no longer supports Windows 7, hackers can bypass the defenses on any computer running this operating system
  • Install specialist software to stop browser-borne attacks. Most browsers will block known phishing websites and URLs. However, specialist software will prevent phishing by stopping links opening at all
  • Enable two-step authentication to protect your sensitive data. Password protection alone isn’t enough; by pairing a password with biometrics (a fingerprint scan or facial recognition), you stop hackers who have only the password
  • Remove or suspend accounts no longer being used by a staff member who has left the organisation or is on long-term leave
  • Review your password policy and inform staff of any changes
  • Keep track of any attempt to hack your network that users don’t notice. Updated security logging systems, either ‘off the shelf’ or bespoke from your Managed IT Service Provider, are an effective way to monitor your system’s safety

Responding to a Phishing Attack

With a security logging system in place, you’re better positioned to respond to an email scam. You’ll be able to detect an incident quickly and prevent lasting damage with an incident response plan.

What You Can Do:

  • Ensure every member of staff who can access your network knows the correct procedures. What must they do if their password is compromised? Who’s in charge of removing malware? How will they remove the malware?
  • Practise your incident response plan before an incident occurs. Treat phishing like a fire alarm test: regularly check in with users to see if they know what they’re doing

Customer Story: Maen Karne

When hackers attacked Maen Karne in 2017, ITEC got everything up and running again even though it wasn’t part of the agreement at the time.

Reliance on a one-man-band IT operation had left Maen Karne vulnerable. ITEC trained the concrete specialist’s staff on their chosen IT software, and put a series of improvements in place. Maen Karne is now safeguarded from future attacks.

“ITEC’s response to the malware attack typifies the service we have experienced from them… they did not seek to profit unduly from our experience.”
Ross Facey, Director, Maen Karne


If you’re looking to prevent phishing attacks and protect your organisation from email scams, contact ITEC today.
