Unfortunately, 2020 has seen a rise in phishing attacks and email scams. And there are fears hackers will prey on the vulnerable further.
Phishing attacks are one of the most common IT security challenges, and preventing phishing attacks is difficult because hackers have a lot of opportunities to enter your network.
Hackers can turn an email, a social media post, a phone call or any form of communication into a network breach. Your passwords, company credit card details and other sensitive data is at risk.
An organisation can do a lot to protect its network. ITEC’s IT Support experts have got together and created this quick guide on how you can identify, avoid and prevent phishing attacks.
Identify, Avoid, Prevent and Report Phishing Attacks
Identifying a Phishing Attack
Before you can prevent phishing, you must be able to identify the scam. You must be able to know what a phishing attack is, and what form it takes.
What is a Phishing Attack?
Phishing (definition): the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Cyber-criminals use phishing to steal important data, documents and sensitive information from schools, businesses and charities. Most of the time, hackers use the technique to spread malware.
However, sometimes they will use the stolen data to commit identity theft, fraud, or to cripple computer systems. Phishing attacks have even looted national secrets.
What Does a Phishing Attack Look Like?
A phishing email or social media post will look reputable, and will probably be "sent" from an official source like HMRC, Google or a trusted third party. In fact, a hacker posing as the tax man is the most common, and oldest, email scam. Phishing scams can look like:
Emails claiming you’re eligible for a tax refund and that you should click the link or visit a certain website to claim
Text messages from the HMRC asking for your professional or personal bank details
WhatsApp or social media messages from the HMRC
A fake invoice from a third-party supplier. The email will likely start with a generic “Hi Dear”
Phone calls threatening legal action
Unsolicited downloads appearing in your inbox
Emails that ask you to click a link to update your account details
Emails claiming there’s a problem with your account or that it’s on hold
You’re going to be targeted, and avoiding a phishing attack is hard. Dodging hackers will require you to educate your users about how to identify an email scam.
Hosting a phishing simulation is a great way to replicate the potential consequences of malware, but it often ends up blaming users for a potential breach, which discourages staff from reporting real attacks. You must create a culture that encourages staff to flag and report phishing attempts.
What You Can Do:
Ensure all staff are aware of the threat of phishing and what departments hackers will target. Customer-facing departments get more unsolicited emails, but the finance department is a more attractive target
Make sure staff can identify the differences between a genuine email and a phishing email scam
Spotting a genuine phishing attempt can be hard, so help them identify common spear phishing techniques like urgency or authority cues pressuring users to act
Get finance to double check any invoices with the department that spent the money. If they’re surprised by the invoice or not aware of the company, bin that email
Reduce the amount of information hackers can easily access. Hackers are likely to create a list of phishing targets from publicly available sources, for example, your company website
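The checklist above can be turned into a simple triage check that flags the indicators this guide lists (a sender posing as HMRC from an unrelated domain, a lookalike link, a generic "Hi Dear" greeting, urgency or authority cues, and refund or account-update lures). This is an added illustration, not ITEC's own tooling; the allowed HMRC domains and both sample emails are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the named organisation is expected to send from: an assumption made for this example.
EXPECTED_DOMAINS = {"hmrc": ("hmrc.gov.uk", "gov.uk")}
GENERIC_GREETINGS = ("hi dear", "dear customer", "dear user")
PRESSURE_CUES = ("immediately", "within 24 hours", "legal action", "on hold", "suspended")
LURES = ("tax refund", "update your account", "bank details", "click the link")

def _on_domain(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_indicators(raw_email: str) -> list[str]:
    """Return the indicators from the guide's checklist that appear in a plain-text email."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1].lower()
    body = msg.get_payload().lower()  # single-part, plain-text message assumed
    found = []
    for org, domains in EXPECTED_DOMAINS.items():
        # Sender poses as a trusted organisation but the address is not on that organisation's domain
        if org in display_name.lower() and not _on_domain(sender_host, domains):
            found.append(f"sender claims to be {org.upper()} but writes from {sender_host}")
        # Link hosts that borrow the organisation's name (lookalikes) but sit on another domain
        for host in re.findall(r"https?://([^/\s]+)", body):
            if org in host and not _on_domain(host, domains):
                found.append(f"lookalike link host {host}")
    if any(body.startswith(g) or f"\n{g}" in body for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    if any(cue in body for cue in PRESSURE_CUES):
        found.append("urgency or authority pressure")
    if any(lure in body for lure in LURES):
        found.append("credential or refund lure")
    return found

# Constructed sample messages (not real mail) used to exercise the check.
PHISH = """From: HMRC Refunds <refunds@hmrc-claims-online.com>
Subject: Tax refund notification

Hi Dear,
You are eligible for a tax refund of 342.18 GBP. Claim within 24 hours at
http://hmrc-refund-claims.com/claim or the refund will be cancelled.
"""
GENUINE = """From: Jo Bloggs <jo.bloggs@supplier.example.com>
Subject: Invoice 1042 for March consultancy

Hi Sam,
Please find attached invoice 1042 as agreed on the call last week.
"""
```

Running `phishing_indicators` over the two samples flags five indicators on the first and none on the second; a real gateway would feed these into a score or a quarantine rule alongside its own filters.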
However, clicking URLs and opening emails is a vital part of the modern workplace. Over-emphasising the importance of training and placing all emphasis on staff members will not stop phishing breaches. You need to install the right technology to back you up.
Preventing a Phishing Attack
If a piece of malware breaks into your network, the best way to prevent any damage is to have protection already in place.
Managed IT Service providers have computer software that fortifies your business and protects your users. From deep learning detection to firewall protection, you can have a multi-layered approach to preventing phishing attacks.
Now you’re aware of current hacking techniques, you can build the right defenses, including filtering and blocking spoof emails.
What You Can Do:
Get computer security software
Keep that software updated with patches. For mobiles, turn on automatic updates
Enable multi-factor authentication -- pair a passcode with a fingerprint scan
Install filtering and blocking software to prevent hackers from reaching your teammates. Filtering spam, malware or phishing reduces the probability of an incident, and blocking is an effective server-level measure that stops emails even entering the staff inboxes.
Handling a Phishing Attack
Detecting every phishing email is hard, and sometimes the odd one might slip through the cracks. You can limit any potential damage by having the right technology and procedures in place.
As malware hides in phishing emails or the websites they link to, having updated and supported devices and good endpoint security options can stop malware before it latches onto your network.
If something does sneak through your defenses, you need to protect your devices, your users and your data.
What You Can Do:
Make sure you’re running supported software. For example, as Microsoft no longer supports Windows 7, hackers can bypass the defenses on any computer running this operating system
Install specialist software to stop browser-borne attacks. Most browsers will block known phishing websites and URLs. However, specialist software will prevent phishing by stopping links opening at all
Enable two-step authentication to protect your sensitive data. Password protection isn’t enough; by pairing a password with biometrics (fingerprint scan or facial recognition), you stop hackers who have only the password
Remove or suspend accounts no longer being used by a staff member who has left the organisation or is on long-term leave
Review your password policy and inform staff of any changes
Keep track of any attempt to hack your network that users don’t notice. Updated security logging systems, either ‘off the shelf’ or bespoke from your Managed IT Service Provider, are an effective way to monitor your system’s safety
Responding to a Phishing Attack
With a security logging system in place, you’re better positioned to respond to an email scam. You’ll be able to detect an incident quickly and prevent lasting damage with an incident response plan.
What You Can Do:
Guarantee every member of staff who can access your network knows the correct procedures. What must they do if their password is compromised? Who’s in charge of removing malware? How will they remove the malware?
Practise your incident response plan before an incident occurs. Treat phishing like a fire alarm test: regularly check in with users to see if they know what they’re doing
Customer Story: Maen Karne
When hackers attacked Maen Karne in 2017, ITEC got everything up and running again even though it wasn’t part of the agreement at the time.
Reliance on a one-man-band IT operation left Maen Karne vulnerable. ITEC trained the concrete specialist’s staff on their chosen IT software, and put a series of improvements in place. Maen Karne is now safeguarded from future attacks.
“ITEC’s response to the malware attack typifies the service we have experienced from them… they did not seek to profit unduly from our experience.”
Ross Facey, Director, Maen Karne
If you’re looking to prevent phishing attacks and protect your organisation from email scams, contact ITEC today.