Phishing Attack


What is Phishing?

Phishing is a type of cyber-crime that uses social engineering to trick victims into giving criminals access to sensitive information or installing malicious software.
Typically, the cyber-criminal will impersonate a trusted person within a legitimate company to dupe their victim into thinking they are responding to someone that should be trusted.
Most of the time this is done by malicious email that appears to come from a known sender, but this can be done via instant message or text message.


How bad can it be?

A phishing attack is a serious risk to your business if it is successful. Attacks can install malware, disrupt systems or steal intellectual property or money. And you don’t need to be a large corporation to be affected, phishing email attacks can strike organisations of any size. In 2019, there were several attacks against people using 365 (a blog on the evolution of phishing from Microsoft explains more).
After a phishing attack, there is not just the cost of the loss of data, and the time spent change passwords. There’s also the damage to your reputation and loss of client trust, especially if their data has been compromised in the attack.

Can I prevent a phishing attack?

The first form of defence is your staff. Making them aware of the common features of a phishing attack, how to report any concerns, and on-going training will help bolster your defences.
Your business should also have good technical security controls in place. In fact, if you are following Cyber Essentials 5 step guide then you will have these technical controls should be there already.  All of these are covered within Cyber Essentials, here are the five controls you should have in place:

  1. Use a Firewall to secure your internet connection
  2. Use secure configuration for your devices and software
  3. Control who has access to your data and services
  4. Protect yourself from viruses and other malware.
  5. Keep your devices and software up to date

What should my staff look out for?

There are several common features of a phishing attack and knowing what to look out for can help prevent someone from accidentally opening infected email attachments or links to malicious websites.
1. Unusual sender: it might be someone you don’t know, or the contents of the email might seem out of the ordinary, unexpected or suspicious.
2. Sense of urgency: a suggestion that you must react quickly to an email request or that something bad might happen, like your account being locked.
3. Too good to be true: lucrative offers, unbelievable prizes, unexpected rewards, remember if it seems too good to be true, it probably is.
4. Attachments: attachments you’re not expecting or just don’t make sense
5. Hyperlinks: links might not always be what they appear. Hovering over a link will show the destination url (the real url you are being sent to). Be sure to check links carefully, especially for misspellings.

How do I defend against a phishing attack?

As a business you will need to have a multi layered defence that will combine staff training and technical controls.
As we said before, training your staff to recognise common features of a phishing attack will help. Its also important that there is a simple mechanism for all staff to report any concerns and that they know how to do this. More importantly, if someone has fallen victim to a phishing attack, they should be encouraged to report this as soon as possible.
You should have ongoing training for staff, and you should look to build a security aware culture within your business so everyone can play their part in protecting your business and its information assets.
Finally, the 5 technical controls of Cyber Essentials will help mitigate an attack. If you’re not sure what these are, or how to implement them, then get in touch. In2secure are a Certified Body for Cyber Essentials and can assist you with any security issues you may have.

Cyber Essentials

In2secure are a Certified Body for Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber security. We’ve completed the assessment ourselves and help other businesses who want to get certified in Cyber Essentials.