
Can I have Phish with that?

The food and retail sector is having a hard time at the moment. With rising prices seemingly everywhere and the pandemic altering our shopping behaviours, no one is sure whether it will be boom or bust. But one thing is certain: cyber criminals will take any opportunity to attack.


By far the most common way they do so is via phishing.

According to Proofpoint’s 2022 State of the Phish, 91% of UK survey respondents said their organisation faced bulk phishing attacks in 2021.

And retailers, with their use of personalisation and payment details, are a lucrative target.

What is Phishing?


Criminals pretend to be a legitimate person or organisation to get you to do something. This might be clicking a link, visiting a website, or opening an attachment. Whatever they want you to do, the result is likely to be the same: access to your system for them. And with bulk phishing they only need one person to do what they want, and the network could be theirs.

But there are things which you can do to stop an inadvertent click turning into a disaster.


Recently one of our partners had a user who “clicked the link”.

They were sent an email with an attachment which they opened.

The attachment auto-saved malware onto the network (the user didn’t have to do anything).

But because the user didn’t have permissions to install the programme, it just sat there, not able to do anything. Until the Anti-Virus scanned it.

Interestingly, the anti-virus (AV) has a slightly higher permission level than the user, and this caused the virus to start doing its job, but it was quarantined by the AV almost immediately with little impact on the company.

This could have been drastically different had the user had admin permissions or if the company didn’t have any anti-virus. It is also a good demonstration that it is not just users who have permissions; programmes do too.

Fiona Bail, the Head of cyber and innovation at the ECRC, is asking companies,

“How would your company’s defences stand up if the same thing happened in your business?”

Who can help?

The ECRC is a not-for-profit police-led company with the aim of helping small and medium businesses put fundamental cyber resilience controls in place. In the same way that you can have an on-premises business security assessment from a crime prevention officer, the ECRC wants to help you put the locks and alarms on your company’s digital assets.

And companies can join for FREE, no strings or obligations attached.

If you’re not sure why you should join us, have a chat with us first or download our Essential Retail Cyber Guide for 2022. It has the key threats and top tips for small retailers.

Policing led – business focused

The Eastern Cyber Resilience Centre


