The manufacturing sector is being hard hit by cyber-attacks, with one report stating that 50% of manufacturing companies experienced a data breach or cyber-attack in the past year, and that 73% of those attacks were financially motivated. But it is not just cyber criminals expecting a payout; corporate espionage is also on the rise.
One of the most common ways that a cyber-attack will start is with a phishing email.
Phishing? What’s that?
Phishing is a type of impersonation attack, whereby attackers pretend to be a trusted entity, such as a customer, a supplier or an employee.
The attacks can be very generic (“hey, you, fancy a free thingy?”) or very targeted (“Mr Alan Burrows of Manufacturing Corp, fancy a free thingy? We know you’ve bought them before”), and because of the wide-ranging, and sometimes very clever, social engineering involved, phishing can be the hardest attack to avoid.
These attacks are not limited to email; they can arrive in any form of communication: SMS, voice, social media, even QR codes.
What does a phishing attacker want?
Access and Information.
Access to your systems and information about you and your company.
Phishing emails will try to get you to click on a link, which is likely to take you to a fake login screen for a trusted service such as Google or Microsoft. Once you “log in”, the attackers capture the details you have entered and use them to log in as you.
Or they might send an email with an attachment. Unfortunately, the attachment is likely laced with malware which will infect your systems, potentially causing your production operation to grind to a halt.
How to spot phishing?
Criminals are getting more sophisticated in the campaigns that they are operating, and it can be very difficult to detect, but here are a few things that might help you to spot a phish.
Recognise the tactics. Criminals use these tactics to get you to act – so if you can spot these within an email just think before you act.
Urgency – time related pressure “this has to be done NOW!”
Authority – from CEO / senior member of staff – but is it their style or an unusual request? “Transfer this money on my order”
Mimicry – attackers send messages that exploit your daily habits such as “please review your calendar entry”
Curiosity – something that exploits our fear of missing out “OMG! Have you seen this?”
You can also look out for:
Grammar and spelling – does it make sense, is it addressed to you or “recipient”?
Email address – look at the full email rather than just the first name that you recognise
Hypertext – review the URL before clicking, making sure you look at the whole of the URL, not just the part that contains a familiar name – if you want to know more about what to look for in URLs, have a look at our blog all about just that subject.
What can you do?
Your staff can be both the best and the worst defence when it comes to spotting phishing and taking action, so you need to involve them in protecting your company. If they understand the tactics criminals use, they will be more likely to spot that risky email. But if the worst happens and they do click a link, they should also be trained in how to report it, so that the damage is kept to a minimum.
Consider having some staff awareness training. Our affordable student services will work with you to provide a bespoke awareness session relevant to you and your company.
Report it - If you think you have received a phishing email, then you need to report it. Your business should have a policy about this, and your staff should understand what they need to do, whether they have fallen victim or just received it.
The NCSC has an add-in which you can use in business versions of Outlook to report phishing emails directly to them, so that they can investigate and potentially remove the threat. Having the button visible can also help keep phishing in mind whenever your staff receive an email, like a little nudge.
Reporting a suspicious website - https://www.ncsc.gov.uk/section/about-this-website/report-scam-website.
Reporting a suspicious email – forward to firstname.lastname@example.org
Reporting a suspicious text message – send to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action, if found to be malicious.
Don’t click on any links that you are suspicious of. Go to the legitimate site and confirm the information there.
Confirm independently - If you received an attachment that you were not expecting, or a change of payment details, confirm the details with the person using a method other than the one in the communication – criminals might be monitoring the email address or have changed a phone number, so it goes to them.
Understand how URLs and email addresses are structured so you know what you are looking for. You can read more about this here.
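As an added example (not part of this post or the ECRC's own material), the Python below does what the points above describe: it separates the friendly display name from the real sender address, and extracts the host a link actually points at, including the case where a trusted brand appears somewhere other than the real domain. The trusted domains and sample addresses are constructed for illustration.

```python
"""Added example: check what an email's From: header and a link really say.
The domains below are assumptions for illustration, not real recommendations."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed list of services this (hypothetical) business trusts.
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "manufacturingcorp.example"}


def real_sender(from_header):
    """Split a From: header into (display name, actual address).
    The display name is free text; only the address matters."""
    name, addr = parseaddr(from_header)
    return name, addr.lower()


def sender_domain_is_trusted(from_header, trusted=TRUSTED_DOMAINS):
    """True only if the part after '@' is exactly one of the trusted domains."""
    _, addr = real_sender(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return domain in trusted


def link_host(url):
    """Return the host the browser would really connect to.
    Anything before '@' is userinfo, not the host, so
    'https://microsoft.com@evil.example/' resolves to evil.example."""
    return (urlsplit(url).hostname or "").lower()


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """A host is trusted only if it is a trusted domain or a subdomain of one.
    'microsoft.com.evil.example' fails: the right-hand end is evil.example."""
    host = link_host(url)
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_link(url, trusted=TRUSTED_DOMAINS):
    """Flag a link that mentions a trusted brand name anywhere in the URL
    (subdomain, userinfo, path) while the real host is not trusted."""
    if host_is_trusted(url, trusted):
        return False
    brands = {d.split(".")[0] for d in trusted}
    return any(b in url.lower() for b in brands)
```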
Further guidance & support
The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.
We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.
Policing led – business focussed.