Finance companies are a lucrative target for cybercriminals and the most common attack method is through the employees via phishing in all its many guises.
The 2022 Cyber Security Breaches Survey found that 83% of cyber attacks on UK businesses were identified as phishing and with 63% of businesses saying that phishing attacks were the most disruptive cyber attack, all companies and employees need to be aware of this threat.
And its no wonder why finance companies are at risk; they hold the data that cyber criminals want the most, banking and personal data to enable them to get paid.
What is phishing?
Simply it’s a way to trick you into doing something. This could be providing your secret details such as your password or 2FA credentials, visiting a dodgy website or downloading a malware infested item.
There are lots of different terms for phishing, but you don’t really need to know them, you need to know two things. The attackers want you to do something, and that contact can be through any communication method, email, text, social media, QR codes, phone calls maybe even a casual conversation with a stranger.
Playing the odds or a targeted attack?
There are criminal groups who work on an odds basis; “If I send out 1 million emails, someone is bound to do what I want eventually”. These phishing attacks are usually quite generic and may be pretty easy to spot. Targeted attacks are much harder and can be extremely sophisticated with detailed information that you would think only the genuine person or company should know.
Where do they get information about me and/or company?
There is a wealth of places that information can be found on companies and their employees.
Where do they look?
What can they get?
Previous data breaches/ other criminals
Name, date of birth, IP address, home address, usernames, passwords, financial details
Key personnel (CEO, MD), company structure, key partner companies, email addresses, telephone numbers, latest news, address
Social media channels
Connections, photos, family, personal life details such as holidays and hobbies, pet names
Companies House information, press releases, out of work activities, latest news
What should I do?
Companies need to put in place a layered approached to phishing.
Make it harder for attacks to get to employees
Employ anti-spoofing (DMARK, SPF, DKIM) – you can check how if your settings are correct at the NCSC's Email Security Check
Understand what information is published that could be used to create targeted attacks. You might want to have a look at what a corporate internet investigation might highlight and haveibeenpwned.com to check what information in data breaches is already released about you and your employees
Filter or block incoming phishing emails using your email provider or specific service
Make employees less likely to fall for the phish and know how to report them
Regular training and discussion around phishing attacks. The ECRC can provide staff awareness training bespoke to your company and practices.
Have a clear guide about what staff should do if they receive a phish
Protect your company from undetected attacks
Consider technical defences – anti-malware, blocking extensions, disabling macros
Use a proxy service to block any attempt to reach websites which have been identified as hosting malware or phishing campaigns
Set up 2FA/MFA wherever possible – this way that even if the password and username are compromised in a phishing attack the attacker still shouldn’t be able to get access to the system as they won’t have the 2nd verification factor – warning – attackers are now looking at how to phish the authentication code as well
Use a password manager or a single sign on method. Due to the autofill component, then user will get used to not having to fill in their password and may be more likely to question it when they must
Be able to respond quickly to attacks
Use a security logging system to pick up on those incidents that your users are not aware of. If you don’t have a logging system in place the NCSC has a free tool which enables companies to set up their own basic capability called logging made easy.
Have an incident plan ready and test it. It is almost guaranteed that one day a phishing email will slip in so what will you do about it. If you don’t already know make sure that you go away and think about it.
Further guidance and support
The ECRC is a police-led, not for profit organisation which companies can join for free.
Our core membership provides:
Threat alerts both regionally and nationally
Signposting to free tools and resources from both Policing and the NCSC
Little steps programme – series of weekly emails which aligns to cyber essentials looking at bite-sized practical information to build cyber resilience