Phishing attacks are now considered the most disruptive type of cyber-attack that organisations face, according to the Cyber Security Breaches Survey 2021. One in every 3,722 emails in the UK is now a phishing attempt, according to software company Symantec, so it is highly likely you have received one yourself.
What is a phishing attack?
A phishing attack is one where a criminal impersonates a familiar and trusted sender, using a legitimate-looking email sent to targeted individuals, which usually asks the recipient(s) to divulge sensitive information (such as login details) or to make a payment.
Does this sound familiar?
You receive an email from your bank saying your business account has been locked and a large payment is waiting and all you need to do is click the link to reset access.
The bank named is your own (your details were taken from an old data breach) and the payment matches a real customer (the same brilliant one you thanked on social media). The link takes you to a fake banking website, and when you enter your details there the criminals capture them and use them to access your real account.
Another favourite is the fake email from your boss. Cyber thieves can easily find names on a company website, and if that person has an open social media account and posts about meeting a client or where they will be, this can also be leveraged to launch a convincing attack. When an email lands from them saying ‘I need this done today. I am out of the office, but transfer £10,000 to [client name]’s account now’, do you think you or your colleagues would stop to question its validity?
So where do they get their information from?
- Social media posts – both personal and professional
- Website details – the names and positions of people within the company
- Companies House information
- Previous data breaches – this is very common. Criminals get hold of personal data leaked in an earlier breach and use it to make the message credible, so that you download an attachment or click a link: ‘Dear John, your password THEREDDOG has been compromised. Please click here to reset your password now.’ The password quoted is genuine (it came from the breach), which is exactly why the email persuades.
To help you tackle cyber-attacks such as spear phishing, we have compiled a list of recommendations below:
- Staff awareness training – ensure your staff know what phishing is and the common signs to watch out for. The ECRC offers this training as a stand-alone service or through core membership. Our corporate and individual internet investigations are an affordable way to understand what information about you or your organisation could be used in spear phishing and how to mitigate it. In the meantime, why not take two minutes to read our phishing blog?
- Consider technical controls that verify the sender’s authenticity, such as publishing SPF, DKIM and DMARC records for your own domain and configuring your mail filter to flag messages that fail those checks, come from a lookalike domain or arrive from outside the organisation under a colleague’s name. Click on the link to learn more about phishing attacks and how you can defend your business.
- Always be cautious of any email that combines urgency with a payment request or a download, and confirm such requests out of band, for example by phoning the sender on a number you already hold rather than one given in the email.
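As an added illustration of the technical checks and the urgency-plus-payment heuristic in the list above, the Python script below was written for this page and is not an ECRC tool. It inspects a raw email: it reads the Authentication-Results header that a receiving mail server adds (the SPF, DKIM and DMARC results), flags a known executive’s name on an address outside the organisation, a lookalike domain, a Reply-To that diverts the conversation elsewhere, and urgency combined with a payment request. The organisation domain example.co.uk, the executive list, the keyword lists and the three sample messages are all constructed assumptions, not real mail.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed organisation details (constructed for this example).
ORG_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane smith"}  # display names, lower-cased, that attackers like to borrow

# spf=/dkim=/dmarc= result tokens in an Authentication-Results header (RFC 8601).
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# Hypothetical word lists for the "urgency together with a payment request" heuristic.
URGENCY = re.compile(r"\b(urgent(?:ly)?|today|immediately|asap|right away|now)\b", re.I)
PAYMENT = re.compile(r"\b(transfer|payment|wire|invoice|bank details|gift cards?|pay)\b", re.I)

# Constructed sample messages (not real mail). The receiving server has already
# stamped each one with an Authentication-Results header.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.co.uk;
 spf=pass smtp.mailfrom=example.co.uk; dkim=pass header.d=example.co.uk;
 dmarc=pass header.from=example.co.uk
From: Jane Smith <jane.smith@example.co.uk>
To: john@example.co.uk
Subject: Minutes from Tuesday

Attached are the minutes; nothing to action this week.
"""

# Direct spoof of the real domain: SPF and DMARC fail.
SAMPLE_SPOOF = """\
Authentication-Results: mx.example.co.uk;
 spf=fail smtp.mailfrom=example.co.uk; dkim=none;
 dmarc=fail header.from=example.co.uk
From: Jane Smith <jane.smith@example.co.uk>
To: john@example.co.uk
Subject: Urgent: payment needed today

I am out of the office but transfer 10,000 GBP to the client's account now.
"""

# Lookalike domain the attacker controls: SPF passes for *their* domain, but the
# display name is the boss's and replies are diverted to a third address.
SAMPLE_LOOKALIKE = """\
Authentication-Results: mx.example.co.uk;
 spf=pass smtp.mailfrom=example-co.uk; dkim=none;
 dmarc=none header.from=example-co.uk
From: Jane Smith <jane.smith@example-co.uk>
Reply-To: jane.smith.ceo@mail.example.net
To: john@example.co.uk
Subject: Quick favour

I need this done today. I am out of the office but transfer 10,000 GBP to the client's account now.
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results, defaulting to 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT.findall(str(header)):
            results[method.lower()] = result.lower()
    return results


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def assess(raw, org_domain=ORG_DOMAIN, executives=EXECUTIVES):
    """Return the list of reasons a message looks like spear phishing (empty if none)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Sender authentication: anything other than dmarc=pass leaves the From domain unverified.
    dmarc = auth_results(msg)["dmarc"]
    if dmarc != "pass":
        reasons.append(f"dmarc:{dmarc}")

    # 2. Display-name impersonation: an executive's name on an address outside the organisation.
    if display_name.strip().lower() in executives and from_domain != org_domain:
        reasons.append("display-name-impersonation")

    # 3. Lookalike domain: shares the organisation's first label but is not the real domain.
    if from_domain != org_domain and org_domain.split(".")[0] in from_domain:
        reasons.append("lookalike-domain")

    # 4. Reply-To that sends the conversation somewhere other than the From domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append("reply-to-mismatch")

    # 5. Urgency combined with a payment request in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgency+payment")
    return reasons


if __name__ == "__main__":
    for name, sample in [("legit", SAMPLE_LEGIT), ("spoof", SAMPLE_SPOOF), ("lookalike", SAMPLE_LOOKALIKE)]:
        print(f"{name:10} {assess(sample) or 'no concerns'}")
```

Run stand-alone, the script reports no concerns for the genuine message, a DMARC failure plus the urgency-and-payment combination for the direct spoof, and all five indicators for the lookalike-domain message. Note that the lookalike passes SPF, because the attacker controls that domain; this is why a DMARC pass alone is not enough and the display-name and lookalike checks matter. The keyword lists are deliberately simple and would need tuning on real mail, where words like ‘now’ appear constantly.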