What every business owner needs to know about phishing

Keep your data and team safe

It's likely you've heard of phishing and know you should stay away from it. But do you know what phishing attacks really are and how they work?

It's normal not to know the specifics, and that's okay. But the key to protecting your business from phishing is knowing exactly how the attacks work and which red flags to look out for.

To help you do just that, we have created this guide.

Phishing - what does it mean?

Cyber criminals bait unsuspecting victims into biting, just like you'd lure a fish onto a hook with a big juicy maggot.

The virtual bait usually takes the form of an email. When the victim opens the attachment or clicks the link inside it, their device is at risk of being infected with malware, which can then spread across the network to other devices.

In other cases, victims are enticed to hand over their login credentials, which can lead to the theft of money and data.

It isn't just that phishing is inconvenient. Repairing the damage costs time, money and stress, so avoiding phishing attacks in the first place is what you want.

It's also important to know that phishing doesn't always come in the form of an email. But more on that later.

To help you understand just how big phishing attacks have become, here are some scary stats…

· Last year 83% of organizations reported experiencing phishing attacks, up 28% from 2020

· An additional 6 billion attacks are expected this year

· A third of phishing emails are opened

· Around 90% of data breaches start with a phishing email

· 1 in 99 emails is a phishing attempt, and 25% of these slip through the security filters of a Microsoft 365 inbox

· 60% of successful phishing attacks result in lost data

· 52% result in compromised login credentials

· 47% lead to ransomware, where your data is encrypted and held hostage until you pay a ransom

How does a phishing attack look?

A phishing email drops into your inbox like any normal email.

Often it looks like it has been sent from a legitimate sender, so you don't suspect anything is wrong.

Be careful when an email claims to be from a popular company such as Amazon or PayPal.

In some cases the attacker will have learnt information about you, such as the services you subscribe to, and the email becomes all the more believable, and riskier.

At a glance the email won't look suspicious. Everything is as it's supposed to be, so you probably won't question the contents… especially as it's often an urgent request for you to act, which is distracting in itself.

This urgent request can take several forms: it could ask you to open an attached file, or to confirm the details of a recent purchase.

If you do, your device may become infected with malware. And if it's connected to a network, the malware could spread to other devices.

The other common approach is to ask you to click a link that takes you to a fake site imitating a service you use. When you log in there, you hand your credentials to the criminals.

It's not always an email that's used to carry out phishing attacks, is it?

Sadly, no. That would make things easier for those of us in defense. A phishing attack can take many forms. These are some of the most common ones…

Vishing: Like a phishing attack but done over the phone. Someone calls and pretends to be a person or company you know, or a representative of them. They'll ask you to take an action, such as giving them remote access to your device or visiting a website.

Pop-up phishing: The clue's in the name. This is phishing via a pop-up. It may say there's a problem with your device's security and ask you to click a button to download a file, or call a number to get it fixed.

Evil twin phishing: A fake Wi-Fi network is set up to look like the real one. Once you connect through it, the cyber criminal sits between you and the internet and can capture what you send, including any credentials you type into the fake login page it presents.

Angler phishing: Social media posts or accounts created to encourage people to log in to an online account or click a link that downloads malware.

Smishing: Like a phishing email, but sent over SMS straight to your phone.

Spoofing: A website created to look like the real thing, but isn't. Once you log in, you've given away your credentials (spoofing is used alongside other forms of phishing too).

Domain spoofing: You click a link whose address looks like the genuine one, except it has been faked, for example with a digit in place of a letter or the real brand name buried inside a different domain. Once you act on that site your details have been stolen or you have downloaded malware.

Oh, and there are different forms of phishing email to beware of too…

Spear phishing: Sent to specific people who have been researched to some degree, so the information in the email is more relevant and therefore more believable.

Whaling: Phishing emails that target people in executive positions, who are likely to have greater access to sensitive areas of the business and the authority to approve payments.

Clone phishing: Copies an email you've already received and adds a message such as 'resending this…', but swaps in a malicious link or attachment for you to click.

Man in the Middle attack: A cyber criminal jumps into an existing email thread, typically after getting into one participant's mailbox, and takes over the other side of the conversation. They already have your trust and can ask you to take a specific action, such as paying an invoice to a new bank account.

?That's enough for now, let's move on.

Who's at risk?

This threat should be taken seriously by everyone in your organization (especially you, as the boss; see whaling, above).

We can't ignore it on the grounds that "it won't target us because we're too small or obscure."

Throughout the day, cyber criminals use automated tools to target businesses of all sizes.

You don't read about small businesses being hit because those stories don't make the news.

Do you have examples of well-known phishing attacks?

Some of the biggest companies in the world have been fooled by phishing scams.

Between 2013 and 2015 an extensive phishing campaign cost Facebook and Google around $100 million.

Both companies paid fake invoices that appeared to come from Quanta, a Taiwanese hardware vendor they both used.

After the scam was discovered, Facebook and Google recovered just under half of what was stolen.

In 2014, Sony Pictures was the victim of a phishing attack that wasn't about money. The attackers were believed to be connected to North Korea and targeted Sony for refusing to pull a movie mocking Kim Jong Un.

Using fake emails, the attackers stole huge amounts of information from Sony's network, including internal email conversations, scripts and employees' personal information.

They even gained access to Sony's offices by impersonating IT staff and installed malware on Sony's computers.

Sony spent $35 million on IT repairs as a result of the attack.

How can we stay protected?

Educating yourself about phishing is the key to protecting yourself from this type of cybercrime.

Cyber security awareness training should be provided to everyone in your business on a regular basis.

It's essential that everyone knows the risks and the red flags, whatever device they are using.

A suspicious message may be a phishing attempt, or it may relate to one of the many other cyber threats that businesses like yours face every day.

Phishing attacks have a number of warning signs that you and your team should be aware of:

· Misspelled words, website addresses or email addresses

· Oddly named or unexpected attachments

· A generic greeting ("Dear customer") or an email addressed to someone other than you

· Poor grammar and punctuation

· An unusual layout to the email

If you hover your cursor over the sender's name in an email you'll see the actual address it was sent from, and hovering over a link shows where it really leads. Check both: the display name is whatever the sender typed, and the visible text of a link can say one site while the link goes to another. On a phone, press and hold the link to preview the address rather than tapping it.

Log in to your accounts directly through the website you always use, never via a link in an email.
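As an added illustration of the two checks above (the real address behind a display name, and the real destination behind a link), here is a small Python script that is not part of the original article. It parses a constructed sample email, compares the display name with the sender's domain, compares each link's visible text with where it actually points, and flags domains that imitate a short list of known brands, whether by swapping digits for letters ("paypa1") or by burying the real brand inside a different domain ("login.paypal.com.verify-account.xyz"). The known-domain list, the sample message and the digit-for-letter table are assumptions for the example, and the two-label "registrable domain" rule is a crude stand-in for a proper public-suffix lookup.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this (hypothetical) business genuinely deals with; an assumption for the example.
KNOWN_DOMAINS = {"paypal.com", "amazon.com", "example-corp.com"}

# Digit-for-letter swaps commonly seen in look-alike domains (paypa1, amaz0n).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Simple anchor matcher: the href attribute plus the visible text between the tags.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message for the example; not a real phishing email.
SAMPLE_EMAIL = """\
From: "PayPal Support" <billing@paypa1-secure.com>
To: owner@example-corp.com
Subject: Urgent: confirm your recent purchase
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, a payment of $499.00 was made from your account.</p>
<p>If this was not you, visit <a href="http://login.paypal.com.verify-account.xyz/signin">
https://www.paypal.com/signin</a> to review it.</p>
<p>Or read our <a href="https://www.paypal.com/help">help centre</a>.</p>
</body></html>
"""


def registrable_domain(host):
    """Last two labels of a hostname: a crude stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label):
    """Undo the tricks look-alike names rely on: digits for letters, hyphens."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "")


def imitated_domain(host):
    """Return the known domain this host imitates, or None if it is genuine or unrelated."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS:
        return None
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        # Real domain buried in a subdomain: login.paypal.com.verify-account.xyz
        if known in host:
            return known
        # Brand name with digit swaps or extra words: paypa1-secure.com
        if brand in normalise(reg.split(".")[0]):
            return known
    return None


def extract_links(html):
    """(href, visible text) pairs for each anchor in the HTML body."""
    links = []
    for href, text in LINK_RE.findall(html):
        visible = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", text)).strip()
        links.append((href.strip(), visible))
    return links


def analyse(raw):
    """Run the header and link checks over a raw message; return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # The display name is free text; only the address after '@' says where it came from.
    display_name, address = parseaddr(str(msg["From"]))
    sender_host = address.rpartition("@")[2]
    target = imitated_domain(sender_host)
    if target:
        findings.append(f"sender {address} imitates {target}")
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        if brand in display_name.lower() and registrable_domain(sender_host) != known:
            findings.append(f"display name '{display_name}' claims {known} but address is at {sender_host}")

    # For each link, compare the visible text with the real destination in href.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        target = imitated_domain(host)
        if target:
            findings.append(f"link to {host} imitates {target}")
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(f"link text shows {shown} but goes to {host}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample, the script reports four findings: the sender domain imitates paypal.com, the display name claims PayPal while the address does not, the first link's host buries paypal.com inside another domain, and that link's visible text names a different site from the one it opens. The third link (genuinely on paypal.com) produces no warning, which is the point: the check is about where a message and its links really go, not how they look.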

Check every email you receive, even if it's from a friend or colleague you know well; their account may have been taken over.

Use different login details for different online accounts, so that criminals who steal one password can't simply try it on other sites.

Make sure your passwords are long and randomly generated, using a password manager.

DO implement multi-factor authentication across applications (where you use a second device or a security key to prove it's really you logging in). Bear in mind that one-time codes and approval prompts can still be captured by a fake login page that relays them to the real site, so where a service offers it, prefer a security key or passkey, which only works on the genuine site.

It's a good idea to set up a dedicated email address for handling invoices. If you don't advertise the address, it's less likely to be targeted by phishing emails.

You can also agree codewords with clients or suppliers for emails about payments. If an email doesn't contain the codeword, you know not to process the transaction. Don't send the codewords by email; contact your suppliers another way to set up the scheme.

Finally, make sure your policies set out your stance on financial transactions and how to handle them. For example, you might decide that every transaction or change of bank details must be confirmed by phone, using a number you already have on file rather than one given in the email.

You can see there's a lot more to phishing than you might have thought. As attacks evolve, it's more important than ever to take them seriously.

If you want more information, or you need help protecting your business, get in touch.

Call 281 656 1099 or email [email protected]
