How to protect against email phishing scams

Blogs 16 Jan 2020

How can you protect your small business from email phishing scams? Our guide explains what to look out for and how you can avoid falling victim.


This content was last updated 11 September 20

Scams come in all shapes and sizes: dodgy emails, fake websites, SMS and WhatsApp messages. There are many kinds of attack, and they are growing in frequency.

Phishing attacks are the most common method used to breach organisations today and account for over 80% of successful attacks. All businesses, regardless of size, store information that is of value to cyber criminals, such as customer details or payment information.

With more small businesses operating online as a result of the coronavirus pandemic, there has been a significant spike in COVID-19 related cyber-crime, showing just how important it is to be vigilant.

What is a phishing scam?

Email phishing is a method used by cyber criminals to access valuable information, such as usernames and passwords or account details. The emails are often sent at random to thousands of people at a time.

The email claims to come from a reputable company such as your bank or credit card company, or even FSB. The most commonly imitated brands include Apple, Netflix, HMRC and WhatsApp.

However, scams can also be targeted. In spear phishing, the attacker poses as a trusted sender, such as one of your clients or suppliers, in order to get you to divulge confidential information or transfer funds; invoice fraud of this kind is seen with increasing regularity. While this requires more research on the attacker's part, you and your employees are far more likely to send such information, or process a payment, for someone you trust.

How phishing scams work

The emails try to panic recipients into visiting a bogus website, usually by claiming they need to “verify” or “update” their details, or “reactivate” an account.

Senders will typically ask users to click a link to a website designed to harvest credentials, or open an attachment – usually malware – that can infect devices.

Sometimes a phishing email doesn’t include a link at all. It may arrive as an unexpected invoice, perhaps threatening legal action if you don’t pay up immediately, or as a more positive message promising that you are due a tax rebate.

Phishing attacks are an all too common threat, and can cause security breaches and data leaks for businesses, no matter how small. In 2019, 31% of small businesses identified cyber security breaches or attacks.

How to avoid phishing scams

Sensitive information, including personal data, bank details and passwords, is often compromised in an attack. Staying GDPR compliant also means knowing how to protect that data.

Unfortunately, you can’t stop phishing emails from landing in your inbox, but you can learn how to spot a suspicious message and be prepared to deal with it safely.

The most important question to ask yourself is: was I expecting this email? If the answer is no, then think before you click.

Be wary of emails that:
  • are unsolicited and supposedly come from a reputable organisation, such as a bank or credit card company.
  • don’t use your proper name, but instead have a vague greeting such as “Dear customer” or “Dear Sir/Madam”.
  • request your personal information such as username, password or bank details – legitimate organisations will not ask for passwords or full card details by email.
  • come from an address that doesn’t match the organisation’s real domain – check the actual sender address, not just the display name, which can say anything. Watch for lookalike domains (extra words, hyphens or a different ending) and for a familiar-looking name that is really a subdomain of something else, such as yourbank.co.uk.verify-login.net.
  • use words like ‘urgent’, ‘important’ and ‘attention’ – a popular tactic is to create a sense of urgency or panic.
  • are poorly written. Emails from official organisations are usually proofread before they are sent and rarely contain typos or grammatical errors. Treat errors as a warning sign, but not the reverse: a well-written email can still be a phish.
  • ask you to log in through a link – rather than following the link, reach the site by typing the address yourself or using a bookmark, and log in there. Before clicking any link, hover over it to see where it really goes; the visible text and the destination can differ.
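To make the address and link checks above concrete, here is an added example written for this page (it is not FSB's code) that applies the warning signs in the list to two constructed sample messages. The trusted-domain list, the greeting and urgency word lists and both sample messages are assumptions made for the example, and every check is a heuristic: an empty result does not prove a message is safe, and a well-written phish sent from a plausible domain will pass.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the domains you legitimately get mail from,
# and the phrases treated as generic greetings or pressure tactics.
TRUSTED_DOMAINS = ("examplebank.co.uk", "fsb.org.uk")
GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear user")
URGENCY_WORDS = ("urgent", "important", "attention", "immediately", "suspended")
HOST_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?")


def is_trusted(host):
    """True for a trusted domain or a subdomain of one. The suffix must match,
    so 'examplebank.co.uk.login-verify.net' is NOT trusted."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def sender_domain(from_header):
    """Domain of the real address. The display name is ignored: it can say
    'Example Bank Security' no matter who actually sent the mail."""
    _display_name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def host_of(url_or_host):
    """Hostname of a URL, or of a bare 'www.example.com' string."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    return (urlparse(target).hostname or "").lower()


class BodyParser(HTMLParser):
    """Collect the visible text and every (href, link text) pair."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._link_text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._link_text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Heuristic warning signs for one message; [] is not proof of safety."""
    msg = message_from_string(raw_message)
    parser = BodyParser()
    parser.feed(msg.get_payload())
    text = (msg.get("Subject", "") + " " + " ".join(parser.text)).lower()
    warnings = []
    domain = sender_domain(msg.get("From", ""))
    if not is_trusted(domain):
        warnings.append(f"sender address domain is not trusted: {domain}")
    if any(g in text for g in GENERIC_GREETINGS):
        warnings.append("generic greeting instead of your name")
    found = [w for w in URGENCY_WORDS if w in text]
    if found:
        warnings.append("urgency language: " + ", ".join(found))
    for href, link_text in parser.links:
        target = host_of(href)
        # Visible text that looks like an address while the link goes elsewhere.
        if HOST_LIKE.fullmatch(link_text) and host_of(link_text) != target:
            warnings.append(f"link text '{link_text}' actually goes to {target}")
        if not is_trusted(target):
            warnings.append(f"link to untrusted host: {target}")
    return warnings


# Constructed sample messages for the example (not real mail): one phish, one legitimate.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank-secure.com>
To: owner@smallbiz.example
Subject: URGENT: verify your account
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended. Please visit
<a href="http://examplebank.co.uk.login-verify.net/">www.examplebank.co.uk</a>
to verify your details.</p></body></html>
"""

LEGIT_SAMPLE = """\
From: Example Bank <statements@examplebank.co.uk>
To: owner@smallbiz.example
Subject: Your October statement is ready
Content-Type: text/html

<html><body><p>Dear Ms Patel,</p><p>Your October statement is now available in
online banking. Type our address into your browser as usual, or see
<a href="https://www.examplebank.co.uk/help">our help page</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(sample))
```

Run it and the constructed phish produces five warnings (untrusted sender domain, generic greeting, urgency words, link text pointing somewhere else, and an untrusted link host) while the constructed legitimate message produces none. The domain check deliberately compares suffixes rather than looking for the brand name anywhere in the host, which is what defeats the examplebank.co.uk.login-verify.net trick.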

While phishing attacks are now more prevalent than ever, there are plenty of ways you can reduce your organisation’s risk and potential exposure to attack.

Staff training

User education is vital. Teach your team how to spot fake emails and make sure they’re aware of the processes that are in place in your cyber security policy.

Employees who don’t know how to spot a phishing attempt could put your organisation at serious risk.

Monitoring

If your business has several employees, it may be worth investing in an email filtering service that scans inbound links and attachments and quarantines suspicious emails before they reach the recipient.

Virus protection

Install and regularly update anti-virus protection across all of your organisation’s devices, including computers, tablets and mobile phones.

Patch it up

Always patch software when new updates become available. Ideally, all software across all devices should be set to update automatically.

Micro-manage your passwords

Using the same or similar passwords across a range of services makes it easy for attackers to access all of your accounts after a single breach. Use a password manager to create a strong, unique password (long, using a mixture of letters, numbers and symbols) for each individual account.

Watch our on-demand cyber security webinar for more tips on how you can protect your business from scams.

How to report phishing scams

If you’re unfortunate enough to have been fooled by a phishing attempt, remember, you’re not the only one. Please feel free to contact the cyber helpline who will be happy to provide you with advice and recommendations to identify your level of risk.

It’s important to identify as soon as possible what information has been stolen and whether malware has been installed. If you entered a password, change it immediately, and change it on any other account where you used the same one. If you’ve given out personal information, such as banking information or credit card details, contact the relevant companies immediately and let them know what has happened.

FSB Cyber Protection are here to help you with support and advice if your business has been breached.

You can also contact Action Fraud, the UK’s national fraud and cyber-crime reporting centre. It provides a central point of contact for information about fraud and cyber-crime and can help you report fraud if you’ve fallen victim.


 

FSB Cyber Protection

Providing access to both an advice line and a limited insurance designed to support and protect your business at no extra cost.
