Hackers use various methods to access sensitive information. Malware, ransomware, and viruses are some of the more well-known tools and strategies. Increasingly, companies are deploying sophisticated software that protects against these types of attacks. Unfortunately for businesses, there is one cyber-security weakness that no amount of programming can account for: human staff. Employees can be tricked into downloading these harmful viruses through the use of phishing emails. This article will explore what phishing emails are and the damage they can cause to your company. Thankfully there are ways to reduce the risk of falling prey to these attacks, and we’ll cover those, as well.
What are phishing emails?
Phishing emails are designed to deceive recipients and convince them that the emails are from an authentic source. There are two styles of phishing email. The first typically mimics an authentic email from a third party, such as a courier or financial institution. The emails are written to convince the reader to click through to a website with phrases like, ‘click here to verify your payment details’ or ‘confirm your details to authorise delivery’. Once on the counterfeit website, users freely give hackers login and password details, or have malicious software downloaded without their knowledge. This type of phishing email is usually sent en masse, with no personal details included in the content.
The second type of email is more sophisticated, and often takes an extremely targeted form. Hackers invest time in researching a company, and can work to gain login details for an employee’s email account. Once they have this authentic access, targeted emails can be sent to unsuspecting employees. Staff are fooled into discussing confidential or sensitive information, or transferring large sums of money to external accounts. An even more nuanced form of this so-called ‘spear phishing’ is CEO fraud – when C-suite email is hacked, it is used to send demands to low-level employees. The combination of unfamiliarity with the executive’s communication style and the implied appeal to authority can lead to significant data breaches.
In one recent case, an SME was seeking new business premises. An employee received an email, purportedly from the Managing Director, instructing them to transfer a large sum of money to an unknown account. It was assumed to be a rental down payment and was sent immediately. Unfortunately, the email was fraudulent and the money was stolen (the error was identified quickly and the bank was able to step in to reduce the losses).
Why are they so effective?
Phishing emails are effective for a number of reasons. As mentioned above, often genuine accounts are hijacked, or official marketing emails are impersonated, which makes it difficult to discern a duplicitous source. In addition to this, phishing emails
- Can be effective more than once as they can be forwarded within the company,
- Can be used as part of a multi-pronged attack, in concert with other styles of hacking,
- Rely on busy, distracted employees failing to notice discrepancies in email content.
Costs to UK businesses
Statistics indicate that small and medium businesses are suffering greatly from phishing attacks. In general, SMEs are vulnerable because they have fewer IT resources to dedicate to cyber-security measures, compared to larger corporations. This doesn’t just apply to precautions, either. Attempts to recover money or data after a successful phishing attack can be expensive, time consuming and difficult – a recipe for disaster for businesses with a reduced capacity to absorb these costs.
Cyber-attacks were estimated to cost UK businesses an estimated at £29.1 billion in 2016. Phishing emails were reported as the most common type of attack. In 2017 there has been a spike in phishing attempts, both in the UK and further afield. In particular, the recent waves of breaches caused users to download malware and Trojan programs that installed keyloggers, stole passwords, banking and other personal data.
How to identify a phishing email
It’s not always easy to protect your business against phishing emails. Ensure that your anti-virus and cyber-security protocols are up to date as a sensible precaution. The most effective action a small business can make is to train staff to spot malicious emails. Refresh this training regularly so it remains ‘top of mind’ for staff at all times. Encourage staff to:
- Check for spelling errors in official-looking emails,
- Check if personal information is absent when it is usually included (mass-mailed phishing emails are not commonly personalised),
- Look out for sudden changes in familiar email formats from known companies,
- Be consistent – check if the email address used is the one linked to the purported service,
- Think critically – do they remember entering a competition? Are they expecting a delivery? Does their financial institution ever ask for login details via email?
- Confirm through a separate channel – call to confirm details, or login directly through official websites to check claims.
In addition to encouraging staff to think critically about email security, businesses can implement structural and policy changes to reduce the risk of phishing breaches. Automatic scheduled password changes are an example of a structural change. A policy may be that personal passwords must not be used for company accounts. It’s not uncommon for passwords to be recycled – if a personal email account is breached successfully, it can quickly lead to company-wide infiltration.
A word on smart devices
Smart devices are ubiquitous in business. They come with both pros and cons when it comes to phishing attempts. It is challenging to identify falsified emails on smartphones because the screens are smaller, limiting the ability to vet the content accurately. Users are often multi-tasking or distracted, which reduces the level of vigilance applied to inspecting content. The protective element here is that most malware is designed to operate on computers, so will not download or function on smart devices. Be aware that this may change as hackers develop new methods over time.
About Mustard IT, your cyber-security partner
Mustard IT provide the design, build, installation and maintenance of secure IT servers and networks. Our trusted team are experienced able to explain complex issues to you in a language you’ll understand. Contact us today to find out how we can help you.