There are well-known threats to data security when it comes to operating in the digital sphere. Your internal networks can be vulnerable to viruses, malware, ransomware and theft. There is no doubt that anti-virus software and other structurally protective measures provide solid shielding for your data. Did you know there is one weakness in your cyber security defences that software cannot protect against? It might surprise you, but you and your staff are more likely to invite a hacker into your network than any other method of security breach. Malicious actors have become proficient at fooling employees into downloading virus-laden documents and files through their email accounts. When breaches are created through false and deceptive email attacks they are known as ‘phishing emails’ – a play on words that reflects the attempt to hook an unsuspecting employee and fool them into opening a gateway into secure networks.
This article will talk about the different types of phishing emails that are out there, and how to work with your staff to identify them before they become problematic for your business’ cyber security.
Different types of phishing emails
There are three common varieties of phishing email to look out for. If your business is targeted by a dedicated team of hackers, they will seek to gain access to an employee’s email account. They may aim for an account from the management team. Hackers can scour social media and networking platforms for chatter about recent business or team events. They will combine this information with the authentic email address to write internal emails to staff. The emails may direct staff to transfer money to specific bank accounts or request confidential data or login details. Even if it would be unusual for an employee to receive communications like this, often the social references and the authority of management are enough to reduce doubt.
The second type of phishing email is less targeted but is effective because it is sent to thousands of email addresses every day. Hackers only need a very small number of people to act on the information inside for a profit to be made. In these cases, emails are made to imitate legitimate organisations like money transfer companies, delivery services or account management updates. The emails will invite readers to click through to a website to update details or confirm payment. Unfortunately, the websites are fraudulent and capture any details entered, which are then used to gain access and steal money or information.
A third variation of phishing email can be a combination of the two forms above. Sometimes, hackers will load virus software into Word documents (using the Macros function) or compressed files. Often these files will be named innocuously such as ‘invoice’ or ‘resume’. Unfortunately, once the file is opened the virus software can become active inside the networks. Depending on the intention of the hackers, this may not become apparent for some time.
Identify phishing emails
Your staff will need to learn how to identify phishing emails. There are some common markers to watch out for, such as:
- Impersonal greeting such as Hello or Dear without any first name included,
- Spelling errors or grammatical mistakes (multi-million-dollar companies can afford to proof-read their communications),
- Delivery notification when no delivery is expected,
- A lack of properly branded formatting or logos, or lack of consistency from previous emails,
- A misspelled email address (think email@example.com instead of firstname.lastname@example.org),
- Unsolicited invoices or other files that are out of context from typical correspondence.
If a link is followed, the fraudulent website may mimic a real brand but will often prompt users to input sensitive account data without signing in and may not have other links on the page that would take users to other parts of the legitimate website.
Let staff know what to do if they think they have received a phishing email, and what to do if they’ve acted on the information inside.
- Go directly to the company’s website from a separate tab to verify any attempt at contact,
- Phone or visit the supposed sender of intra-company emails to verify requests in person,
- Do not click on any links or files,
- Forward to the IT department and to the imitated company’s fraud team immediately,
- Follow the IT team’s instructions about what to do with the email, and
- If the links have been followed or documents downloaded, contact IT immediately to alert them of the possible threat.
There is little an IT team can do to prevent phishing emails from activating threats to your business. Because human behaviour is the main risk factor, the best you can do is invest in educating your staff about the risks and the signs to watch out for. That said, there are a few structural changes you can put in place to help reduce the risk of hacking and of viruses being downloaded to your systems.
Force password updates regularly. Many people use common passwords across personal and company accounts. Frequent updates reduce the risk of a single personal breach becoming a company issue.
Be aware that phishing emails can also impact mobile devices. Users are frequently distracted and may not vet emails as closely, and the smaller screen may obscure smaller errors or other red flags in formatting. Ensure anti-virus protection and password security are firm on all company devices.
Disable macros in Word documents. There will be little or no impact on functionality for staff, but doing so will close the back door on virus activations.
Tighten email protocols. Use your email client’s security settings to display all email addresses in full and to expose hidden links. You may also be able to disable automatic downloads of documents.
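As an added example that is not part of the original article, the Python script below checks one raw email for three of the markers listed earlier (an unrecognised or lookalike sender address, an impersonal greeting, and link text that names one site while the hidden link target goes elsewhere), which is the same information the "expose hidden links" setting above surfaces for a reader. The allow-list of known sender domains and the sample message are assumptions constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the business expects mail from (not from the page).
KNOWN_SENDER_DOMAINS = {"example-bank.com"}
# Constructed sample, not a real email: lookalike sender domain, impersonal
# greeting, and link text naming one site while the href goes elsewhere.
SAMPLE = """From: Account Team <support@examp1e-bank.com>
Subject: Confirm your payment
Content-Type: text/html

<html><body>Dear Customer,<br>
Please <a href="http://examp1e-bank.com/login">sign in at example-bank.com</a>.
</body></html>
"""

class _LinkCollector(HTMLParser):
    # Records (href, visible text) for each anchor so the real target is exposed.
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))
            self._href = None  # one text chunk per anchor is enough here

def phishing_markers(raw_message):
    # Returns the red flags from the list above that are present in one raw email.
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    findings = []
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"unrecognised sender domain: {sender_domain}")
    if re.search(r"\b(Dear|Hello)\s+(Customer|User|Sir/Madam)\b", body):
        findings.append("impersonal greeting")
    parser = _LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        named = re.search(r"[\w-]+(\.[\w-]+)+", text)
        if named and named.group(0).lower() != host:
            findings.append(f"link text says {named.group(0)} but href goes to {host}")
    return findings
```

Running phishing_markers(SAMPLE) reports all three markers for the constructed message, and an empty list means none of these particular signs were found, not that the email is safe.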
Computers in the City, your cyber security partner
Computers in the City is London’s longest standing IT partner. With over 20 years’ experience, we can assist you to meet your IT support, digital security and cloud computing needs. Let us help you develop the cyber security culture in your business. We’re proud to be local, offering 24-hour support in straightforward language that takes the stress out of IT support.