Recommendations to Protect Your Business From Opportunist Phishing Attacks

As most of us are aware of the physical attacks happening in Ukraine, we should all be mindful of the increasing risk of cyber-attacks. Although there is not much you can do about a state-sponsored cyber-attack, there are ways to protect yourself and your business from those trying to take advantage of others in this already devastating time.

Although most of us want to help, we need to be aware that there are scammers ready to take advantage of your generosity. Be careful with emails asking for donations or urging you to click links, and be equally careful when someone you have corresponded with before tells you their payment details have changed. The best way forward is to donate to a certified charity, such as the Red Cross, through its own website.

Spear phishing attacks are already the most likely form of cyber-attack you will face. Cyber criminals may disguise these attacks as a charity or a company representative (an IT manager or the CEO) to trick your employees into giving away sensitive data. Spear phishing attacks target companies and use your employees as the weak point. Although many of us feel comfortable thinking we know what a scam looks like, cyber-criminals have become more sophisticated, making these attacks much harder to detect. Knowing what to look for in a phishing attack is a good preventative measure. As a business, it is also advisable to highlight these points to all members of staff, as 43% of organisations fall victim to a spear-phishing attack.

Areas to consider when you suspect a phishing attack
1. Impersonation

The first thing you should do is look at the sender's email address. Many scammers will try to mimic an email address from a trusted source, such as your bank or a colleague. These addresses have small differences that are easily missed if not examined properly, for example using ‘rn’ in place of an ‘m’. If you are unsure of the characters in a sender’s address or name, copy it into a word processor document; this will highlight any spelling errors. For any links in the email, hover over them to see the real URL and check it for suspicious wording or spelling errors.
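As an added example (not part of the original article), a small Python check that automates the two things this section asks the reader to do by eye: compare the sender's domain against a list of trusted domains after undoing common character swaps such as ‘rn’ for ‘m’, and compare a link's visible text with the host its href really leads to. The trusted list, the sample message and the table of look-alike characters are all constructed for illustration.

```python
import re
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Sequences commonly used to imitate another letter; multi-character entries
# come first so 'rn' becomes 'm' before single characters are swapped.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def normalize(domain: str) -> str:
    """Collapse a domain to what a hurried reader would 'see'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def lookalike_of(sender: str, trusted: list) -> Optional[str]:
    """Trusted domain the sender's domain imitates, or None. An exact match
    is fine; a different spelling that normalizes to the same text is not."""
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    if domain in trusted:
        return None
    return next((t for t in trusted if normalize(domain) == normalize(t)), None)

def shown_host(text: str) -> str:
    """Host named by a link's visible text, or '' if it is not a URL/domain."""
    text = text.strip().lower()
    if "://" in text:
        return urlparse(text).hostname or ""
    return text if DOMAIN_RE.match(text) else ""

def mismatched_links(html: str) -> list:
    """(visible_text, real_host) pairs where hovering reveals a different host."""
    found = []
    for href, text in LINK_RE.findall(html):
        real = (urlparse(href).hostname or "").lower()
        shown = shown_host(text)
        if shown and shown != real:
            found.append((text.strip(), real))
    return found

# Constructed sample message and allow-list, not taken from a real incident.
TRUSTED = ["example-corp.com", "redcross.org"]
SAMPLE_FROM = "Finance Team <accounts@exarnple-corp.com>"
SAMPLE_HTML = ('<p>Donate at <a href="http://redcr0ss-donate.invalid/x">www.redcross.org</a>'
               ' or <a href="http://example-corp.com/help">Click here</a>.</p>')
```

Running `lookalike_of(SAMPLE_FROM, TRUSTED)` names `example-corp.com` as the domain being imitated, and `mismatched_links(SAMPLE_HTML)` reports the first link only, because its visible text claims one host while the href goes to another.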

2. Content

Poor grammar, spelling errors and simple mistakes within an email can be a sign of a phishing email. Check that the subject line is relevant both to the email and to your relationship with the sender. Also look at the time the email was sent (e.g. outside office hours). All of these points can act as a signpost that this is not a legitimate contact.

3. Calls to Action

There would be no point in a fraudster doing all of this if they did not want something from you, for example clicking a link or sending money. As more consumers become aware of trending scams, cybercriminals change the way a scam looks. Clicking links that deliver hidden malware, typing your bank details and passwords into what seems to be a legitimate website, buying gift cards on behalf of someone in your company, or downloading an attachment are all common calls to action. We highly recommend that if a call to action in an email feels suspicious, you take these steps before acting on it:

  • Check the links before clicking them (hover over the URL)
  • Speak to your contact through a different channel to confirm it is them
  • Don’t download attachments you weren’t expecting, and
  • Speak to someone in IT who can support you.

4. Urgency

When someone who has authority over you, for example a director in your company, contacts you with an urgent task, it is easy to make simple mistakes. Examples of these urgent actions are your ‘bank’ texting you to say your account has been hacked and to click the link to set a new password, or your ‘boss’ asking you to pay an urgent invoice. If you receive correspondence like the examples above, or any message that puts a time constraint and a real sense of urgency on you, take time to think and clarify with a colleague or with the individual. It’s easy to make simple mistakes when you feel pressured, so take time to consider the source and the request, and if you are still not 100% sure it’s legitimate, contact the person or organisation through a channel you already know to be reliable.

5. Relationship

It is normal to receive an email from someone new, or from someone you don’t usually have this form of correspondence with. However, it can also be an indication of a phishing email. Review the email address carefully, alongside the other points covered in this blog, to check its legitimacy, and if you need additional support, contact your IT team to help confirm.

It is vital to know the key features and common traits of phishing attacks in order to prevent possible breaches. Being mindful of the areas covered in this article will build your awareness of what to consider and help reduce the risk you face from a phishing attack. However, user awareness will only protect you so far. We therefore recommend that you also have the right visibility and detection tools in place, such as email protection, to defend against more sophisticated threats.

If you have been affected by cybercrime, please speak to The National Cyber Security Centre to help stop phishing attacks.