Don’t get phished

Phishing attacks have been around since the 1990s, but they’re still causing trouble for SMEs across the globe. All it takes is one misplaced click from an unwary employee to give attackers the keys to your most sensitive data, or cause mass service outages.

It's crucial to understand how phishing scams work, so you can educate your employees and protect your business against potential attacks.

Phishing: a cybercrime classic

Phishing is one of the oldest cyberattacks in the book: essentially, it’s a confidence trick. Phishing attacks typically involve an attacker communicating with their intended victim via email, social media or even by phone, and getting them to disclose valuable information (like login details, bank account numbers, website passwords etc.).

Corporate phishing attacks are either fired out in a scattergun approach to reach as many users as possible, or they target specific members of your team. Often the email or online message is a spoof that appears to come from a reputable source. Traditionally, the scam asks your users to provide personal details, such as corporate logins, giving hackers access to your network.

Another tactic involves tricking your user into clicking on a malicious link or opening an attachment. This, in turn, could download covert malware with the goal of either stealing sensitive corporate information or, if it’s ransomware, locking you out of your own systems until you pay a ransom.

For example, in May 2017 Gmail users were targeted by emails that appeared to come from a trusted contact. If a user clicked the attached file and granted the fake app it opened permission to manage their email, the criminals gained full control of the account, and the email then sent itself on to all of the user’s contacts.

How to stay safe

So, what can you do? There are lots of steps you can take; here are 10 of them:

  1. Keep your operating system patched and up-to-date.
  2. Download the latest version of your web browser software.
  3. Check the URLs of any link in an email by hovering over the link or using a site like CheckShortURL for shortened links.
  4. Never click on links in unsolicited emails.
  5. Only download software from trusted sites, avoiding free screensavers, clocks and other apps.
  6. Check whether the URL is safe before visiting a new site, e.g. via a WHOIS search.
  7. Make sure your ISP has strong anti-spam and anti-phishing measures in place.
  8. Check your bank statements for suspicious or unfamiliar transactions and contact your bank if anything looks amiss.
  9. Use two-factor authentication, when available, to make your online accounts more secure.
  10. Update all your software and apps to stay abreast of the latest security patches.
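Tip 3 (hover over a link and check where it really goes) can be scripted for a mailbox or gateway that handles HTML mail. The example below is an added illustration, not code from the original article: it parses the anchors in an HTML message body and flags links whose visible text names one domain while the href points at another, links that go through a URL shortener, and links that point at a bare IP address. The sample email and the shortener list are constructed for this example, and the "registrable domain" helper is a deliberate simplification (it takes the last two labels; a production check should use the Public Suffix List).

```python
"""Flag suspicious links in an HTML email body: a scripted version of
'hover over the link and check where it really goes'.

Added illustration, not code from the original article. The sample email
and the shortener list are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of common URL-shortener hosts; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Matches visible link text that looks like a URL or bare domain and
# captures the host part.
DOMAIN_RE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)", re.I
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url):
    """Return the lower-cased host of a URL, adding a scheme if it is missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude 'registrable domain': the last two labels. Good enough for a
    demo; a production check should consult the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return a list of (href, reason) for links that warrant a closer look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if IPV4_RE.fullmatch(host):
            findings.append((href, "link points at a bare IP address"))
        if host in SHORTENER_HOSTS:
            findings.append((href, "shortened URL hides the real destination"))
        m = DOMAIN_RE.match(text)
        if m and registrable(m.group(1).lower()) != registrable(host):
            shown = m.group(1)
            findings.append((href, f"visible text says {shown} but link goes to {host}"))
    return findings


# Constructed sample message: a quota scare with a look-alike login domain,
# a shortened link and one legitimate link.
SAMPLE_EMAIL = """<p>Your mailbox is almost full.</p>
<p><a href="https://mail.example-login.net/verify">https://mail.example.com/quota</a></p>
<p>Or use <a href="http://bit.ly/2xyz">this short link</a>.</p>
<p>Help: <a href="https://mail.example.com/help">support pages</a></p>"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

The mismatch check is the one that matters most: attackers rely on the visible text looking right while the href goes elsewhere, which is exactly what hovering reveals. Shortened links and IP-literal links are not malicious in themselves, but both hide the destination, so they are worth surfacing for review before anyone clicks.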