Email is a vital tool for modern business, providing an affordable and simple communications solution for SMEs and enterprise organisations throughout the world. Never has this form of communication been so important for staying connected. However, as technology has grown to boost available business opportunities, so has the exposure to online security threats and email system vulnerabilities. Accessing the web is among the most important needs for any business – and supplying safe web access is vital for productivity in all businesses today.
Unfortunately, each working day, staff and management are subject to an ever-escalating volume of email spam. While this troublesome trend shows no sign of abating, there are systems and solutions available to minimise the probability of email phishing scams hooking you and your staff. A recent report by Proofpoint stated that ‘80% of the overall threat landscape is using the Coronavirus as a theme in their attacks. This includes attacks that don’t outright mention Coronavirus in the subject or body of a message but instead reference it within attachments, links or lures. Attackers are taking advantage of a once-in-a-century crisis to wreak havoc on security systems.’ [1]
What Are Phishing Emails?
Phishing is the term used for when a cybercriminal sends you some type of electronic message to deceive you into doing something risky.
Phishing scams are generally fraudulent email messages that appear to come from legitimate enterprises (e.g. your clients, suppliers, Internet service provider or bank). These messages usually direct you to a spoofed site or otherwise get you to divulge private information, such as your passphrase, credit card or other account information. The perpetrators then use this personal information to commit identity theft. One common kind of phishing scam comes in the form of an email saying that fraudulent activity has been detected on your account, with a request for you to “click here” to verify your information.
The “fishing” metaphor refers to the concept of getting you on the hook and then reeling you in. The scammers behind this kind of crime, known colloquially as phishers, usually use email because it is surprisingly easy to generate messages that look very realistic. However, phishing attacks may also arrive via social media, SMS or other instant messaging platforms (including Facebook Messenger).
Below are a few examples of the techniques employed by phishers to gain access to staff accounts:
- Staff receive an invoice detailing a minor or low-cost purchase from a well-known site, complete with duplicated logos and text from a real invoice. At the end of the email message is a legitimate-looking link to discuss or query the pricing. Often staff don’t recall making the purchase, so there is a tendency for them to click the link and log in. After clicking, they are redirected to an imposter login page, and their password is captured by the cybercriminals directly from that page.
- Staff receive an email from an applicant looking for a role currently advertised on your company website. Attached to the email is a file that appears to contain a CV. The tendency of staff is to open it, but opening it launches a malicious file which permits cybercriminals to install malware on the local PC.
- Staff receive a marketing or promotional email that invites the recipient to enter a (realistic in appearance) survey in return for an opportunity to win a shopping voucher, iPhone, holiday or similar reward. Recipients who elect to complete the survey will be asked to supply personal information that typically would not be asked for, such as their birthday, home address or credit card details.
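The first two lures above leave traces that a mail gateway or a help-desk triage script can check before a recipient ever clicks: a link whose visible text names one site while its real target is another, and a “CV” whose final file extension is executable. The following scanner is an added example written for this article, not code from the original page or from Proofpoint; it uses only the Python standard library, and the sample message, the hostnames it contains and the list of risky extensions are all constructed for illustration.

```python
"""Heuristic scanner for two phishing patterns: a link whose visible text
points one place while its href points another, and an attachment that
disguises an executable as a document. Standard library only."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that execute when opened. Assumption: illustrative, not exhaustive.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                    ".ps1", ".lnk", ".docm", ".xlsm"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL, or '' if it has none."""
    if "://" not in url:          # let bare "www.example.com/x" parse as a host
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """Links whose visible text names a different host than the real target."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # Only anchor text that itself looks like a URL or hostname can lie.
        shown = _host(text) if ("." in text and " " not in text) else ""
        if shown and shown != _host(href):
            findings.append((text, href))
    return findings


def risky_attachments(msg):
    """Attachment filenames whose final extension is executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            names.append(name)
    return names


def scan(raw_message):
    """Return human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in mismatched_links(body.get_content()):
            findings.append(f"link text '{text}' but target {href}")
    for name in risky_attachments(msg):
        findings.append(f"executable attachment disguised as document: {name}")
    return findings


# Constructed sample (not a real message): the invoice lure with a spoofed
# link, plus a "CV" that is really an executable.
SAMPLE = """\
From: "Accounts" <billing@example.com>
To: staff@example.org
Subject: Invoice #1042 - query your order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Query this invoice:
<a href="http://login.example-invoices.test/verify">https://www.example.com/account</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="CV.pdf.exe"
Content-Disposition: attachment; filename="CV.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("FLAG:", finding)
```

Running the file prints one flag for the mismatched link and one for the disguised attachment. The checks are deliberately narrow: anchor text that reads “click here” is not judged, and a link whose visible text and target share a host passes, so the scanner complements rather than replaces the staff advice that follows.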
How to Combat Phishing Scams
Phishing can be difficult to recognise because phishers do not always make obvious spelling or grammatical errors that most people associate with email scams.
The phishers may already know the correct names and addresses of staff members from looking at contact or staff pages, so obvious giveaways such as “Dear Sir/Madam” or an unspecified addressee aren’t always present.
Four Techniques To Prevent Staff Email Scams
- Tell your staff to never enter passwords to login pages that are displayed after clicking a link in an email. Instead, advise staff to bookmark the official login pages of their favourite websites or type the URLs into their browser from memory.
- Advise everyone to avoid opening attachments in emails from senders they do not know. This is especially important for staff (including HR or accounts) who regularly handle attachments in their daily work.
- Establish an address within your organisation for email and online security questions (e.g. firstname.lastname@example.org). That gives your users a fast way to ask about unexpected emails and unsolicited attachments.
- Remind staff that if in doubt, do not give it out!
Ref: [1] Proofpoint report, 2020, via https://securitybrief.co.nz/