How to defend against phishing emails

There are plenty of scams out there, aimed not only at you as an individual but also specifically at businesses.

This means it’s imperative you know what to look for and how best to keep yourself, and your organisation, protected from such crimes.

Phishing emails are one such example. But what are they?

Phishing is when a cybercriminal attempts to get malware and exploits into a network, and credentials and sensitive data out.

To do this, a cybercriminal dresses up a malicious link to look legitimate – often appearing as a financial institution or popular service, e.g. the post office. For business-specific scams, the email will often look as though it comes from inside the company.

These emails often have an urgent tone or include the name of a colleague to entice you to click without thinking. The content often suggests your account has been compromised, your order cannot be filled, or someone you trust is trying to send you a file. Sound familiar?

Spotting phishing emails can be difficult, but there are ways to protect you, and your organisation, from them.

Here are 5 steps to help keep you secure:

1. A genuine email from your company will be more likely to reach recipients’ inboxes than to get filtered into spam. So, if you find something that looks to be from a colleague in the spam box, it’s best to check with the sender directly before you click any links or reply with sensitive information.

2. Are you up to date? Many people can be guilty of putting off updates, whether that’s at home or at work. However, the first line of defence against attacks is the anti-malware software on your network or device. It takes seconds and can be the difference between a phishing email slipping through or being filtered out.

3. Check the URL of any embedded links. To do this just hover over the links in the email. But do not click on them. Does the destination URL match the site you would expect? Is anything going to be downloaded? Are they using a link shortening service? When in doubt use this method instead of immediately clicking.

4. Passwords. A lot of business phishing content will be looking for an ‘in’ to your company systems and data; you can make that a lot harder by looking at your password practices.

  • Don’t email passwords, or other such sensitive information, between colleagues. And make sure everyone is aware this isn’t the company norm. If passwords need to be shared, consider using a password manager, such as MYKI, that allows for secure sharing.
  • Further to this, some password managers can recognise real websites and will refuse to autofill on fake websites.
  • A single sign-on method works similarly – the device recognises and signs into the real website automatically.
  • Any damage an attacker causes will be proportionate to the privileges of the credentials they have compromised. Regularly review and revoke privileges when they’re no longer required, so employees only have access to what they need for their roles.

5. Awareness. There are workshops, courses and talks, as well as plenty of free educational material out there to help businesses train staff, or for an individual to teach themselves, to recognise phishing. When delivering training or holding discussions around cybersecurity, ensure you:

  • Make it clear that phishing can be difficult to spot. Do not expect people to be able to identify them 100% of the time. And never punish users who are struggling to recognise phishing emails; those who fear reprisals will not report mistakes promptly, if at all.
  • Training should encourage reporting of future incidents and reassure that it is OK to ask for further support when something looks suspicious. Messages should be inclusive of all departments including HR, support and senior management.

Remember:

If you’re suspicious at all, always forward on the email or contact your IT department / provider. They can take it from there. It’s better to take preventative action where possible.

What next?

If you are uncertain or have questions about cybersecurity, then speak with SupportWise. Why not give us a call, send us an email – [email protected] or fill in the form on our contact page?
