Don’t take the bait: how to safeguard your business from phishing attacks
What is phishing?
Phishing is more than just a misspelt variation of a popular countryside activity. It’s also a key risk to businesses – one that we all need to be aware of.
Simply put, phishing is any attempt to trick a victim by pretending to be a trustworthy source. The victims can range from CEOs, to key employees, to regular customers. The supposed “trustworthy sources” can range from software providers, to financial services, to our bosses and colleagues and business partners. And the tricks can range from stealing login details, to inducing fraudulent bank transfers, to installing malware on the victim’s device.
Phishing has been around as long as the internet. For much of its history, this has simply posed a risk to our personal accounts, finances & devices. But since almost all businesses are digital-first, it’s now structural business risk to which companies need to pay attention.
Why is phishing becoming more of a risk?
As much as we have become used to the easily spotted spam emails landing in our personal inbox and junk folders, there are reasons for us to remain vigilant as phishing becomes more of a risk to businesses. With the rise of home working & cloud use accelerated by the global pandemic, it’s more likely for us to fall for phishing scams, and the value at risk from those scams has also increased.
Firstly, we’re communicating digitally in our day-to-day processes rather than meeting in-person in our offices. This means we’re used to receiving emails, WhatsApps, texts and other messages from our co-workers, bosses, and clients throughout the day, and these aren’t as unusual as they once were. And because we’re relying on these media more often, our use of them has become much more casual.
How many times have we sent a joke that we’d otherwise have just said to our colleagues? And how many times have we requested quick favours from others that we’d otherwise have just asked at their desk? And how many times have our clients sent over quick requests that would otherwise have waited for in-person meetings or scheduled calls?
This casual approach to digital communication has lowered our guard, making mistakes – wrong recipients, accidentally-clicked links and quick replies – more possible. And on top of this prolific use for our personal business communications, we’re also receiving an overwhelming number of confirmations, verifications and notifications.
All of this combines to make us vulnerable to getting duped by a phishing scam:
That routine “verify your login” email? I’ll click the link to get that done!
That text from the delivery company for me to track my parcel? I’ll visit that site to see if it’ll arrive before lunch!
That message from a colleague with the company’s 2021 remuneration adjustments attached? I’m definitely having a look at that!
These are just some of the easily openable phishing messages that victims have received, allowing attackers to steal important personal details and install malware.
Phishing isn’t just becoming easier to fall for, as the examples above show, but it’s also becoming increasingly devastating for individuals and businesses that fall victim to these scams. With an ever-higher number of our business services hosted online or “in the cloud”, criminals can access ever more valuable assets through these digital-first phishing attacks.
Many of our core business functions are now hosted online – from business assets stored in the cloud (e.g. code in GitHub, designs in Adobe Creative Cloud, or other files hosted across Office 365 and G Suite) to business bank accounts primarily used online. So, if an attacker is able to successfully phish a victim, they can access codebases to launch a further attack, steal valuable customer data, or simply rob the company’s bank account. All present attractive prizes for would-be criminals.
Furthermore, since many users re-use their passwords between many of these services, an attacker getting their hands on one means they also have access to a whole host of other valuable services. This access to multiple accounts also enables them to perform more sophisticated attacks and thefts (for instance, if they have access to an email account, they’re also able to click on any confirmation emails that come through for other services).
What can I do to protect myself from phishing?
While the risks posed by the phishing threat may seem daunting, thankfully there is a small number of simple steps that you and your business can take to protect yourselves. The first set of these centre around protecting your accounts, in case you do fall for a sophisticated scam. And the others focus on reducing the risk of those scams being successful in the first place.
To protect your accounts, the first and most powerful thing you can do is to start using a password manager, such as LastPass, 1Password, or even the in-built options from Google Chrome and MacOS Keychain. These password managers allow you to set a different, strong, random password for each of your accounts. This means that if an attacker is ever able to compromise one account, all of your other logins are still secure since none share the same password. As a bonus, the password manager will remember which password is for which account, meaning you’ll never forget a password again!
Additionally, it’s possible to ensure that you’re safe even if an attacker gets access to the password for an account, using something called multi factor authentication (MFA). MFA means that when logging-in to an account, you will also use a second code sent to you via SMS or by an app. Without this second code, an attacker with your password won’t be able to log in, meaning you have an extra layer of protection in case your details are stolen in a phishing attack.Both of the above methods are great for ensuring that your logins are secure even in the case of a successful scam.
However, you can also take some steps to reduce the possibility for scams to be successful. At a personal level, we always recommend that you don’t click on emails that you’re not expecting. This is especially true if the email is claiming to be for security purposes or includes an attachment/file that you’d be excited to open! If you’re running a business, you can arrange training sessions to help your employees spot and avoid these scams. Businesses can also implement inbound email security settings to filter out risky emails before users even have the chance to see them!
The KYND phishing tool
We have partnered with KYND, who have built a tool to help our clients’ business’ susceptibility to phishing. Simply input the email addresses of some of your employees and our system will send “phishing” emails to them over the course of a week. We’ll make a note of how many arrive into recipient inboxes and how many are clicked on. This will allow you to guide your staff on their internal IT policies as well as help inform how effective training schemes are. Much better than waiting until an attack happens!
If you would like to discover more about the KYND Phishing Simulator and other fantastic benefits exclusively available to our clients please get in touch with our lovely team at Ascend who will be happy to help.