Phishing attacks are rising: Is your business protected?
24/02/2022
Phishing attacks are on the rise and the sophistication of these attacks is expected to grow further in the coming year. With that in mind, we look at what phishing is, why it’s a problem and what you can do about it.
One in every 3,722 emails in the UK is a phishing attempt, according to Symantec.
It’s a problem that impacts most companies in the country, yet just 34% of organisations regularly provide their employees with security awareness training for email, Tessian research suggests.
With experts suggesting that the sophistication of phishing is expected to increase in the coming year, it’s arguably more important than ever to protect your business from these attacks.
What is phishing?
‘Phishing’ is a type of cyber-attack where criminals pretend to be a trusted entity to trick their victims into:
- providing sensitive or confidential information (such as passwords and bank details)
- sending money to individuals or organisations
- downloading something that infects your computer
The term ‘phishing’ is mainly used to describe attacks that arrive by email, but they can also be conducted via text message, social media or phone call.
Around half of cyber-attacks in the UK involve phishing (roughly 20% higher than the global average).
The importance of being vigilant
When a business experiences a phishing attack the consequences can be severe, particularly when a data breach occurs as a result. Some of the potential consequences of a successful phishing attempt are detailed below:
1. Reputational damage
When a company experiences a data breach its policies and procedures can come into question and sometimes this can lead to an impact on reputation. This is particularly true for larger businesses whose data breaches often become mainstream news.
2. Loss of custom
News of a data breach can travel fast and make other businesses (customers, suppliers and sometimes even potential investors) feel uncomfortable about the possibility of increased risk to them. This can impact relationships and even trading levels.
3. Regulatory fines
Failing to keep customer data secure can result in penalties of up to £17.5 million or 4% of a company’s annual global turnover – whichever is higher.
4. Business disruption
Even the smallest of data breaches can cause significant disruption and may carry an opportunity cost as well as the cost of recovering from an incident.
How to spot a phishing email and safeguard your business
Phishing attacks are constantly evolving, and cybercriminals are becoming more and more sophisticated in their endeavours. Because of this, phishing attacks are becoming more convincing and harder to detect – yet there are some tell-tale signs to look out for:
🚩 The sender’s email address doesn’t tally with the trusted organisation’s website address
This could be a completely different address, a free mail address, or an address that differs by just a single character, which makes it hard to detect – for example, a ‘-’ instead of a ‘_’.
🚩 A sense of urgency
Phishing scams often use words and phrases such as ‘urgent’, ‘important’ or ‘act now’ to trick you into responding quickly. These can be written as if they come from a colleague or superior, asking you for a quick response and engagement. For example, ‘Please let me know when you might be free to meet’ or simply ‘Are you free to talk now?’
🚩 Threatening language
Scam emails often threaten you with fines or other negative consequences, such as the closure of your account or loss of service from commonly used accounts or apps.
🚩 A prominent website link
Website links can be forged or seem very similar to a proper address, but even a single character’s difference means a different website. If you do click through to the website be wary that fraudsters often copy websites of businesses that were previously live but are no longer, or create sites for businesses that are live but don’t have a web presence. So, it’s always worth looking up any businesses that are new to you.
🚩 A request for personal information such as username, password or bank details
Remember, your bank (or any other official source) will never ask you to supply personal information via email.
🚩 You weren’t expecting to get an email from the company that appears to have sent it
Criminals often pretend to be important people or organisations to trick you into doing what they want. If in doubt, do not click on a link. Instead, search for the business and contact them using details provided on a secure website (those with a lock appearing in front of the URL).
🚩 Suspicious content
Be wary if the entire text of the email is contained within an image rather than the usual text format, if the image contains an embedded hyperlink to a bogus site, or if there are lots of spelling and grammatical errors.
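Several of the flags above (a near-miss sender domain, urgency wording, a request for credentials, a near-miss link) can be checked mechanically before a message reaches a reader. The Python filter below is an added example, not part of the original article; the trusted domain `mybank.example`, the flag names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"mybank.example"}          # assumption: domains you really deal with
URGENCY = ("urgent", "important", "act now")  # phrases quoted in the article
SENSITIVE = ("username", "password", "bank details")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True if domain is exactly one character away from a trusted domain."""
    return any(edit_distance(domain, t) == 1 for t in TRUSTED_DOMAINS)

def red_flags(raw_email):
    """Return the red flags found in a plain-text (non-multipart) message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = [(urlparse(u).hostname or "").lower()
             for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    checks = [
        ("lookalike-sender", is_lookalike(sender_domain)),
        ("urgency", any(p in text for p in URGENCY)),
        ("asks-for-credentials", any(p in text for p in SENSITIVE)),
        ("lookalike-link", any(is_lookalike(h) for h in hosts)),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample messages (not real mail).
SUSPICIOUS = ("From: MyBank Security <alerts@my-bank.example>\n"
              "Subject: URGENT: account suspended\n\n"
              "Act now and confirm your password at http://my-bank.example/verify\n")
BENIGN = ("From: MyBank <statements@mybank.example>\n"
          "Subject: Your monthly statement\n\n"
          "Your statement is ready. Sign in through the app as usual.\n")

if __name__ == "__main__":
    print(red_flags(SUSPICIOUS))
    print(red_flags(BENIGN))
```

A message that raises none of these flags is not thereby safe; the checks only cover the signs that can be read from the headers and text.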
To mitigate risk
DON’T:
- Click on any links
- Reply to the email
- Open any attachments
- Supply any information
- Attach any attachments
- Use any contact information supplied in the message
DO:
- Forward the email to the Suspicious Email Reporting Service (SERS): report@phishing.gov.uk
It is also worthwhile to contact the organisation the attack appears to stem from (the real business, assuming you can trace it) directly, using the details from their official website, which serves to alert them too.
How to protect your business from email phishing attacks
As the threat from phishing increases, businesses must do all that they can to safeguard their company from these attacks and decrease their cyber risk.
This video from the National Cyber Security Centre (NCSC) gives tips on how to do just that.