How to prevent Phishing attacks – Your staff are the first line of defence.
Your staff are the primary target for cyber attacks and Phishing scams. Attackers target businesses large and small through a combination of fake emails and telephone calls. So how can you keep your business, and your staff, safe and prevent such attacks?
Email scams and telephone scams
Cyber attackers commonly rely on social engineering: non-technical, malicious activity that exploits your staff's everyday interactions to obtain information about internal processes, configuration and security policies, and ultimately to gain access to devices and networks. Such attacks typically work by posing as a credible, trusted authority to convince the target to hand over sensitive data, or access to your business' IT network and systems.
A typical example is a telephone call or email telling an employee that their computer is sending bad traffic to the internet. To "fix" the issue, the employee is asked to call or email a tech support hotline, where they are prompted for information such as usernames and passwords.
An email from the boss
One of the most common forms of attack is email Phishing – an attempt to acquire sensitive information such as usernames, passwords and other data by masquerading as a trustworthy, known person. Such emails often spoof the company CEO, a customer or a business partner, and do so in a sophisticated, subtle way so that the victim believes they are responding to a legitimate request. Among the reasons these scams succeed is the appearance of authority: your staff are used to carrying out CEO instructions quickly, and without question. That is why Phishing is so easy to fall victim to.
4 Common Phishing techniques
The scope of Phishing attacks is constantly expanding, but attackers tend to rely on one of these four tactics:
- Embedding links in emails that send users to a fraudulent website, controlled by the attacker, that requests sensitive information
- Installing Trojans via a malicious email attachment, or placing malicious ads on a website, that exploit software vulnerabilities to obtain sensitive information
- Spoofing the sender address of an email so that it appears to come from a reputable source, then requesting sensitive information
- Attempting to obtain company information over the telephone by impersonating a known company vendor or the IT department
Your staff should always be suspicious of potential phishing attacks, especially if they do not know the sender. The following practices help make sure employees do not become easy victims.
5 Ways to protect your staff from Phishing attacks
Attackers keep varying their lures, but the defences stay the same. You can protect your staff from Phishing attacks in five ways:
Don’t reveal personal or financial information in an email
Be suspicious of all emails that request personal or financial information, and do not click links in such emails. If in any doubt, report the email to the person or team that looks after your IT. Always follow the first rule: if in doubt, do not click or open.
Check the security of websites
This is a key precaution to take before sending sensitive information over the internet. A URL beginning with http:// means the connection is unencrypted and anyone on the network path can read or alter what is sent; https:// means the connection is encrypted and the browser has checked that the site's certificate matches the domain in the address bar. Note that https only proves you are talking to the domain shown, not that the domain is honest: phishing sites routinely use valid certificates, so the padlock is necessary but not sufficient. Also consider whether staff are following safe browsing habits. Sites that do not serve a legitimate business purpose are more likely to contain harmful links.
Pay attention to website URLs
Not all phishing emails or links look like attacks, so your staff may be lulled into a false sense of security. Teach them that many malicious websites fool end users by mimicking legitimate ones. One way to sniff this out is to look at the actual URL (hover over the link if it is hidden behind nondescript text) and check that it is the domain they expect. Employees can often detect and evade the scheme by spotting variations in spelling (examp1e instead of example) or a different top-level domain (.net instead of .com).
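As an added example (not part of the original article), the following Python function applies the URL checks above to a link as it would appear in an email, and goes a little beyond the text: besides a misspelt brand and a swapped top-level domain it also flags link text that names a trusted site while the link goes elsewhere, a trusted brand used as a subdomain of an unrelated domain, a brand name embedded in a longer hyphenated name, an address whose username part hides the real host, and plain http. The trusted domains, the short public-suffix list and the sample links are assumptions constructed for the example; a production version would use the full Public Suffix List and also handle internationalised (punycode) hostnames.

```python
"""Spot lookalike links: an added example of the URL checks described above."""
from urllib.parse import urlsplit

# Assumed: the legitimate domains staff deal with (made up for the example).
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}

# Stand-in for the Public Suffix List: suffixes that span two labels.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """'login.examplebank.com' -> 'examplebank.com'; 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href: str, anchor_text: str = "") -> list:
    """Return a list of warning tags for a link; an empty list means no tell-tale found."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []  # the real site, whatever the path or subdomain
    findings = []
    # 'https://examplebank.com@evil.net/': everything before '@' is a username;
    # the browser actually connects to evil.net
    if parts.username is not None:
        findings.append("userinfo-hides-host")
    if parts.scheme == "http":
        findings.append("plain-http")
    # The visible link text names a trusted site but the href goes elsewhere
    if any(d in anchor_text.lower() for d in TRUSTED_DOMAINS):
        findings.append("text-destination-mismatch")
    r_sld, _, r_suffix = reg.partition(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        t_sld, _, t_suffix = trusted.partition(".")
        if host.startswith(trusted + "."):
            findings.append(f"brand-as-subdomain:{trusted}")  # examplebank.com.secure-login.net
        elif r_sld == t_sld and r_suffix != t_suffix:
            findings.append(f"wrong-tld:{trusted}")  # examplebank.net
        elif t_sld in r_sld:
            findings.append(f"brand-embedded:{trusted}")  # examplebank-secure.com
        elif edit_distance(r_sld, t_sld) <= 2:
            findings.append(f"lookalike:{trusted}")  # examp1ebank.com
    return findings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email
    samples = [
        ("https://www.examplebank.com/login", "www.examplebank.com"),
        ("https://examplebank.net/verify", "https://examplebank.com/verify"),
        ("http://examplebank.com.secure-login.net/", "Log in to ExampleBank"),
        ("https://examp1ebank.com/", "examp1ebank.com"),
        ("https://examplebank-secure.com/", "Secure login"),
        ("https://examplebank.com@evil.net/login", "https://examplebank.com@evil.net/login"),
    ]
    for href, text in samples:
        print(f"{href:48} {assess_link(href, text) or 'ok'}")
```

The early return on a trusted registrable domain is what makes the other checks safe: login.examplebank.com is the bank, whereas examplebank.com.secure-login.net is not, and the difference is only visible once the registrable domain has been extracted. The same function can be pointed at a mail gateway's link rewriter or a browser extension; the trusted list is the part that needs maintaining.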
Verify suspicious email requests
Contact the company the email claims to be from directly. If a member of your team receives an odd-looking email from a well-known company, such as a bank, instruct them to contact the bank by a route other than replying to the email or calling a number it contains. It is best to use the contact details printed on an account statement or published on the company's official website – NOT the details provided in the email.
Keep a clean machine
Using the latest operating system, software and web browser, together with antivirus and malware protection, is one of the best defences against viruses, malware and other online threats. Keeping everything up to date can be difficult for busy staff, so the business may want to invest in a managed IT services provider such as us, who can also be a trusted adviser for all IT needs.