£11,000.
That is the average amount that small business across the UK lose to cyber-attacks every single year.
The widespread problem of cyber-attacks is growing yearly. However, the pandemic has led to an explosion in attacks. According to cyber-security firm Mimecast, email-based security threats have soared by 64 percent.
That means that your business is more at risk of cybercrime than ever before. It is therefore critical to ensure that you and your staff are educated about the current threat landscape, and what you need to do to avoid falling victim to malicious phishing emails.
Fortunately, the team at entrust IT Group have years’ of experience guiding our clients through the minefield that is cybersecurity, and we have pooled our knowledge to provide you with a clear picture of what to look out for, and how to keep your data safe.
Social Engineering & Spoofing
Social Engineering attacks work by tricking unsuspecting individuals into divulging confidential or personal information that will be used for fraudulent purposes. This is typically done by a process called spoofing, whereby an attacker masquerades as a legitimate person or business using a carefully constructed email or email address.
The emails encourage the recipient to send bank information, money, or login details to the imposter, which can later be used to steal money or begin a devastating attack such as ransomware. They will typically contain a link or downloadable attachment which is designed to pique curiosity. The attacker will also disguise themselves as a friend, a colleague, or a boss.
Phishing or Spear Phishing
Phishing is a type of social engineering attack. The attacker uses a carefully constructed email, designed to look like it is from a reputable source, to try to encourage the recipient to click a malicious link, or input sensitive information such as login details.
Typically, a phishing email will look like a commonly used service, such as Amazon or Apple. This is because they will garner the broadest reach. Phishing emails are getting better, but they usually have some tell-tale signs that will expose them. Look for the following in an email you receive:
- Spelling mistakes or punctuation errors
- Check the email address to make sure it looks correct
- Check links by hovering your mouse over them. DO NOT CLICK.
- Starting an email with ‘Dear Member’ or ‘Dear User’, rather than your name
- Emails requiring urgent action
Spear phishing differs slightly from normal phishing in that it is designed to specifically target one organisation, or even one individual. This attack take planning and research to target the right individual and is therefore somewhat more malicious. An example of this would be a spoofed email from a particular person’s boss, asking for money to be transferred urgently or bank details to be inputted. The attacker is relying on the fact an employee is less likely to question their boss if they ask for something urgently and will give over what is requested without delay.
Business Email Compromise (BEC)
BEC is a type of spear phishing designed to target companies who conduct wire transfers or have suppliers abroad. Publicly available email addresses of high-level executives are spoofed or compromised through keyloggers or phishing attacks to be used for fraudulent transfers.
These attacks differ from traditional phishing in that they use legitimate, but compromised, email accounts to work – making them extremely difficult to spot. They typically use 5 types of scam, according to cybersecurity firm Trend Micro:
- The Fake Invoice Scheme - Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
- CEO Fraud - Attackers pose as the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to the account they control.
- Account Compromise - An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
- Solicitor Impersonation - Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Normally, such fake requests are done through email or phone, and during the end of the business day.
- Data Theft – Employees under HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.
Ransomware, Trojan and other Malware
To catch you out with malware or ransomware, an attacker must trigger a person to download an attachment. By clicking on a malicious attachment and triggering a download, an employee can unknowingly run a malicious programme which, once it is inside your network, is difficult to stop.
If you do happen to click on a malicious attachment by accident, speed is critical. The best thing to do is to disconnect your device from the internet as quickly as possible, as the trojan may need to download malicious code from the internet to harm your device fully. It will also try to spread across your network to infect other devices, so the faster you can get it offline the better. If you can turn your device off completely, that will help too. Make sure that you mark it is being infected and notify your IT team immediately so that they can conduct relevant steps to keep you and your corporate network safe.
What you should do to stay safe
There are three main ways you can keep your company safe amid this new, more advanced threat landscape. Those are:
- Education and Training
- Advanced Anti-Virus (AV) software
- Email Filtering
First and foremost, training your staff to spot malicious emails is critical. Since people are often the weak spot in a company’s defences, training your staff is absolutely essential to protect your data. A great way to start is using entrust IT Group’s security awareness courses. These short courses are emailed to all of your staff and their results are collated in a clear portal, allowing management to see which team members need more assistance. The service even sends example phishing emails to your staff to see which of them will be fooled.
Strong AV solutions are critical to eliminate a malicious programme before it can cause damage to your network. The entrust IT Group recommends Sophos Endpoint X, as it has some of the strongest protection, including Ransomware protection, on the market.
Finally, Email filtering will dramatically minimise the numbers of phishing emails working their way through to people’s inboxes, thus reducing the opportunities for compromise.
As more and more of us are working remotely, with weaker security systems in place, we can expect that cyber attacks will become more prevalent. With that in mind, it is so important to be prepared. No business is immune, regardless of their size, so you should ensure that you are protected.
To learn more about cyber security, download our FREE White Paper for some handy tips and tricks!
