According to Mimecast, impersonation fraud jumped by almost a third during the first 100 days of the coronavirus pandemic, as cyber criminals looked to take advantage of how many people are suddenly working remotely.
Nobody wants to fall prey to a phishing scam. There’s a good reason that such scams will continue, though they are successful enough for cybercriminals to make massive profits. Phishing scams have been around practically since the inception of the Internet, and they will not go away any time soon. Fortunately, there are ways to avoid becoming a victim yourself. We will take you through TIPS that will help you to help you stay safe from phishing attacks.
The number of phishing attacks and other email-based cyber-criminal campaigns continues to rise, with most organisations having witnessed an increase over the past year – but despite this, under half of businesses provide awareness training about cyber threats on a frequent basis.
Phishing attacks continue to pose problems for businesses around the world and, according to The State of Email Security 2020 report from cybersecurity company Mimecast, 60% of organisations believe it's inevitable that they'll fall victim to an email-based attack over the course of the next year.
What are phishing attacks?
Phishing is a broad term, and actually encompasses a range of different strategies that hackers use to try and track their employees. Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masked as a trusted entity, dupes a victim into opening an email, instant message, or text message. An attack can have devastating results.
Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.
An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.
Phishing Emails
The most well-known kind of phishing attack is the phishing email. Pretty much everyone will have received one of these at some point. Below is an example of such an email where the customer is being informed of winning a huge prize money. This, in many cases can lead to the receiver clicking on the the link. This is what the hackers want. We advice not to click on any such email link.
.jpg?width=248&name=Phishing%20email%20example%20(personal%20emails).jpg)
Spear-Phishing and Business Email Compromise
An advanced kind of phishing attack is spear-phishing. Spear-phishing is defined as hackers actually impersonating a trusted sender, like a business contact. They will then go to users, impersonating someone they know, and ask them for account information, or ask them to make a payment.
Phishing Websites
There is also the issue of phishing websites to consider. When surfing the web, users may come across pages that look legitimate, but are really phishing pages, that are designed to look genuine, but will actually be scraping your user data. Around 1.5 million new phishing sites are created every single month, according to Webroot. Below is the example of a website that shows Microsoft login but the URL is not of Microsoft. Please refrain from adding any personal information on such URLs.
.png?width=571&name=MicrosoftTeams-image%20(2).png)
How has remote working increased the risk of phishing?
Many organisations offer flexible working practices, with employees working from home on an occasional or full-time basis. Employees often feel obliged to check work emails on personal computers or phones outside of business hours.
Most companies will therefore already have some experience of the processes involved in home working and the security vulnerabilities associated with remote access. However, the rollout of a remote workforce in the wake of COVID-19 has challenged even the most prepared organisations. One of the biggest problems was the spike in cyber-attacks targeting the uncertainty and fears surrounding the pandemic.
Without the security protections that office systems afford us – such as firewalls and blacklisted IP addresses – and increased reliance on technology, we are far more vulnerable to cyber-attacks.
According to Deloitte, "cyber criminals are adapting their tactics and are now targeting people in their homes, which in many cases, is now their office too. As working from home becomes a gateway to new forms of data theft, companies face increased cyber risk.
However, cyber criminals attempting to access corporate data, customer information and intellectual property are not the only threat to businesses - employees can also be a weak link in corporate IT security systems".
Tips to avoid phishing attacks when working remotely
-
Prevent phishing attacks by email filters
As they're so hard for users and for security technologies to detect, phishing attacks are often very successful. So how can you stop them? Your first line of defence against phishing is a secure email gateway.
Email gateways are used to filter out harmful and malicious emails, and quarantine them automatically away from user inboxes. A good email gateway will block 99.99% of spam emails, and will remove any email that contains any malicious links or attachments. This means they are crucial in stopping users from receiving fraudulent phishing emails.
Email gateways also expose when accounts have been compromised, and so can prevent business email compromise attempts within your organization, and stop your accounts being used to send out spam or phishing emails to companies that you work with. Having an email gateway in place is important for organizations of any size. There are a number of different vendors providing cost-effective, easy-to-use and highly secure email gateways that will help you to stop phishing attacks.
-
Train your staff
Make staff aware of these issues, train them in managing sensitive data and remind them of the company’s code of conduct and related rules. Working from home introduces new cyber risks and employees need to be adequately trained in their responsibilities.
-
Check security measures
Regularly check that the security measures taken to protect new and tactical IT solutions (including cloud-based solutions) deployed are effective. Many solutions were rolled out under enormous time pressure at the beginning of the crisis and IT staff now needs to ensure effectiveness of security controls. -
Increase security
Step up security monitoring of both devices and users to enable companies to proactively identify and correct mistakes made by users in managing sensitive data. -
Access your capabilities to manage attacks
Assess capability and capacity to recover from catastrophic cyber-attacks effectively, such as a widespread ransomware attack. This includes the capability to get the entire IT infrastructure back up and running as soon as possible after such an event.
-
Validate effectiveness
Validate the security effectiveness of your most important service providers, suppliers and sales partners. Weaknesses in the supply chain can cause major cyber and data breaches.
Common myths about phishing attacks
Enterprises are not the target, consumers are
Most business' consumer phishing has evolved into an enterprise attack because:
1. Employees reuse passwords from their personal accounts on their business accounts
2. Attackers have learned that they can get inside our networks by exploiting our employee’s personal accounts
Phishing is all about opening attachments
Few years back researchers saw more phishing lures lead victims to URL-based threats that originate from multiple channels including SMS messaging. So, it is not just about the email attachments. The first thing that the attackers do is - compromise a legitimate website or register a fake domain. Once the environment is established and the targets are identified, phishing messages are sent to the victim who is often compelled to investigate the message claim. Some of the most effective messages targeting both consumers and employees refer to online order delivery or business financial transactions.
Security controls at my perimeter are all I need
If you think that security controls in your perimeter are enough, then you must read this. With the move to cloud apps, traditional perimeter controls often can’t be applied in the same way. Moreover, the ease and speed at which malicious domains can be deployed to support targeted phishing attacks renders our traditional perimeter defences only partially effective, as blocking domains becomes a never-ending game of whack-a-mole that leads to false positives and false negatives.
Guidance on keeping safe and secure whilst working remotely
With more and more companies working remotely, it is even more important to talk about keeping safe when working remotely. Let us see what all can businesses do in their capacity to keep safe whilst working remotely.
- Use antivirus software.
- Make sure your system and programs are up to date.
- Pay attention to WiFi and network security.
- Secure your privacy with a VPN.
- Avoid oversharing your screen.
- Beware Covid-19 related scams.
- Don't share personal information in messages or social media.
- Create a good working environment.
If you have any questions regarding cybersecurity, get in touch touch with us today. For a FREE consultation around cybersecurity for your business, please click on the below button.
