Last year scammers stole £1.2bn from the British public. Their favourite tactic: taking over your email account with convincing phishing emails.
There’s been a huge uplift in the number of spam emails being sent. This has risen from 204 billion in February 2019, to 459 billion at the start of June 2019. Not only are phishing emails becoming more and more numerous, they’re becoming ever smarter, and more difficult to identify.
So our Internet Security team have compiled some expert guidance to help you avoid joining those alarming statistics.
What is Phishing?
Phishing combines ‘phreaking’ (a dated form of phone hacking) and ‘fishing’. Hackers send out bait and see who unwittingly hands over access to their sensitive data in response. Phishing emails look genuine and mimic trusted email providers to trick you into giving away your password. Once they have your login details, hackers can take control of your actual email account.
Dangers of Spam Emails
Remember, our email account is ‘the key’ to every other service we use. Sophisticated phishing scams allow hackers to take control of your entire account.
If a hacker gains access to your email account, they could:
– Read your emails to learn more about you, e.g. who you usually send and receive money from, no questions asked.
– Reset your passwords for any websites/services you are registered with.
– Identify who sends payments in your organisation and how to request money transfers.
– Send emails to clients and contacts requesting future invoices are paid elsewhere.
– Interfere with business communications and deals.
– Access your contact list to send further scam/phishing emails from your account.
In one recent case, hackers emailed the victim’s bookkeepers asking them to pay an invoice, first for £2000, then £8000. They backed up their claim with a seemingly genuine email conversation back and forth.
Another example saw a solicitor send £120,000 to a fraudulent bank account after receiving an email with “updated bank details”.
What does Phishing look like?
Unfortunately, phishing emails often appear harmless, yet they almost always request direct action. A phishing email will usually consist of an error message, alert, or notification, offering a simple resolution: click a link and enter your username and password:
“Hi NAME, Your account on X@Y.com will be disconnected … you need to resolve the errors on your account … [BUTTON]”
Once you’ve clicked the button it’ll take you through to a login screen that’ll look legitimate. Nothing will usually happen once you’ve logged in but your username and password will then be saved on the scammer’s database. Once inside, they can cause potentially devastating damage to your business, finances and reputation.
How to Protect yourself Against Phishing Scams
There are a range of cybersecurity measures you can take, from implementing everyday habits to upgrading your systems.
- Be Vigilant. If you get an email you are not expecting that is asking you to take action, check with your IT support team. Always confirm with a phone call to the official listed number before transferring money or updating bank details etc. Don’t fall for a fake phone number included in the email.
- Switch on two-factor authentication (2FA). Link your Microsoft account to an authenticator app on your mobile phone, so that each sign-in also requires a temporary passcode generated on a separate device. The process takes just 20-30 minutes to set up and provides significantly enhanced security.
- Enrol on Cyber Security Awareness Training. Ongoing training ensures you and your staff are aware of the latest threats and how to spot them. Our user-focused awareness training is easily accessible through our automated online platform. We begin by determining your users’ current vulnerabilities, to enrol them on a personalised course of digestible modules. Phishing simulations test your knowledge in a real-life situation with data-driven reporting for improvements and compliance tracking.
- Enable Office 365 Advanced Threat Protection. Secure your Microsoft Office suite with industry-leading, automatic updates that evolve with the software. With the Office 365 Threat Intelligence service, you can access the latest warnings about malware found both inside and outside of your organisation, right down to the specific lines of code at risk. Protect your system with this 365 add-on.
- Store Complex Passwords in a Password Manager. Always use a unique, random password for each website and service you subscribe to. Store all of your passwords securely in a cloud Password Manager, with unlimited usage for the whole business. Within a Password Manager, you can share credentials safely and audit every access, with the stored data protected by AES-256 encryption.
- Monitor Dark Web Data Breaches. Monitor your domain for any user/passwords that appear for sale on the Dark Web. The Linten team offer this monthly service to help customers stay one step ahead of hackers.
Other Spam Emails to be Aware Of
Other types of spam emails include:
- Unsolicited Advertisements (low/medium risk).
We’re all familiar with spam emails for weight loss cures, male enhancement pills/pumps/lotions, unscrupulous dating sites, etc. To most people it’s clearly not a great idea to buy from these emails. It could just be a waste of money, or potentially dangerous if you’re buying non-approved medicines. These types of emails can generally be blocked with a spam filter like Microsoft Advanced Threat Protection or Symantec Email Security.cloud.
Also known as ‘Nigerian Scammer’ emails, you’ll usually receive an email out of the blue from a stranger claiming to be an agent for a long-lost relative, a bank manager, or a government worker offering you a large lump sum. Naturally, to release this lump sum you need to wire an administration fee to your ‘agent’… never to be seen again. Spam filters work well for these emails. But if some slip through the net, we recommend Cyber Security User Awareness Training to ensure you’re not tricked into anything.
- Trojan Horse Emails (high risk).
This email type is usually a nondescript email enticing you to click an attachment or a link. Clicking will execute a script that attempts to install malware onto your device. This malware can take many forms: ransomware, a keylogger, spyware, or a general virus. Ransomware in particular can cost a business a lot of money, as it generally attempts to encrypt all files on a PC/network and then charges you to have them decrypted. Alongside User Awareness Training, minimise risk with business-grade Antivirus solutions.
- Email Spoofing (high risk).
Spoofers send emails that seem to come from a known address, but actually originate from an unauthorised, external server. Amongst other scams, spoofers may send malware attachments or request money for a false invoice. Microsoft Advanced Threat Protection, alongside correctly set SPF records, will help to combat this type of email spam.
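To show what a “correctly set SPF record” actually does for a receiving mail server, here is a small, added illustration (not Linten’s code or part of the original article) of how SPF evaluation works: the receiver looks up the sender domain’s SPF TXT record and checks whether the connecting server’s IP is listed. The domains, IP ranges and the in-memory DNS table below are constructed sample data; the code only handles the ip4, ip6, include and all mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (sample data, not real domains).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifiers: "+" (default) pass, "-" hard fail, "~" soft fail, "?" neutral
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record for domain, or None if it publishes none."""
    record = dns.get(domain)
    return record if record and record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns one of pass/fail/softfail/neutral/none/permerror, a subset of the
    results defined in RFC 7208. A 'fail' means the sending server is not
    authorised for the domain, i.e. the message is most likely spoofed.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms (e.g. include) to 10
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"  # no SPF policy published: receivers cannot judge the sender
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":  # catch-all, usually last: decides unmatched senders
            return QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # Membership test is False when address and network versions differ
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches only if the referenced domain's policy passes
            if check_spf(argument, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an "all" term
```

With the sample record, mail from 203.0.113.45 or from the mail host’s 198.51.100.10 passes, while a message claiming to be from example.com but sent from 192.0.2.7 hits `-all` and fails, which is exactly the signal a spam filter uses to reject spoofed invoices.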
To discuss any cybersecurity concerns in more detail, or to learn more about our training and security services, get in touch with our expert support team.