According to global insurance broker, Marsh, phishing cost UK businesses £29.1 billion in 2016. Two years on there’s no doubt that the industry is still suffering at the hands of cyber criminals using this tactic – having to pay billions of pounds to negate these attacks and invest in preventative tech measures.
This is because cyber criminals are still very much engaged in their underhanded ways. In June this year, Her Majesty’s Revenue and Customs (HMRC) said in a statement that new figures show that a record number of malicious sites have been removed. Taxpayers were still warned to be vigilant or stand the risk of losing substantial amounts of money to online crooks.
While the average man on the street is vulnerable to cybercrime and attacks like phishing the truth of the matter is that organisations are at risk of these attacks too. This is because their employees are often targeted through emails that they may get to their work email or even private email address.
Phishing can be described as the fraudulent practice of sending emails purporting to be from a reputable company to entice people to reveal personal information such as passwords (for bank accounts, email addresses, etc.), credit card numbers and the associated pins and other vital private financial information.
Employees could unwittingly put the company security at risk just by opening such emails which could contain a virus and infect the network. Or the staffer could download the virus or respond to the email thinking it’s from a legitimate source and then pass on personal or company secrets that will enable the scammer to access information or money that does not belong to him or her.
Individuals and organization are very vulnerable to phishing attacks as the emails they are engaging with look very real. This is because the cyber criminals have gone through many lengths to design the layout and content in such a way as to make the correspondence look as authentic as possible. It seems almost impossible to negate such a sophisticated attack.
However, the good news is that you can protect your company from phishing and other forms of cyber-attacks by taking these eight precautions/lastinforming your employees about the following:
- Be careful with links: If your staff members get an email that looks suspicious tell them to be wary and not click on any links as these may open them up to a phishing attack.
- Never divulge sensitive information: This may go against the very nature of what most employees think they will do (of course they’d never willingly impart with private company information). However, it’s surprisingly easy for employees to get genuinely duped. If they think an email comes from a legitimate source, for e.g. a client they may pass on secretive information. Remind them that genuine organisations like banks and the HMRC will never contact people out of the blue to ask for their or your company’s pin, passwords or bank details. When you train your staff, reiterate how vital it is to never give out private information, download attachments or click on links in emails and messages that they aren’t expecting or that they believe to be suspicious. Many companies and other organisations now have reporting tools that the public and your staff can make use of if they suspect a phishing attack. With the HMRC, for example, suspicious emails can be forwarded to firstname.lastname@example.org and texts to 60599. Alternatively, employees can contact Action Fraud, the National Fraud & Cyber Crime Reporting Centre, on 0300 123 2040. For more information and to make use of Action Fraud’s tool, click here.
- Research the email online: If the email still looks genuine, encourage employees to do a bit of sleuth work and do some digging online on the topic or information contained within the email. A quick Google search could provide a whole host of information and they’ll probably even find people sharing information about how they have been scammed before by the given email address.
- Be wary of typos: This is by no means a definitive way of identifying a phishing email but generally fraudsters operate from abroad and English is not their first language. Emails will then typically contain spelling, grammar and other errors. Reputable companies will generally not make this type of mistake and loads of grammatical mistakes are a sure sign that the content has come from a suspect source.
- Be wary of strange instructions: Employees should be cautious when getting instructions from a company/individual that asks them to do something out of the ordinary. Fraudsters may also demand that sensitive information be sent to them in a specific way that a typical client or business would not normally ask for. The HMRC, for example, warned earlier this year that the most common type of scam is the ‘tax refund’ email and SMS. However, HMRC does not offer tax refunds by text message or email. Tell your employees to contact the source of the email to find out if it and its contents and instructions are true. Warn them not to use the contact details provided within the actual email as, chances are, that the fraudster and his/her team will be ready on the other side to receive the call and ‘verify’ the instruction. It’s best to contact the source directly with the information provided on their own company’s website.
- Teach your employees to keep informed about scams: Fraudsters will always evolve the way in which they operate. By changing their methods, they can catch their victims unaware and remain one step ahead of investigators and company security measures. Get them to sign up to Action Fraud’s alert to received direct, verified, accurate information about scams and fraud in their area. This system is provided by the National Fraud Intelligence Bureau (NFIB), which is run by the City of London as a national service. Just recently, it warned the public about fake Netflix emails claiming there are issues with users’ accounts when in fact there isn’t. The fake email goes on to ask customers to ‘update’ their information. The link that people are encouraged to click on even directs them to a legitimate looking Netflix website. But these are fake and merely designed to steal vital information like usernames, passwords and payment details. Keeping stock of such evolving scams will not only will this help employees to stay alert and informed, but they may in turn help the company develop ways and ideas in which it can protect itself from this type of cybercrime as well as others. Encourage them to use password managers that store encrypted passwords online, so they don’t have to remember them. There’s lots of freemium ones out there like LastPass, for example.
- Get them to improve their own security: Many people are lazy when it comes to passwords. Who, after all, wants to remember a different password for every single service or social media account that they have. But having one password for everything puts your employees, and ultimately your business, at even greater risk.
- Upgrade your security: For any business, upgrading software and tech security measures is vital. Use of antivirus software (that is up to date) is essential. High quality firewalls are important too and doing something as simple as keeping your browser up to date can help in the fight against cybercrime. Tell employees to be careful when pop-up windows are displayed.
There is no single fool-proof way to protect your business against cyber-crime and phishing attacks in particular. Back in April this year, the Department of Culture, Media and Sport issued statistics that showed that over four in ten of all UK businesses have suffered a breach or attack in the last 12 months.
Most common attacks were fraudulent emails, followed by cyber criminals impersonating an organization online. For the average large business, the financial costs of all attacks was £9,260 with some attacks costing significantly more.
At the time, the Minister for Digital and Creative Industries, Margot James, said: “We are strengthening the UK’s data protection laws to make them fit for the digital age, but these new figures show many organisations need to act now to make sure the personal data they hold is safe and secure.
“We are investing £1.9 billion to protect the nation from cyber threats and I would urge organisations to make the most of the free help and guidance available for organisations from the Information Commissioner’s Office and the National Cyber Security Centre.”
Organisations must do all they can to enhance their security to reduce the likelihood of a data breach or cyber-attack. It’s so easy for individuals within businesses to get duped. This does not only affect the intern but senior members of staff can also mistakenly hold their guard down.
If you feel that your business is not equipped to deal with the latest form of cyber threats out there, there is no reason why a specialist or team of specialists cannot be hired to assess the threat and come up with solutions to the problem. Not every single cyber threat needs to be dealt with in-house. Sometimes hiring experts is vital to the success and security of the business.
At SchemeServe there’s a team of experts that can offer you a whole host of security and backup measures, training, tests and various other solutions. Contact them today to see what they can do for your business.