Phishing is becoming an increasingly difficult problem for businesses. As this form of cyber-attack becomes more prevalent, hackers are diversifying their methods. Phill Burke, our Managing Director here at Biscuit, wanted to share his guidance about these new forms of attack, and how your business can avoid falling victim to them.
Like the booze bill at 10 Downing Street, cyber-crime went up during lockdown. It’s shown no signs of slowing either. The main targets are small businesses, schools and anyone else deemed an ‘easy target’.
So, I thought I’d scribble some advice about phishing. Most people know what I mean by that these days (they don’t think it involves a nice afternoon looking for trout), but it’s got much more sophisticated and you really do need to be aware of that.
With that in mind, I thought I’d run through some of the phishing techniques that cyber-criminals are using, and how you can guard against them.
I’ll start with the basics. Phishing is basically a form of social engineering fraud. What that means is that someone’s trying to trick you into revealing something (bank details, passwords, etc.) that they’ll then use to chisel cash out of you.
Emails will be designed to look ‘official’ – they may be posing as a bank, with all the logos in the right place. There are usually telltale signs that something ‘phishy’ is going on. It might be written in an unnatural style, or the email address might not be official.
Generally, if it’s asking for money or passwords, be suspicious. Banks love money, but they don’t ask you for it by email. Now on to the craftier techniques. You may notice that as the crimes get smarter, the names get dafter!
Spear phishing
Where regular phishing emails might be sent to thousands of addresses, spear phishing is targeted at individuals. This means they’ll know a bit about you already – name, company, job title and so on. They might get this from prior phishing attacks, or anything you make public online, and will use this for a more sophisticated and personalised attack.
They might pose as one of your suppliers or clients, and generally it’ll look more convincing. It might lead you to download malware or transfer money. The stats tend to show that this is the most successful phishing technique, so you’ve got to make sure your employees are prepared.
Whaling
This is a form of spear phishing that specifically targets senior executives. As an MD, I’m not sure the name ‘whaling’ is very flattering, but there you go. Whaling is especially dangerous for businesses, because executive-level staff tend to have the highest levels of access to systems, accounts and sensitive info.
On top of that, executives are the most publicly visible figures in a business. The information that criminals need to target them (name, email, job title) might all be on your company website. And if a CEO’s system gets hacked, you’re in big trouble. The moral of the story is that your senior team need to be just as well-trained as everyone else!
Smishing and Vishing
Told you the names would get dafter, and I promise I’m not taking the phish. These are like email phishing, but through different channels. Smishing is phishing via SMS messages, while vishing is the same with voice calls.
If anyone in your company does any work on a mobile, you need to be aware of this. Sometimes it’s easy to spot – for instance, if a regular mobile number displays instead of a company name, it’s probably not a message from that company. But it’s not always easy to detect.
What to do about it
It only takes one honest mistake from one person to land you in the sh*t. On top of that, just think of how many devices people work on these days, and how much work is done remotely. Every device and every employee is a potential ‘in’ for the crooks who do this.
So what to do? Well first off, you need to make sure everyone’s trained in cyber-security, including phishing methods. There’s anti-phishing software to screen inboxes, and of course you need anti-virus in case anyone slips up. A firewall is very much advisable too.
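To make the earlier telltale signs concrete (a sender address that isn’t the official one, and wording that asks for money or passwords) and to show the kind of check inbox-screening software performs, here is a small added example. It is not Biscuit IT’s code or any product’s logic; the trusted-sender list, the domains and the sample messages are all made up for the illustration, and the lookalike-domain check only covers a handful of common character swaps.

```python
import re
from email.utils import parseaddr

# Constructed allow-list for this example: organisations the business deals
# with, and the domains they genuinely send from (placeholder names, not real).
TRUSTED_SENDERS = {
    "examplebank": {"examplebank.com", "mail.examplebank.com"},
    "acmesupplies": {"acmesupplies.example"},
}

# Wording the post singles out: requests for money or credentials, plus the
# pressure words that usually come with them.
RISKY_PHRASES = (
    "password", "verify your account", "bank details",
    "transfer", "payment", "urgent", "click here",
)

# Common character swaps used to build lookalike domains (0 for o, 1 for l,
# rn for m, vv for w). Normalising both sides lets us compare them fairly.
_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain):
    """Undo the usual lookalike substitutions, so 'examp1ebank.com' reads as 'examplebank.com'."""
    d = domain.lower()
    for fake, real in _SWAPS:
        d = d.replace(fake, real)
    return d


def parse_from(from_header):
    """Split a From: header into (display name, sender domain), both lowercased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), domain


def claimed_org(display_name, domain):
    """Return the trusted organisation the message *appears* to come from, if any.
    Both the display name (spaces stripped) and the normalised domain are checked,
    because either one can carry the impersonated brand."""
    haystack = re.sub(r"[^a-z0-9]", "", display_name) + " " + normalise(domain)
    for org in TRUSTED_SENDERS:
        if org in haystack:
            return org
    return None


def assess(from_header, subject, body):
    """Return a list of reasons to treat the message as suspicious (empty list = nothing found)."""
    reasons = []
    name, domain = parse_from(from_header)
    org = claimed_org(name, domain)
    if org and domain not in TRUSTED_SENDERS[org]:
        # The message claims an organisation we know, but not from one of its real domains.
        if any(normalise(domain) == normalise(d) for d in TRUSTED_SENDERS[org]):
            reasons.append(f"LOOKALIKE_DOMAIN: {domain} imitates a genuine {org} domain")
        else:
            reasons.append(f"DOMAIN_MISMATCH: claims to be {org} but was sent from {domain}")
    text = (subject + " " + body).lower()
    hits = [p for p in RISKY_PHRASES if p in text]
    if hits:
        reasons.append("RISKY_WORDING: asks for money/credentials (" + ", ".join(hits) + ")")
    return reasons


# Constructed sample messages: one genuine, one lookalike domain, one borrowed brand name.
SAMPLES = [
    ("Example Bank <alerts@examplebank.com>", "Your monthly statement",
     "Your statement is ready to view in online banking."),
    ("Example Bank Security <security@examp1ebank.com>", "Urgent: verify your account",
     "Click here and enter your password."),
    ("Example Bank <noreply@mail-notify.example.net>", "Invoice",
     "Please transfer the payment to our new bank details today."),
]

if __name__ == "__main__":
    for from_header, subject, body in SAMPLES:
        print(from_header, "->", assess(from_header, subject, body) or ["looks fine"])
```

The point of the two sender checks is that a convincing display name proves nothing: the domain after the @ is what the mail actually came from, and a domain that only differs by a swapped digit is the classic sign of a spoof. Real screening products layer much more on top (SPF/DKIM results, link reputation, attachment scanning), but this is the shape of the first cut.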
At Biscuit IT, we can help with all this, including the staff training and 24/7 systems monitoring. We can also do an audit of your IT if you just need some expert guidance. The thing about cyber-security is that you want to prevent problems, rather than dealing with the fallout.