How to protect your business from phishing attacks

Businesses like yours and mine get studied all the time by hacking groups preparing for a coordinated attack. I'm not a fan of fear mongering; this is simply the business landscape of the digital age. As hackers' tools and processes become more sophisticated with time, the security infrastructure of a company must follow suit, and an awareness of evolving changes is paramount.

Phishing is a common cyber-attack method in which someone tries to fool you into clicking on a link so that they can infiltrate your system with malware by some means. It can also be a bid to gain access to a device in order to steal sensitive information (e.g. passwords, usernames, PINs, credit card numbers) and take over your online accounts. Any nightmare scenario you could imagine can become a reality via phishing.

Phishing is one of the most prevalent and successful modes of attack carried out by hackers, as it is easy to implement and not too costly. It is economical and very profitable for cyber criminals. Every staff member in your business must be able to recognise a phishing email baiting them on their computer screen.

Even enterprise organisations that consistently invest in security training, to ensure staff are wise to the tricks, still find that around 30% of people continue to be fooled into clicking through to links they shouldn't, no matter what they do to safeguard their business. Statistically, some countries are consistently worse clickers than others, and some are consistently better.

All the training in the world can't prepare for tired, unfocused people thinking unclearly for whatever reason. They may have been taught otherwise, but an absent mind will often click on links it shouldn't click on.

A common phishing method is to send fake emails or instant messages that steer you to a bogus website appearing identical to the original. Such attacks often exploit weak spots in the web technologies behind these sites, left there by mistakes made by web developers. Super crafty!

It is critical to understand that email does not verify or digitally sign its sender. You see, email wasn't originally purpose-built with security at the forefront, so there is no attestation of who actually sent an email. If there were, this issue would diminish massively.

Emails can be spoofed with little effort to appear as if they've come from where you believe, and this happens very frequently. Encrypting emails could go some way to solving this, although encrypting and decrypting emails lacks appeal to the lethargic side of human nature, which may explain why it's not commonplace.

Phishing attacks are usually carried out in bulk by sending millions of emails at once. Email addresses are often gathered from hacked websites, or harvested because people publicly disclose their email on public forums.

Hackers often attempt to guess email addresses of the form "firstname_secondname@emailaddress.com". If you have one like this, you'll know the volume of spam you receive is almost impossible to wade through.

Many such attacks are directed at business emails, with the targeted variant known as spear phishing. This is when a hacker or hacking group studies a business for a period of time and then, with the information gathered, coordinates an attack based on their research into your business.

I hope this goes some way in helping you understand more about phishing attacks. If you feel the need for technical assistance, please get in touch and one of our engineers would be happy to assist you.

Huw Tremlett

Data Management Consultant