Phishing scams are on the rise, and small businesses are bearing the brunt of it. A Federation of Small Business survey found UK SMEs suffer seven million cyber-attacks a year at a cost of £5.26 billion. And the vast majority of these attacks — 89 percent — are phishing scams. If you run a small business, it’s time to get serious about protecting yourself. So, with this in mind, here’s a rundown of what phishing is, how it works and what you can do to prevent it.
Phishing is when cyber-criminals try to trick you into giving out personal information, which they then sell on the dark web or use to steal your money or identity.
Most phishing scams have the same basic structure:
Cyber-criminals are becoming as sophisticated as the day is long. That said, phishing scams often have one or more of these telltale signs:
Checking email addresses and link URLs is one of the quickest ways to recognise phishing. Look out for subtle differences. For example, an email from HMRC should end in gov.uk, not gov.org. Sometimes, links redirect to addresses unrelated to the company that’s supposedly contacting you. If this happens, pop the URL into a WHOIS lookup tool and run a quick search. If registration is less than a year old, it’s probably a scam.
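One way to automate the address and link check described above, as an added example that is not part of the original article: the script below parses the links in an HTML email body, compares each link's real destination with the domain shown in the link text, and checks both the sender address and every link against an allowlist of domains the organisation actually uses. The allowlist (`EXPECTED_DOMAINS`), the sample message and the function names are constructed for illustration; the WHOIS registration-age check needs a network lookup and is left to a separate tool.

```python
"""Flag suspicious sender addresses and links in an email body.

Added example, not code from the original article. The allowlist and the
sample message below are constructed for illustration only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains the supposed sender would genuinely use.
# A real deployment would keep one entry per organisation you deal with.
EXPECTED_DOMAINS = ("hmrc.gov.uk", "gov.uk", "examplebank.co.uk")

# Matches something that looks like a domain name inside visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of (text, href)
        self._href = None     # href of the <a> currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_expected(host, expected=EXPECTED_DOMAINS):
    """True if host is an expected domain or a subdomain of one.

    Suffix matching on '.' + domain means 'gov.uk.example.com' does NOT pass
    for 'gov.uk': the registrable part is what matters, not a lookalike prefix.
    """
    return any(host == d or host.endswith("." + d) for d in expected)


def check_email(from_addr, html_body, expected=EXPECTED_DOMAINS):
    """Return a list of (kind, detail) findings; an empty list means nothing odd."""
    findings = []

    # 1. Sender address: HMRC ends in gov.uk, not gov.org.
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    if not is_expected(sender_domain, expected):
        findings.append(("sender-domain", sender_domain))

    # 2. Every link: the real destination must be an expected domain ...
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        host = host_of(href)
        if not is_expected(host, expected):
            findings.append(("link-domain", host))
        # ... and the domain shown in the link text must match where it really goes.
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != host:
            findings.append(("text-href-mismatch", f"{shown.group(1)} -> {host}"))
    return findings


# Constructed sample: a message claiming to come from HMRC.
SAMPLE_FROM = "noreply@hmrc.gov.org"
SAMPLE_HTML = """<p>Dear Sir / Madam,</p>
<p>Please <a href="http://hmrc.gov.org/refund">log in to www.tax.service.gov.uk</a>
to claim your refund.</p>
<p>Or <a href="https://www.gov.uk/contact">contact us</a>.</p>"""

if __name__ == "__main__":
    for kind, detail in check_email(SAMPLE_FROM, SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run against the sample, the script reports the sender domain, the link whose destination is not on the allowlist, and the link whose visible text names a gov.uk address while the href goes elsewhere; the genuine www.gov.uk link produces no finding.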
Large organisations hire professionals to handle their customer communications, often at considerable cost. And every message goes through several rounds of approvals before it reaches your inbox. It’s unlikely that your bank or the government would send a poorly-written message. Treat spelling mistakes, obvious grammatical errors or odd word choice as red flags.
For phishing to work, you must believe the sender is legitimate. So, cyber-criminals will try and trick you by replicating the branding of the organisation they’re claiming to be. The problem is that they don’t have access to original source files. Which means the result will often look blurry, lo-fi or amateurish. Next time you get suspicious, think. Is this the level of design quality you’d expect from a reputable organisation? Even better, compare the message to previous correspondence you might have. Seeing legitimate and fake messages side by side makes it easier to tell the difference.
The bank would never ask for sensitive information by email or over the phone. And no government department would ever do that, either. So, if it happens, something’s probably not right.
A common phishing technique relies on panicking you into doing something. You’re advised to “take action immediately” (or words to that effect). Or, you risk a heavy fine, prison time or something else equally bad. A legitimate company would never do this out of the blue. You’d usually receive warnings and reminders before the situation escalates.
Some phishing scams do the opposite. They'll try to entice you into giving away your personal details by making you an offer you can’t refuse. Won a contest you can't remember entering? Got an email promising an all-expenses-paid trip to the Bahamas, or the latest iPhone for free? And all you have to do is click a link and fill out a form? Yeah, that’s probably a phishing scam.
Official correspondence usually addresses you by name. You'll also see an account number, customer number or reference number. Not so in phishing. Cyber-criminals try to cast a wide net when they make phishing attempts. The idea is that the more people receive a phishing email or message, the greater the chances of someone falling for it.
For this reason, the message will probably be generic. It'll address you as “Sir / Madam”, “Valued Customer” or something to that effect. And it won't contain any personally-identifying information. That said, cyber-criminals are getting better at personalisation. A technique called spear-phishing uses information from the internet, such as recent purchases, to personalise the message and make it more believable. You’ve been warned.
Understanding phishing and learning how to spot suspicious messages is a good start. But how do you reduce the likelihood of falling victim to a phishing attack? Or, even better, prevent it from happening? Here are some tips:
Most cyber-criminals are savvy and sophisticated. But they also like the path of least resistance. So, you can reduce the risk of phishing scams (and minimise their impact) by taking some simple precautions:
You can greatly reduce the chances of falling victim to phishing scams if you:
Check any links before you key in any sensitive information. In particular:
It’s also worth training your employees in these simple best practices.
You should have up-to-date antivirus software running on all your devices. Yes, even if they’re Apple devices. Most antivirus software programs these days have anti-phishing protection built in. Which means they’ll block attachments and links if they detect something untoward.
You should also make sure your operating system is always up to date. System updates can take forever. But they address vulnerabilities that could make life easier for cyber-criminals. So it’s important to make time for them (think of it as a well-deserved work break).
Employees are the leading cause of successful phishing attacks. Your staff may be careless or fall for a phishing scam. Or a disgruntled employee might click on a malicious link on purpose. Either way, it’s worth controlling how much access they have to your network.
The National Cyber Security Centre recommends using the principle of ‘least privilege’. In other words, your employees should have the lowest level of user rights they need to do their job. This limits the damage if they click on a phishing link or download a malicious attachment.
With the rise of spear-phishing, being aware of what you share online is crucial. Even an innocent tweet could be your downfall. In May 2018, TSB had its infamous IT meltdown. Customers took to social media for support. And, almost immediately, phishing scams targeting them shot up 843%. The good news is that you’re in control. Make an audit of your website and social media accounts.
Do you share details that don’t matter to customers but could help cyber-criminals? Take them down. It’s also worth checking what your vendors and partners share about you. And explaining to staff that what they share might harm the business.
Check out the Centre for the Protection of National Infrastructure for more information and help.