Phishing scams are on the rise, and small businesses are bearing the brunt of it. A Federation of Small Business survey found UK SMEs suffer seven million cyber-attacks a year at a cost of £5.26 billion. And the vast majority of these attacks — 89 percent — are phishing scams.

If you run a small business, it’s time to get serious about protecting yourself. So, with this in mind, here’s a rundown of what phishing is, how it works and what you can do to prevent it.
What is phishing?
Phishing is when cyber-criminals try to trick you into giving out personal information. That information is then sold on the dark web or used to steal your money or identity.
How does phishing work?
Most phishing scams have the same basic structure:
The cyber-criminals pose as someone you trust. For example, they could pretend they’re from your bank or HMRC. Or, they could pose as your boss or even as a family member.
With their fake identity in place, they’ll get in touch with you. They can do so by email, over the phone (this is called ‘vishing’) or, increasingly, through social media.
Based on some pretext, they’ll ask you to provide personal information. This could include usernames, passwords, your credit card number or other private data.
In some cases, the message may ask you to download an attachment or follow a link. These will harvest your personal data.
How do you spot a phishing scam?
Cyber-criminals are becoming ever more sophisticated. That said, phishing scams often have one or more of these telltale signs:
Dodgy URLs or unnecessary redirects
Checking email addresses and link URLs is one of the quickest ways to recognise phishing. Look out for subtle differences. For example, an email from HMRC should end in gov.uk, not gov.org.

Sometimes, links redirect to addresses unrelated to the company that’s supposedly contacting you. If this happens, pop the URL into a WHOIS lookup tool and run a quick search. If registration is less than a year old, it’s probably a scam.
The message is poorly written
Large organisations hire professionals to handle their customer communications, often at considerable cost. And every message goes through several rounds of approvals before it reaches your inbox.

It’s unlikely that your bank or the government would send a poorly-written message. Treat spelling mistakes, obvious grammatical errors or odd word choice as red flags.
Lo-fi or blurry logos
For phishing to work, you must believe the sender is legitimate. So, cyber-criminals will try and trick you by replicating the branding of the organisation they’re claiming to be.

The problem is that they don’t have access to original source files. Which means the result will often look blurry, lo-fi or amateurish.

Next time you get suspicious, think. Is this the level of design quality you’d expect from a reputable organisation?

Even better, compare the message to previous correspondence you might have. Seeing legitimate and fake messages side by side makes it easier to tell the difference.
You're asked for your personal details
Your bank would never ask for sensitive information by email or over the phone. And no government department would ever do that, either. So, if it happens, something’s probably not right.
You're warned to act urgently
A common phishing technique relies on panicking you into doing something. You’re advised to “take action immediately” (or words to that effect). Or, you risk a heavy fine, prison time or something else equally bad.

A legitimate company would never do this out of the blue. You’d usually receive warnings and reminders before the situation escalates.
Offers that sound too good to be true
Some phishing scams do the opposite. They'll try to entice you into giving away your personal details by making you an offer you can’t refuse.

Won a contest you can't remember entering? Got an email promising an all-expenses-paid trip to the Bahamas, or the latest iPhone for free? And all you have to do is click a link and fill out a form?

Yeah, that’s probably a phishing scam.
The message isn’t personalised
Official correspondence usually addresses you by name. You'll also see an account number, customer number or reference number.

Not so in phishing.

Cyber-criminals try to cast a wide net when they make phishing attempts. The idea is that the more people receive a phishing email or message, the greater the chances of someone falling for it.

For this reason, the message will probably be generic. It'll address you as “Sir / Madam”, “Valued Customer” or something to that effect. And it won't contain any personally-identifying information.

That said, cyber-criminals are getting better at personalisation. A technique called spear-phishing uses information from the internet, such as recent purchases, to personalise the message and make it more believable.

You’ve been warned.
How do I prevent phishing attacks?
Understanding phishing and learning how to spot suspicious messages is a good start.

But how do you reduce the likelihood of falling victim to a phishing attack? Or, even better, prevent it from happening?

Here are some tips:
Make cyber-criminals’ life as difficult as possible
Most cyber-criminals are savvy and sophisticated. But they also like the path of least resistance. So, you can reduce the risk of phishing scams (and minimise their impact), by taking some simple precautions:
Use strong passwords. The best combine random numbers, letters and special characters. And they’re at least six words long. Use tools like 1Password (that's what we use at MileIQ!) if you need help.
Use a different password for each one of your online accounts. Password managers like LastPass, 1Password or Dashlane can store all your passwords securely. You can also share individual passwords with your staff if necessary.
Change your passwords every few months. Some password managers can do this for you.
If possible, set up two-factor authentication via Google Authenticator or Authy. This way, cyber-criminals won’t be able to log on to your account, even if they have your password.
Be vigilant
You can greatly reduce the chances of falling victim to phishing scams if you:
Check any links before you key in any sensitive information. In particular:
Secure websites should start with https://
There should be a green padlock icon on the left side of the address bar.
If in doubt, you can click on the padlock. This will show you the website’s security certificate.
Or, you can use the Whois Lookup Tool to check how old the domain is. The younger the domain, the greater the chance of it being a scam.
Don’t download suspicious attachments. Files ending in .EXE are the most dangerous. That said, there are also other file types that are just as bad. As a rule, unless you’re expecting someone to send an attachment, it’s a good idea not to open it.
Verify strange or unexpected requests. This is as simple as Googling the company’s number and phoning them up.
Trust your instincts. If you think something’s odd, you’re probably right.
It’s also worth training your employees in these simple best practices.
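As an added example (not code from the MileIQ article), here are the link checks described above and in the “Dodgy URLs” section written as small Python functions: does the link use https, does the link host and the sender’s domain sit under the domain the organisation really uses (the article’s HMRC example: gov.uk, not gov.org), and is the domain less than a year old. The WHOIS creation date is passed in as a string copied from a lookup tool rather than fetched, so the script runs offline; the dates and the .gov.org addresses are constructed for the example.

```python
from datetime import date
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Lower-cased host of a full URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain or a subdomain of it.
    The suffix decides, so 'gov.uk.example.com' is NOT under 'gov.uk'."""
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def sender_domain(address: str) -> str:
    """Domain of a plain e-mail address such as 'noreply@hmrc.gov.org'."""
    return address.strip().rsplit("@", 1)[-1].lower() if "@" in address else ""


def domain_age_days(created_iso: str, today_iso: str) -> int:
    """Age of a domain from its WHOIS creation date (ISO format, YYYY-MM-DD)."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(created_iso)).days


def phishing_indicators(url: str, sender: str, expected_domain: str,
                        created_iso: str, today_iso: str) -> list:
    """Return the article's red flags that apply to this link and sender."""
    flags = []
    if urlparse(url).scheme != "https":
        flags.append("link does not use https")
    host = host_of(url)
    if not belongs_to(host, expected_domain):
        flags.append("link host %r is not under %r" % (host, expected_domain))
    if not belongs_to(sender_domain(sender), expected_domain):
        flags.append("sender domain %r is not under %r"
                     % (sender_domain(sender), expected_domain))
    if domain_age_days(created_iso, today_iso) < 365:
        flags.append("domain registered less than a year ago")
    return flags


# Constructed sample: a message claiming to be from HMRC (expected under gov.uk),
# with a made-up domain registered two months before the message arrived.
if __name__ == "__main__":
    for flag in phishing_indicators("http://hmrc-refunds.gov.org/claim",
                                    "refunds@hmrc.gov.org", "gov.uk",
                                    "2019-03-01", "2019-05-01"):
        print("-", flag)
```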
Protect your devices
You should have up-to-date antivirus software running on all your devices. Yes, even if they’re Apple devices.

Most antivirus software programs these days have anti-phishing protection built in. Which means they’ll block attachments and links if they detect something untoward.
You should also make sure your operating system is always up to date. System updates can take forever. But they address vulnerabilities that could make life easier for cyber-criminals. So it’s important to make time for them (think of it as a well-deserved work break).
Have an IT hierarchy in place
Employees are the leading cause of successful phishing attacks.

Your staff may be careless or fall for a phishing scam. Or a disgruntled employee might click on a malicious link on purpose. Either way, it’s worth controlling how much access they have to your network.
The National Cyber Security Centre recommends using the principle of ‘least privilege’. In other words, your employees should have the lowest level of user rights they need to do their job. This limits the damage if they click on a phishing link or download a malicious attachment.
Take control of your data
With the rise of spear-phishing, being aware of what you share online is crucial.

Even an innocent tweet could be your downfall. In May 2018, TSB had its infamous IT meltdown. Customers took to social media for support. And, almost immediately, phishing scams targeting them shot up 843%.

The good news is that you’re in control.

Make an audit of your website and social media accounts.
Do you share details that don’t matter to customers but could help cyber-criminals? Take them down. It’s also worth checking what your vendors and partners share about you. And explaining to staff that what they share might harm the business.