What is Phishing?
Phishing.org gives this comprehensive explanation of phishing:
“Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message, by someone posing as a legitimate institution to lure individuals into providing sensitive data, such as personally identifiable information, banking and credit card details, and passwords.”
Once those details are in a criminal's hands, they can be used to reach client records, bank accounts and intellectual property, and to log in to your internal systems as if the criminal were you.
The media has reported several of these scams affecting people's personal information, with customers losing their life savings after a fraudulent call purporting to be from their bank. But it's important to understand that businesses are equally vulnerable, particularly when staff members can be targeted without your knowledge.
The Impact of Phishing Attacks
A phishing attack can have both short and long-term implications for a business, up to and including the company having to close its doors. Below are just some of the issues you may face following a successful phishing attack.
1. Data breaches
This is just one of the results of a phishing attack – your information being stolen, compromised or made unavailable. More importantly, any client data you hold is also vulnerable in the event of an attack.
If data is stolen, it can be sold on to other criminals or used to access accounts or information elsewhere. It can also be used to make purchases in your name with your own money, and, depending on the attacker's motive, they may encrypt or withhold your data and demand a ransom before they return it.
If your clients' information is stolen, you will have to deal with the GDPR (General Data Protection Regulation), which has applied since May 2018 to protect individuals' personal data: a personal data breach must be reported to the supervisory authority within 72 hours of your becoming aware of it, and the affected individuals must be told where the risk to them is high. If the breach shows that you failed to protect the data appropriately, fines can follow.
Also, your specific industry may have governance around looking after client data and may also apply sanctions to your company, whether that’s through a fine, removing you from the chartered body, or restricting your access to support. It’s worth investigating what the rules are in your field.
2. Identity theft
This is when your personal information is stolen by someone who then impersonates you for their own financial benefit or to commit fraud of some type, or who sells it on to someone else who does.
‘Personal information’ includes your date of birth, passport and driving licence numbers, national insurance number, bank account details, current and previous addresses, email address and online log-ins.
With phishing, a legitimate-looking email arrives containing a link to a fake login page or to a malware download. If you or an employee follows it, credentials and other information can be harvested. Similarly, people can be tricked into giving out details over the phone. Your systems can also be at risk if staff use their work computers for personal banking or similar, because anything typed on a compromised machine can be captured.
3. Reputational damage
Customers and partners tend to be forgiving if your systems are compromised despite reasonable precautions. However, if you haven't taken the appropriate steps to protect your data, or if you haven't acted on advice from a cyber security professional, your professional reputation could be damaged.
This will have a negative effect on your relationship with current customers and suppliers, and possibly staff too, depending on the nature of the phishing. Potential clients might be put off from working with you, and your reputation with your industry peers is also at risk.
4. Business downtime
Phishing attacks, like other cyber-crime, take time to identify, contain and recover from. While this is going on, your servers may be offline and data could be unavailable.
Business downtime is damaging immediately to your staff, who can’t work as usual, and your clients, who can’t contact you. Depending on the severity of the attack and how easy it is to fix, your system may be down for quite some time, which can have an effect on the future viability of the business.
5. Financial loss
If your company experiences downtime, you're at risk of losing money straight away, as well as in the longer term. Some businesses never recover, because they cannot contain the damage quickly enough.
If client data is stolen or damaged, you will usually have a legal or contractual obligation to let them know, and to outline what steps you're taking to restore it. If you have good relationships with your clients and can demonstrate the steps you're taking, they may accept your explanation. However, you could find they go to your competitors instead.
How to Protect Your Business
The good news is that you can substantially reduce your exposure to phishing attacks, and prepare to restore information fast, so that the impact on your business is kept to a minimum.
Here are the things you should look out for:
1. The email address
Is the email from someone you know? If it isn't, does it look like a legitimate business or individual? Look at the part after the @: is it the organisation's real domain, or a look-alike (an extra word, a swapped letter, a different ending)? The display name in front of the address is free text that the sender can set to anything, so never judge an email by the name alone. Has the sender used a proper name or job title?
2. Email content
Have they addressed you by your name or job title, or does it start something like “Dear Friend?” Are there spelling and grammatical errors and odd line spacing?
Is the subject line a dire warning or threat that something bad will happen if you don’t act on the information given? Have they asked you for personal information or asked you for money?
Is it unsolicited? While you probably get genuine work queries to individual email addresses, if it’s unexpected and doesn’t look right, there’s a good chance it’s phishing.
3. Links and downloads
Has the sender included a link in the body of the email, or something to download? Unless you're expecting something to be sent to you that way, don't click it or open it. Hover over a link to see where it really goes; the visible text can say one thing and the target another. Make sure all employees know this too, and if they're not sure, ask them to forward the email to the IT department or partner.
4. Email provider
Find out what your email server or provider offers in the way of preventing or limiting phishing or suspicious emails: spam and malware filtering, link scanning, and whether it checks sender authentication (SPF, DKIM and DMARC) and flags or quarantines mail that fails. If you use an IT partner and they manage your emails too, make sure they have something in place to keep you safe.
5. Verify websites
If you're asked to click on a link or visit a website, verify that it's genuine before you do so. Some IT support companies will offer this service, or you can check it yourself: search for the organisation on Google and navigate from the results, or type the address you already know, rather than following the link in the email. Treat raw IP addresses, look-alike names and unusual endings in a link as warning signs.
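Items 1 to 5 above are checks a person does by eye. The script below turns them into a triage pass over a raw email: it looks at the domain behind the display name, a Reply-To that differs from From, look-alike domains (one or two characters away from a domain you trust), the SPF/DKIM/DMARC results your provider records in the Authentication-Results header, urgency in the subject, generic greetings, and links whose visible text points somewhere other than their real target. This is an added example, not ATG's tooling or any vendor's product; the trusted-domain list, keyword lists, edit-distance threshold and both sample messages are assumptions constructed for illustration.

```python
"""Heuristic phishing triage of a raw email. Added example, not ATG's or any vendor's code; every domain, keyword and threshold here is an illustrative assumption."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.co.uk", "example.com"}  # assumed: domains your staff deal with daily
URGENCY = ("urgent", "immediately", "suspended", "final notice", "verify your account")
GENERIC_GREETINGS = ("dear friend", "dear customer", "dear user")

def edit_distance(a, b):
    """Levenshtein distance: a domain one or two edits away from a trusted one is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Trusted domain this host imitates (e.g. examp1e-bank.co.uk), or None if trusted or unrelated."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return None
    return next((d for d in TRUSTED_DOMAINS if edit_distance(host, d) <= 2), None)

def url_findings(url):
    """Item 5: things to resolve before visiting a link."""
    p = urlparse(url)
    host = p.hostname or ""
    out = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        out.append("raw IP address instead of a hostname")
    if "xn--" in host:
        out.append("punycode host (possible homoglyph domain)")
    if lookalike_of(host):
        out.append(f"host looks like trusted domain {lookalike_of(host)}")
    return out

def triage(raw):
    """Human-readable findings for a raw RFC 5322 message; an empty list means nothing stood out."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Item 1: the address. The display name is free text; only the domain after the @ means anything.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_host = addr.rpartition("@")[2].lower()
    claimed = next((d for d in TRUSTED_DOMAINS if d.split(".")[0].replace("-", " ") in name.lower()), None)
    if claimed and from_host not in TRUSTED_DOMAINS:
        findings.append(f'display name "{name}" suggests {claimed} but the address domain is {from_host}')
    if lookalike_of(from_host):
        findings.append(f"From domain {from_host} looks like {lookalike_of(from_host)}")
    reply_host = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_host and reply_host != from_host:
        findings.append(f"Reply-To domain {reply_host} differs from From domain {from_host}")
    # Item 4: what the provider verified. SPF, DKIM and DMARC results are recorded in Authentication-Results.
    auth = msg.get("Authentication-Results")
    if auth is None:
        findings.append("no Authentication-Results header: the provider is not checking SPF/DKIM/DMARC")
    else:
        res = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(auth).lower()))
        findings += [f"{k}={res.get(k, 'missing')}" for k in ("spf", "dkim", "dmarc") if res.get(k) != "pass"]
    # Item 2: content. Threats in the subject line, a generic greeting instead of your name.
    subject = str(msg.get("Subject", "")).lower()
    if hits := [w for w in URGENCY if w in subject]:
        findings.append(f"urgency language in subject: {', '.join(hits)}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if any(g in text.lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    # Items 3 and 5: every link, and whether the visible text matches the real target.
    is_html = body is not None and body.get_content_type() == "text/html"
    links = (re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, re.S | re.I) if is_html  # crude, fine for triage
             else [(u, "") for u in re.findall(r"https?://\S+", text)])
    for href, shown in links:
        findings += [f"link {href}: {f}" for f in url_findings(href)]
        shown_host, real_host = urlparse(shown.strip()).hostname, urlparse(href).hostname
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but it points at {real_host}")
    return findings

# Constructed sample messages (not real traffic): one phish, one ordinary internal email.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.co.uk>
Reply-To: recovery@mail-reset.example.net
Subject: URGENT: your account will be suspended
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-bank.co.uk; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Friend,</p><p>Please <a href="http://192.0.2.10/login">https://www.example-bank.co.uk/login</a>
to verify your account immediately.</p></body></html>
"""
SAMPLE_CLEAN = """\
From: "Alice Smith" <alice@example.com>
Subject: Q3 invoices
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Hi Bob, the Q3 invoices we discussed on the call are in the shared finance folder. Alice
"""
```

Run `triage(SAMPLE_PHISH)` and every check above fires; `triage(SAMPLE_CLEAN)` returns an empty list. The findings are prompts for a human, not a verdict: a well-run phishing campaign can pass SPF, DKIM and DMARC on a domain the attacker legitimately registered, so a clean result from this kind of script never replaces the "were you expecting this?" question in item 2.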
6. Storing personal information
Staff and management shouldn’t be storing any personal information on their work machines, so include this in your security policy and staff handbook.
However, you will be storing staff’s personal information, including address, NI number and bank details, so you need to ensure that it’s protected. Likewise, your business banking and accounting information should be secured.
7. Restrict access
To reduce the risk of data being compromised, limit access to sensitive information to the relevant people only, such as the HR and Finance departments. Use access controls (group-based permissions on shares and folders) rather than shared passwords on folders, so that only those roles can open them, and make sure any access request is necessary and genuine.
Also include a rule that only certain staff members can install or update software and make any major system changes. This may be a named person, the IT team or an external partner.
8. Passwords and two-factor authentication
As we've seen, restricting who can open folders and files containing sensitive information reduces the risk of a criminal reaching them, but you should also make sure the passwords on all office computers, smartphones and online accounts are strong, unique to each account and hard to guess.
You may also want to use a password manager such as LastPass, which generates and stores a different password for every account. Include instructions on how to choose a password in the staff manual; current guidance (the NCSC's, for example) is to change a password when you suspect it has been compromised rather than on a fixed schedule, because forced rotation pushes people towards weak, predictable variations.
For extra peace of mind, use two-factor authentication (2FA). Once the password has been keyed in, the system asks for a second proof that only the real user can supply, so a password captured by phishing is not enough on its own to log in.
That second proof should be something the user has (a code from an authenticator app, a code sent to their smartphone, a hardware security key or an ID card) or something they are (a fingerprint or other biometric). A security question or an additional password is just another thing the user knows, and can be phished in the same email, so it does not count as a second factor. Hardware security keys are the strongest option because they only respond to the genuine site; codes sent by text message are better than nothing but can be relayed by a phishing page that proxies the real login.
9. Staff training
Include a training session or handout on cyber security and phishing in the induction process for new employees, and make sure you review this with existing staff too.
10. BYOD and storage drives
If you allow staff to use their own electronic equipment for work purposes, ensure that these are as secure as possible. Consider setting up passwords or two-factor authentication on the business website, intranet and folders.
Likewise, if people use flash drives or other portable storage devices, these should be protected too, or you may choose not to allow them at all.
11. Restriction of certain sites
Implement a policy, backed by web filtering where possible, that prevents staff from using work machines for personal sites such as online banking or a doctor's portal. If a work machine is compromised through phishing, anything entered on it can be captured, so keeping personal logins off it limits what a criminal can steal from you and your staff.
12. Protection and recovery solutions
It's a good idea to invest in layered protection: email filtering and endpoint protection to reduce the likelihood of becoming the victim of a phishing attack or other cyber-crime, and regularly tested backups kept separate from your live systems so that you can restore and recover data if you are compromised.
Choose one that matches your business needs, or ask an IT company for recommendations and advice. At ATG, our comprehensive 5Nines solution does all of this, giving our clients peace of mind.