Phishing

Five tips to protect against phishing attacks

There’s a reason phishing attacks are so successful. Millions of messages that appear genuine at first glance are sent every day, with vast numbers passing through spam filters and being seen by users.

In a typical phishing attack, scammers send fake emails asking for sensitive information, or containing links to malicious websites. They might try to trick you into sending money, steal your passwords for websites or generally hunt for information that can be used to harm you and your business.

Phishing emails are getting harder to spot, and some will still get past even the most observant users. Whatever your business, however big or small it is, you will receive phishing attacks at some point.


Steps to reduce your risk

Know what an attack looks like

Expecting your staff to identify and delete all phishing emails is an impossible request and would have a massive detrimental effect on business productivity. However, many phishing emails have obvious tell-tale signs that staff can be trained to spot. These include:

  • Poor grammar and spelling
  • Not addressed to you personally (Dear Customer, Valued Colleague, Friend, etc.)
  • Appear to come from a high ranking person in your organisation
  • Contain veiled threats
  • Use time pressure to force you into quick action

Verify the address

Phishing emails often come from email addresses that are nearly identical to the genuine address (support@microsoft1.com instead of support@microsoft.com). They also frequently link to sites that look identical to the real website, but again with a slightly different address (microsoftsupport.com instead of microsoft.com).

  • Check the email address is genuine
  • Check the website address of any link is genuine (hover over the link to see the destination before clicking it)
  • If in doubt, ask someone else before replying or entering any personal information
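The two address checks above can be automated as a first-pass triage script. The following is an added example, not code from the original article: it assumes a constructed allowlist of domains the organisation genuinely deals with, then flags sender and link domains that are a character or two away from a trusted domain (microsoft1.com), that contain a trusted brand name without being the trusted domain (microsoftsupport.com), and links whose visible text names a different domain from the one the href actually points to. The sample emails at the bottom are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains this organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.com"}

# Brand tokens derived from the allowlist, used to spot "brand + extra words" lookalikes.
BRAND_TOKENS = {d.split(".")[0] for d in TRUSTED_DOMAINS}

# Matches <a href="...">text</a>; good enough for the simple HTML bodies used here.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of_address(address: str) -> str:
    """Return the domain part of an email address such as 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def domain_of_url(url: str) -> str:
    """Return the hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def check_domain(domain: str) -> list[str]:
    """Return reasons why a domain looks like an impersonation of a trusted one."""
    reasons = []
    if not domain or domain in TRUSTED_DOMAINS:
        return reasons
    for trusted in TRUSTED_DOMAINS:
        dist = edit_distance(domain, trusted)
        if 0 < dist <= 2:  # one or two characters changed, added or removed
            reasons.append(f"{domain} is within {dist} edit(s) of {trusted}")
    for brand in BRAND_TOKENS:
        if brand in domain:
            reasons.append(f"{domain} contains brand name '{brand}' but is not a trusted domain")
    return reasons


def analyse_email(sender: str, html_body: str) -> list[str]:
    """Check the sender address and every link in the body; return a list of findings."""
    findings = check_domain(domain_of_address(sender))
    for href, text in LINK_RE.findall(html_body):
        href_domain = domain_of_url(href)
        findings.extend(check_domain(href_domain))
        shown = re.sub(r"<[^>]+>", "", text).strip()
        # If the visible link text looks like a URL or domain, it must match the real target.
        if "." in shown and " " not in shown:
            shown_domain = domain_of_url(shown if "://" in shown else "https://" + shown)
            if shown_domain and shown_domain != href_domain:
                findings.append(f"link shows {shown_domain} but points to {href_domain}")
    return findings


# Constructed sample messages: one genuine, one impersonating the vendor.
SAMPLES = [
    ("support@microsoft.com",
     '<p>Your invoice is ready: <a href="https://microsoft.com/billing">microsoft.com/billing</a></p>'),
    ("support@microsoft1.com",
     '<p>Verify your account now: <a href="https://microsoftsupport.com/login">https://microsoft.com/login</a></p>'),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        result = analyse_email(sender, body)
        print(f"{sender}: {'no findings' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run as-is, the genuine message produces no findings while the impersonation is flagged on the sender domain, on the link target and on the mismatch between the displayed and actual link. This is triage, not a verdict: a trusted domain can still be abused from a compromised account, so the script complements, rather than replaces, the "ask someone else" step and the gateway filtering described in the next section.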

Invest in email security software

Although many email services have a built-in spam filter, these can often lack the advanced features of standalone security software. Email security software can be used to analyse messages before they are delivered to users and either delete them if they are determined to be malicious, or modify the message to alert the user that it is suspicious and that extra care should be taken.

Don't give out personal information

If in any doubt, don't give out personal information, usernames or passwords, or transfer money. Many phishing attacks add a false sense of urgency to get you to act. We recommend pausing and contacting the person or organisation that has reportedly sent the email via a known-good contact method, such as phone, to confirm the request. Yes, this could add an extra couple of minutes before something gets actioned, but it could also prevent you losing money or data.

Report attacks

Make sure that your staff are encouraged to ask for help if they think that they might have been a victim of phishing, especially if they've not raised it before. It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.

Do not punish staff if they get caught out by an attack, as it discourages people from reporting in future and can make them so fearful that they spend excessive time and energy scrutinising every single email they receive. Both of these cause more harm to your business in the long run.
