In 2017/18 the most successful form of cyber attack took the shape of phishing, a form of social engineering. It is estimated that 91% of cyber attacks start with a phishing attempt. In this article, we'll take a look at what phishing is and how you can take steps to protect your business against it.
So, why phishing?
Phishing at its core is the attempt to obtain valuable or important information, such as passwords and bank card details, via electronic means such as emails and text messages. It first came to prominence in the early 1990s and has constantly been on the rise with increasingly sophisticated methods.
Phishing attacks can be carried out in several ways and some of them are incredibly sophisticated. Primarily, they revolve around deceiving the intended victim by the phisher pretending to be someone or something they are not. Below we'll look at two of the most commonly used.
In its most common form, link manipulation is when an email is sent out, seemingly from a reputable company and possibly one that the intended victim already has dealings with. Inside the email is a link which, on the surface, looks as if it will take you to the company’s website: the visible text or address shown for the link suggests the genuine site, but the link’s real destination is elsewhere. When you arrive at the site you will probably be presented with a good facsimile of the company’s website you were expecting; however, all is not as it seems.
The website, while seemingly legitimate, is run by the phishers. Any information entered, including card details, user names and passwords, is now in their hands. These emails can be made to look as if they have come from a whole range of organizations, such as banks, food delivery services and even HMRC.
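As an added illustration (example code, not from the original article), the following Python script parses a constructed HTML message and flags anchors whose visible text names one domain while the href actually points at another, which is the core of the link manipulation described above. The registrable-domain heuristic and the sample message are assumptions made for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host-like token ("www.example.co.uk"), optionally preceded by a scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registrable(host: str) -> str:
    """Crude registrable-domain heuristic (an assumption, not a public-suffix
    lookup): last two labels, or three for suffixes such as co.uk / gov.uk."""
    labels = host.lower().strip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} else 2
    return ".".join(labels[-n:])

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str) -> list[tuple[str, str, str]]:
    """Return (visible text, href, reason) for anchors whose visible text
    names a domain that differs from the domain the href really points at."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlsplit(href).hostname or ""
        match = HOST_RE.search(text)
        if not match:
            continue  # wording such as "Click here" claims no domain: nothing to compare
        shown = match.group(1)
        if registrable(shown) != registrable(target):
            findings.append((text, href, f"text shows {shown} but link goes to {target}"))
    return findings

# Constructed sample message for the demonstration (not a real phishing email).
SAMPLE = """<a href="https://secure-login.example.net/verify">https://www.examplebank.co.uk/login</a>
<a href="https://www.examplebank.co.uk/help">www.examplebank.co.uk/help</a>
<a href="https://secure-login.example.net/verify">Click here</a>"""
```

Calling suspicious_links(SAMPLE) flags only the first anchor; the honest link and the plain "Click here" link pass, which is why a check like this complements staff awareness rather than replacing it.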
Voice phishing, as the name suggests, is when a phisher seeks to gain sensitive information over the phone instead. The calls can either be automated or made by a person. The usual method is to pretend to be from an organization, such as a bank, and state that there is an issue with the victim’s account; the caller will then attempt to obtain account information. Alternatively, if a company rather than an individual is being targeted, the caller may pretend to be from the company’s IT department in order to obtain usernames and logins that allow access to the company’s systems.
Other types of phishing that you may hear of are spear-phishing, where the phishing attempt is aimed directly at a specific individual, and whaling, which is aimed at an individual in a particularly influential role, such as the CEO of a company.
The effects of phishing
It is difficult to calculate the overall cost of phishing attempts. In 2017, cybercrime of all types was calculated to have cost U.K. internet users £4.6 billion, with over 17 million people affected. How much of this is directly attributable to phishing is hard to put a precise figure on, but since, as stated, 91% of attacks are believed to start with a phishing attempt, it can be assumed the share is high.
How do you increase security in a small business?
The key element here is making sure that both you and your staff are aware of the potential risks.
The weakest link in any defense against cybercrime is the person, which is why phishing is so successful. Make sure your staff are aware of any changes in your business that may lead to emails from organizations they haven’t dealt with before. Equally, make sure they know whom to inform if they receive any form of suspicious communication.
If you are in doubt about the authenticity of an email, caller or website, do not give out private or sensitive company information, such as payment or bank details, user names or passwords, or any further email addresses or telephone numbers. Organizations and businesses such as banks and HMRC will not ask you to identify yourself over the phone or by email. A caller claiming to be from an organization you have ties with may ask you to call them back; this is quite a common trick used in many types of attempted telephone fraud. If you do call back, do not use the number that called you. Instead, find a number for the organization independently and call that.
If you receive an unsolicited email with attachments, be cautious before opening them. While the anti-spam filters of most email providers are very good, people with malicious intent are constantly coming up with sophisticated methods of evading them. If you think an attachment may be legitimate, contact the organization that is supposed to have sent it before opening it. It’s worth remembering that the vast majority of organizations will not send this kind of email, and they certainly will not ask for any sensitive information.
If your business is relatively small, or you don’t make much use of online services, you may think you are relatively immune from these sorts of attacks. However, in 2019, with the U.K. government shifting to all VAT returns being completed online, along with the growing number of self-employed people in the U.K., a whole new area has opened up for phishers to attempt to exploit people and businesses.
If you think you have been the victim of a phishing attempt the best thing you can do is report it. ActionFraud is the U.K.'s national reporting center for fraud and cybercrime. It provides a central point of contact for information about financially motivated internet crime. It is run by the City of London Police working alongside the National Fraud Intelligence Bureau.