Email phishing and why your organisation should protect itself

In our series of blogs covering cyber security, this one will focus on how you can train your staff to contribute positively to the cyber security of essential functions.

The National Cyber Security Centre highlights email phishing and some of the defences you can implement in order to make your organisation less vulnerable to a phishing scam. These defences are not restricted to phishing alone and you may wish to consider them. 

If you’re not yet Cyber Essentials accredited, you may want to read ‘Audit your security with Cyber Essentials’ which details the 5 technical controls that must be implemented to protect your organisation against the most common forms of cyber attack.

 

What exactly is email phishing?

There are various types of phishing and all share the same intent - to steal personal data. This blog will concentrate on email phishing, but the majority of us have probably been on the receiving end of cold calls: nefarious individuals claiming to be calling from reputable sources such as your bank or credit card company, wanting to extract further information. It pays to be vigilant - by whatever means you’re approached.

Email phishing has been around since the 1990s and back then was more easily detectable - the English was poor and the grammar incorrect. Sending to any email address they could get hold of, hackers would wax lyrical about a windfall waiting in an account that needed unlocking - all you had to do was respond by clicking on the link within the email. 

Phishing emails are now more sophisticated and harder to detect, and you may need to do a little research in order to identify one. The hackers have also diversified into another area of email phishing known as ‘sextortion’. The victim receives an email that appears to have come from their own email account; it states that their password is known and that a video recording was made whilst adult videos were viewed. The hacker then blackmails the victim - asking for payment in bitcoin.

It’s not just individuals who are susceptible. A news item on IT Pro’s website reported, ‘BBC hit with over 250,000 phishing emails every day’.

As a result of a Freedom of Information (FOI) request it was established that the BBC ‘receives over a quarter of a million malicious email attacks every day’. From January - August 2020, the BBC blocked on average 283,597 scam or spam emails a day. 

Crucially, as the spread of COVID cases increased, so did the volume of phishing emails. This is attributable - according to Tim Sadler, CEO of security software provider Tessian - to ‘cybercriminals prey(ing) on people's desire for information during uncertain times, and bank(ing) on the fact that busy, distracted and stressed employees may miss the signs of a phishing email and fall for their scams.’

Another reason was the upsurge in remote working which is now, for many of us, our new normal. It’s therefore vital that organisations have strong technical security measures in place to patch vulnerabilities and limit the likelihood of attack. Similarly, businesses that have enabled remote working may be relying on staff using their own personal devices (as opposed to company equipment), which means those devices do not have a robust security configuration and the business has no control over them.

(To read up on official statistics, go to Cyber Security Breaches Survey 2021 published 24 March 2021 and contains the latest data on breaches,

 

How do I help protect my employees from email phishing?

Anyone can become a target and as a business owner you need to protect both yourself and your employees. Whether hackers are attempting to install malware (such as ransomware), cause major disruption to your systems, obtain personal information or steal money - there are defences you can put in place to mitigate these attacks.

 

Defending against email phishing - adopt a multi-layered approach

Don’t just rely on your staff being able to spot a phishing email. Even after they’ve had training, it is likely they will need more after a period of 6 months. Presented at the USENIX SOUPS security conference in August 2020, research suggested that security and phishing awareness programmes were less effective as time went on.

Ensuring staff undergo formal security awareness training (such as that provided by Webroot) means they’re mindful of the threat whether they’re at home, work or on the move. 

Training encompasses various aspects, starting with educating employees on how to avoid phishing and other types of social engineering cyber attacks. It’s crucial that they follow the rules regarding both data privacy and compliance regulation. Training should help them identify potential malware behaviours, report the threat and thereby prevent a security infringement.

The advice given by the National Cyber Security Centre is to deploy technical methods that stave off an attack without, at the same time, affecting staff productivity.

The NCSC details 4 layers of defence, which give you more opportunities to detect an attack. You won’t be able to claim a 100% success rate, but being aware that some attacks may get through allows you to plan and minimise any damage they may cause. The layers and solutions to each issue are available on the NCSC’s web page ‘Phishing attacks: defending your organisation’ (and we’ll be covering these in future blogs). Here are the 4 layers of defence:

1. Make it difficult for attackers to reach your users

2. Help users identify and report suspected phishing emails

3. Protect your organisation from the effects of undetected phishing emails

4. Respond quickly to incidents

A useful summary video is published by the NCSC entitled, ‘Phishing attacks: defending your organisation’ and offers guidance on preventing the damage from phishing attacks.

If you would like to know more about how we can help your organisation defend itself against email phishing or security in general, please get in touch with our cyber security team. We’re here to safeguard both you and your staff.

 
