Some other points to consider
Expecting your staff to identify and delete all phishing emails is an impossible request and would have a massively detrimental effect on business productivity. However, many phishing emails still fit the mould of a traditional attack, so look for the following warning signs:
- Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor. Others will try to create official-looking emails by including logos and graphics. Is the design (and quality) what you’d expect from a large organisation?
- Is it addressed to you by name, or does it refer to ‘valued customer’, or ‘friend’, or ‘colleague’? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
- Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like ‘send these details within 24 hours’ or ‘you have been a victim of crime, click here immediately’.
- Look out for emails that appear to come from a high-ranking person within your organisation, requesting payment to be made to a particular bank account. Look at the sender’s name – does it sound legitimate, or is it trying to mimic someone you know?
- If it sounds too good to be true, it probably is. It’s most unlikely that someone will want to give you money or give you access to some secret part of the Internet.
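The warning signs above can be turned into a first-pass triage check that a security team or mail gateway can run over reported messages before a person looks at them. The script below is an added example written for this page; it is not the guidance author’s own tool. It assumes a hypothetical organisation domain (`example.co.uk`), a small staff directory (`KNOWN_STAFF`), and two constructed sample emails, and it flags generic greetings, urgency phrases, payment requests, a display name that mimics a real colleague but comes from another address, a lookalike sender domain and a Reply-To that points somewhere other than the sender.

```python
"""Triage a reported email against the phishing warning signs (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical organisation details: assumed for this example, not taken from the page.
ORG_DOMAIN = "example.co.uk"
KNOWN_STAFF = {"jane smith": "jane.smith@example.co.uk"}  # lower-cased display name -> real address

# Phrases drawn from the warning signs above; extend with lures you actually see.
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(valued customer|customer|friend|colleague|user)\b", re.I | re.M)
URGENCY = re.compile(r"(within 24 hours|immediately|urgent(ly)?|act now|victim of crime)", re.I)
PAYMENT = re.compile(r"(bank account|wire transfer|make (a |the )?payment|pay(ment)? to)", re.I)
TOO_GOOD = re.compile(r"(you have won|prize|lottery|free money|claim your)", re.I)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domain labels such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the warning signs it triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    subject_and_body = f"{msg.get('Subject', '')}\n{text}"
    findings = []

    if GENERIC_GREETING.search(text):
        findings.append("generic greeting")
    if URGENCY.search(subject_and_body):
        findings.append("urgency / veiled threat")
    if PAYMENT.search(subject_and_body):
        findings.append("payment request")
    if TOO_GOOD.search(subject_and_body):
        findings.append("too good to be true")

    # Display name matches a real colleague, but the address is not theirs.
    real = KNOWN_STAFF.get(display.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name impersonates {display} ({addr})")

    # Sender domain is not ours but is within two edits of our first label.
    sender_domain = domain_of(addr)
    org_label = ORG_DOMAIN.split(".")[0]
    if sender_domain and sender_domain != ORG_DOMAIN:
        label = sender_domain.split(".")[0]
        if label != org_label and edit_distance(label, org_label) <= 2:
            findings.append(f"lookalike sender domain {sender_domain}")

    # Replies silently redirected to a different domain are a common tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"reply-to domain differs ({domain_of(reply_to)})")

    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real mail).
SUSPICIOUS = (
    "From: Jane Smith <jane.smith@examp1e.co.uk>\n"
    "Reply-To: finance@mailbox.example\n"
    "Subject: Urgent payment\n"
    "\n"
    "Dear valued customer,\n"
    "\n"
    "Please make a payment to the bank account below within 24 hours.\n"
)
LEGITIMATE = (
    "From: Jane Smith <jane.smith@example.co.uk>\n"
    "Subject: Lunch\n"
    "\n"
    "Hi Tom,\n"
    "\n"
    "Are you free at 12 on Thursday?\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        result = score_message(raw)
        print(f"{label}: score={result['score']} findings={result['findings']}")
```

The score is a count of triggered signs rather than a verdict: a message hitting one rule is worth a look, one hitting four or more should go straight to the people who handle reports. Keeping the heuristics in a script means that the staff guidance and the gateway check stay in step, and that a reported email can be triaged without asking the reporter to explain exactly what looked wrong.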
Make sure that your staff are encouraged to ask for help if they think that they might have been a victim of phishing, especially if they’ve not raised it before. It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.
Do not punish staff if they get caught out. It discourages people from reporting in future and can make them so fearful that they spend excessive time and energy scrutinising every single email they receive. Both these things cause more harm to your business in the long run.
Help your staff understand how sharing their personal information can affect them and your organisation. This is not about expecting people to remove all traces of themselves from the Internet. Instead, support them as they manage their digital footprint, shaping their profile so that it works for them and the organisation. See our separate guidance on training staff for steps to help them identify and avoid common phishing attacks.
Attackers use publicly available information about your organisation and staff to make their phishing messages more convincing. This is often gleaned from your website and social media accounts (information known as a ‘digital footprint’). We have listed the common phishing attacks in a separate post; read through it to familiarise yourself with the methods used by criminals and to help prepare your cyber awareness training.
Understand the impact of information shared on your organisation’s website and social media pages. What do visitors to your website need to know, and what detail is unnecessary (but could be useful for attackers)?
Be aware of what your partners, contractors and suppliers give away about your organisation online.

If you believe that your organisation has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website. Action Fraud is the UK’s national fraud and cyber-crime reporting centre. If you are in Scotland, contact Police Scotland on 101.
You can read our Cyber Security Guide for additional advice to help protect your valuable business information.