The number of phishing attacks against businesses and consumers has increased in recent years.
This aggressive form of data theft and fraud can be financially disastrous, and it is vital that you and your customers are properly protected, especially now that even ‘fail-safe’ organisations like HMRC are falling victim to phishing attacks (read our guide to spotting a fake HMRC email whilst you’re here). So how can you safeguard yourself against phishing?
What is phishing?
‘Phishing’ describes an attempt on the part of criminals to discover and record your personal information. This might include passwords to sites you use regularly, your credit card details, or other such sensitive data.
Phishing generally works by sending emails or other communications that purport to be from a reputable site or institution such as a bank or email provider. Phishing attacks have become increasingly sophisticated, and these communications can be very convincing.
You will then generally be asked to click on a link, which will take you to a page that asks for your details. Alternatively, the link or an attachment might contain ‘malware’, designed to infect your computer and, for example, track your keystrokes in order to gather private data.
Although phishing has existed since at least the mid-1980s, increased email use along with the proliferation of social media platforms such as Facebook has meant that both businesses and consumers are at increased risk from attack.
How can businesses protect themselves against phishing attacks?
There is a common misconception that it is only consumers who are at risk of phishing attacks. In fact, these intrusions affect both individuals and businesses, and it is increasingly important that firms of every size protect themselves.
First, it is vital that you install reputable antivirus and anti-malware software. Spam filters and malware warnings are built into some email providers, such as Gmail, but you should not assume that your own setup has them as standard. This should be a key part of your overall digital security plan.
But how can you identify phishing attacks that do make it into your inbox?
- Messages will often contain phrases like ‘reset your password’ or ‘verify your account’, and you will then be asked to enter your details ostensibly in order to regain access.
- Attacks will often suggest that an account has been suspended, or that you need to give further details in order for your account to remain open.
- Links in emails will often not be what they appear to be. By hovering your cursor over a link you can see whether its real destination matches the address shown. Be wary of links that point to a domain completely different from that of the company named in the email, or to a misspelling of the name of the site from which the email has apparently been sent.
And what should you do if you receive a suspect email?
- Do not click on any of the links contained in the message.
- Do not open any attachments.
- Forward the message to the site from which it purports to have been sent in order to have it validated.
What if a phishing attack is made in my name?
Businesses also need to be alert to the risk of phishing attacks being made in their name. As your business grows this risk increases, and you need to build a strategy to deal with this possibility.
You should already have a clear plan in place for social media crisis management. This plan should include details of the social communications that you will issue in the event of a phishing attack. You should remember that social channels are likely to be the first means by which you learn of a phishing attack, as customers may query suspicious emails with you, using platforms like Twitter or Facebook.
If a phishing attack has been made in your name, prompt action is important. You should issue communications across all available channels making clear that the email is not genuine, that it has not come from you, and that recipients should not click on any of its links or download its attachments.
You should also consider setting up a dedicated email address to which customers can forward suspect emails. This will help you to quickly identify potential phishing attacks, and will enable you to reassure customers as to whether or not a message they have received is genuine.
Finally, you should consider publishing a list of all the email addresses or domains from which you will send emails. By listing these on your website you can provide a simple guide for recipients who have received an email purporting to be from you, but which comes from an unrecognised email address.