The most common cyber threat in the UK is phishing attacks, with at least 80% of businesses and charities having experienced them in 2021 [Cyber Security Breaches Survey 2021]. While they occur frequently, there are some very simple things you can do to avoid most of them.
What is phishing?
In a phishing attack, criminals will send you fake emails trying to trick you into revealing sensitive information or clicking on a link that’ll upload a virus or other malicious code to infect your device or network. Typically, they’ll attempt to get money directly from you or sell your private information. More recently, there’s been an increased number of phishing attacks with political or ideological motives as well.
Prepare your staff
There are a number of things you can do to secure your organisation against such phishing attacks. First and foremost, explain to your team how to deal with them.
The first step in any successful security training is to create awareness. If your team doesn’t know the potential threat that phishing mails pose, they won’t know to be vigilant about them. Talk to your staff about:
- What phishing is
- How it happens
- What risks it poses to them personally and to your organisation.
Train them to spot phishing mails
Explain to your staff what different methods phishing attacks use and show them a few examples of well-known scams, e.g., the Microsoft 365 scam, the HMRC scams or the CEO fraud. Though they’re getting increasingly difficult to spot and some of the more sophisticated mails can even deceive experts, there are some warning signs your team can learn to recognise:
- Emails requesting personal information
If someone is asking for personal data, e.g., for login details or payment information, be extra careful – especially if it’s coming out of the blue. Don’t give out anything, if you’re not 100% sure that it’s legitimate.
- Emails that need urgent attention
Is the message telling you to act quickly, for example within 24 hours or immediately? Scammers often threaten negative consequences if you don’t react quickly.
- Emails claiming authority
Often these mails will look as if they’ve been sent from someone official, e.g., the government, your bank, Microsoft or even your CEO. Don’t be fooled by the email address or the use of logos - those are easily faked.
- Too good to be true emails.
If something sounds too good to be true, it probably is. If you’re being offered some kind of special deal or reward and you don’t know the sender and didn’t initiate the conversation, it’s likely a phishing attack.
- Poor spelling and bad grammar
Many phishing scams are launched from abroad and typically have bad spelling and incorrect use of grammar.
- Unfamiliar greeting or salutation
Some emails will address you with more general terminology like friend, colleague or valued customer. However, don’t rely on all phishing mails to do so. Today many will address you by your name.
- Emails playing on your emotions
Scammers will often try to evoke emotions such as fear, hope or curiosity. They’ll use threatening language, pretend to offer support or try to make you fear missing out.
- Suspicious attachments
Most organisations use file sharing services like SharePoint, OneDrive or Dropbox to store their files. If someone internal sends you a file you should always be cautious; particularly if it has a weird extension.
- Inconsistencies in email addresses, links and domain names
If the email seems to be originating from an organisation you often communicate with, check the sender’s email against previous communication. You should also check the links in the email by hovering over it, just make sure you don’t click on this. If the link is from, for example, Microsoft, but the domain name is not, the mail might be a phishing attempt.
Make sure everyone knows how your organisation operates
Another common trick is to imitate internal or supplier emails. To help your team recognise requests that are out of the ordinary, it’s essential that you make sure everyone understands how you usually operate. For example, do you typically send files as an attachment or do you use Dropbox? How do your suppliers send invoices and to whom?
Some organisations you work with might also have communicated what they’ll never ask you. We, at Log my Care, for example, will never ask you for your password or PIN. Should you get such a request, it’ll likely be a phishing attack from a scammer.
If you’re unsure if the request you received is legit, contact the colleague or external organisation yourself with the information provided on their official website. Don’t use the information provided in the email or click on any links!
Get your team to report suspicious emails
Encourage your staff to report any suspicious emails they identify – especially if they’ve accidentally opened them. If they've received a suspicious email, others in the organisation probably have too.
It’s critical that you don’t punish them for being tricked as this discourages people from reporting such incidents in the future Phishing mails are becoming so professional that even experts find it difficult to recognise them, so, it’s not realistic to expect your staff to identify every single one.
If you’re unsure about an email, you can also forward it to the NCSC’s Suspicious Email Reporting Service (SERS): firstname.lastname@example.org.
If you’ve become a victim of a phishing attack, you can also report it with Action Fraud.
And if you’re using NHS mail, here’s some additional guidance on how to report a phishing mail.
Delete, don’t click
Make sure your staff know how to deal with suspicious emails. They should always delete them straight away, without clicking on any links or opening any attachments - this also includes ‘Unsubscribe’ links. Tell your staff not to respond to these, as it’ll let the criminals know that the email address is in use.
Talk about best practices for handling data
The more sophisticated phishing attacks will use data they find about your organisation and your staff to personalise their scams and make them more convincing. It’s therefore important to discuss with your team how to handle data safely and what information should be made public. They should also be aware of what information is easily found online about your company on your website or social media.