Protecting your business from a phishing attack
In our last blog post, we established that phishing attacks are one of the most common forms of cyber attacks (the 2023 Cyber Security Breaches Survey found that 89% of businesses suffered phishing attacks). This staggering figure highlights the importance of making sure your business is protected, and your people are cyber aware.
In fact, phishing is one of the easiest, and most effective ways for hackers to gain access to your systems, confidential data and even your money.
It is imperative that your staff are trained in how to recognise fraudulent requests. Not only that, your systems and processes must be robust: important requests that are sent electronically, or any type of money transfer should always utilise two-factor authentication of some kind to ensure that your business and your reputation is protected.
Stopping a phishing attack
In this guidance from the National Cyber Security Centre (NCSC), they outline a few ways in which you can help your staff recognise and obstruct phishing attempts.
Ensure staff are familiar with the normal ways of working for key tasks (such as how payments are made), so they’re better equipped to recognise unusual requests
Make processes more resistant to phishing by ensuring that all important email requests are verified using a second type of communication (such as SMS message, a phone call, logging into an account, or confirmation by post or in-person. Other examples of changing processes include using a different login method, or sharing files through an access-controlled cloud account, rather than sending files as attachments
Consider which processes could be mimicked by attackers, then review and improve them so phishing attacks are easier to spot
Think about how your outgoing communications appear to suppliers and customers. Is the recipient expecting an email, and will they recognise your email address? Do they have any way of knowing if links are genuine?
Consider telling your suppliers or customers what to look out for (such as ‘we will never ask for your password’, or ‘our bank details will not change at any point’). This gives the recipient another chance to detect a phish.
How to spot a phishing attempt
There are some common warning signs and indicators with phishing attacks (including but not limited to those below):
Unusual “From” email address
A “Reply-To” email address that is different from the “From” email address
A sense of urgency in the tone of the email body
An unusual email topic, such as confirming bank details or installing a software/application that is not used by the business
An unusual email that asks the recipient to enter/confirm Personally Identifiable Information (PII)
But phishing attempts are getting more sophisticated and business costs are sky-rocketing, meaning that staff are busier than ever before. This creates the perfect opportunity for hackers.
Keeping cyber criminals at bay
So what can you do to better protect yourself and your business? In a small business, it can be hard to prioritise your security; there are many other pressing things that require your attention. This doesn’t make you any less of a target though. It is critical that you have security measures in place to protect your data. Some of the basics include:
Anti-virus or anti-malware software on company devices
Secure password or passphrase storage
Two-factor authentication on all online accounts
Implement a cyber security policy
The North West Cyber Resilience Centre (NWCRC) offers a variety of training which can help you safeguard your business.
Our Simulated Phishing Exercise helps to raise your staff's awareness of phishing emails and makes them more likely to identify and report scams.
Security Awareness Training can be delivered one-to-one, or to larger groups of people and helps to create a culture of cyber resilience in your business and provides staff with the confidence to notice and challenge something that doesn’t look right.
If you understand the importance of improving your cyber hygiene but you’re not sure where to begin, please contact the NWCRC using the details below. We can talk you through our free and paid for services and help you to protect your business.