
Tips and Tricks: Keeping Cyber Safe

Just as burglars don’t wear striped jerseys, a mask, or carry a bag marked ‘SWAG’, cybercriminals have also tightened up their act. This month’s tips and tricks blog explains how cybercriminals can breach your security protocols using a platform you – and your colleagues – use every day.

Phishing is hard to spot, it’s easy to be caught out – and the potential outcomes could bring down your business.

1/ Know your enemy: A widely-quoted Internet stat suggests that cyber criminals send 3.4bn emails every day, and with most office workers receiving more than 100 emails a day it’s easy to imagine something sneaking under the radar.

Tip: Make sure everyone receiving emails in your company’s name understands the scale of the constant bombardment. Scammers are always looking for the weakest link in your security profile. Nine times out of 10 it’s a person, not a system.

2/ Don’t be fooled: These days, it’s not Nigerian aristocracy looking to park millions of USD in your account you need to worry about. Phishing emails seem legit – from your bank, a sender you know. While it may seem a little OTT, a ‘trust no-one’ policy is the safest.

Tip: The quickest and easiest method is to check the sender’s email address. If the email purports to be from Microsoft, but the sender’s email suffix is something wacky, you can be sure that it’s not Bill Gates reaching out to you.

3/ Use your common sense: With phishing emails increasingly well formatted and visually indistinguishable from perfectly legitimate comms, you’ll need to call it. But criminals are not copywriters, and AI can only help them so far. Typos and poor grammar are obvious giveaways, but context also matters. Are the right words in the wrong place?

Tip: Legitimate senders will know your name from a dedicated database. So, anything not personalised, ie ‘Dear Customer/Account Holder/Subscriber’ is likely to be a ‘spray and pray’ phishing attack. They only need two or three to get through to make the exercise worthwhile.

4/ Check the link/s: Banks, enterprises and the other big email senders rarely supply a link. They’ll ask you to log in yourself. However, a link per se doesn’t necessarily mean something nefarious. If a company is taking you to their site, fair enough, but it’s easy to check before you click.

Tip: The destination URL must correlate with the sender’s web presence. So, if the email’s from Dave@yourfavouriteshop.com, and the link purports to lead elsewhere on the Your Favourite Shop site, take a second to hover your cursor over it. You may see a completely different destination hidden under the legitimate destination.

5/ Don’t be rushed: Scammers are not stupid and know their email will not survive extended scrutiny. The longer you have it, the greater the chance you’ll spot a giveaway. Also, we British love a bargain, and hate missing out. So, they’ll add a sense of urgency. Hurry! Deadline approaching! Act now! Ends soon! The clock is ticking! Only XX hours left! (Any of this sound familiar?)

Tip: Again, the chances of an authorised sender using such hyperbolic language are slim.

6/ It may already be too late: Dodgy links and attachments are one thing, but simply opening the email can give up your IP address, Operating System (OS) and location. And that’s all they need to launch a doxing campaign and publish your Personally Identifiable Information online. Where you work, live, your credit card numbers are just the start. No-one grabs this information for charitable purposes.

Tip: It’s important that you – or anyone opening emails in your name – understand the risks lurking in every inbox. While running through a mental checklist of things to do before opening every email is tedious, it’s nothing compared to the hassle of the disaster recovery processes.

7/ There is another way. No matter what your role in the company, and whatever the LOB of that SME, you have better things to do than constantly trying to stay ahead of the curve on data protection. There are dedicated companies who will do all that for you. It’s another expense, sure, but when these breaches cost the UK economy more than £27Bn in 2023 alone, it’s not hard to justify that spend.

Tip: Sprint Infinity can be your outsourced IT partner. We offer all the services you need to do what you do that bit faster, more cost-effectively and safer. When you’re ready to talk, we’re here. (Best avoid sending emails until you do.)
