3 Simple Steps to Reduce Risks from Email Phishing Attacks
With the news dominated by disastrous data breaches at large companies (think TalkTalk or Ashley Madison) you could be forgiven for thinking that small and medium-sized businesses (SMBs) are flying under the radar of hackers and internet fraudsters.
But in fact, the opposite is true. Symantec's 2015 Internet Security Threat Report found that nearly 60% of all targeted phishing attacks last year were directed at SMBs. With most SMBs lacking the robust email security measures of larger enterprises, they're often viewed as 'low hanging fruit' for hackers.
Worryingly, SMBs are also at the greatest risk from the consequences of such an attack – in a recent study by Databarracks nearly 80% of small business owners admitted to having no disaster recovery plans in place to mitigate damage in the event of a major security breach.
It's clear that effective spam-email and phishing security is more crucial than ever. And as we head into 'spam season' (spam email and phishing attacks tend to increase dramatically over the Christmas period) here are 3 simple steps that you can take to reduce the risk to your business.
1. Learn to 'catch phish'
Even the best anti-spam filters won't stop every suspicious email from reaching your inbox. That's why it's crucial to be able to spot a potential phishing attack yourself.
Use our checklist to identify suspicious emails – if you answer yes to one or more of the following questions, be wary. Don't click any links or open attachments, and forward the message straight to your IT support, who will be able to carry out the necessary scans and remediation.
- Does the email contain misspellings or improper grammar?
One of the simplest ways to check the legitimacy of a suspicious email is to look for misspellings or grammatical errors. These are warning signals that an email or text message may be fraudulent. Any legitimate organisation will have their email communications reviewed for spelling, grammar and legalities before sending.
- Does the email contain mismatched URLs?
Check the integrity of embedded URLs by mousing over them with your cursor (without clicking). You should see the actual address displayed in a small pop-up, and if the address displayed doesn't match the address in the hyperlinked text, the message is probably fraudulent or malicious.
- Is the email threatening or urging immediate action?
Phishing artists often use intimidation to scare victims into giving up information. Watch for pushy tactics or threatening language. Don't take the bait. If you're being asked to verify or provide information immediately or urgently, be suspicious.
- Is the email requesting sensitive information?
You should consider any request for personal or financial information to be suspect. Legitimate companies or financial organisations will never ask for these details via email. To be sure, contact the company that the email is purporting to be from directly.
- Does the message contain suspicious attachments?
High-risk attachment file types include .exe, .scr, .zip, .com and .bat. If you're in any doubt, don't download it!
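The same five checks can be run automatically on a message before a user ever sees it. The script below is an added example written for this post; it is not code from the original article or from any product mentioned in it. It parses a raw email, flags anchor text that names a different host from its href, attachments with the high-risk extensions listed above, and urgency or credential-request wording. The sample message it builds (sender address, hostnames, filename) is constructed for illustration, and the phrase lists are illustrative assumptions rather than a complete rule set.

```python
"""Flag phishing indicators in a raw email using the checklist above (added example)."""
import os
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions named in the checklist as high risk.
HIGH_RISK_EXTENSIONS = {".exe", ".scr", ".zip", ".com", ".bat"}
# Illustrative phrase lists (assumption: a real deployment would tune these).
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "account will be suspended")
SENSITIVE_REQUESTS = ("password", "card number", "verify your account", "bank details")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare 'www.example.com' is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def find_mismatched_links(html):
    """Return (visible text, href) pairs where the text looks like a URL
    but the link actually points at a different host (the 'mouse-over' check)."""
    collector = _LinkCollector()
    collector.feed(html)
    mismatched = []
    for href, text in collector.links:
        looks_like_url = "." in text and " " not in text
        if looks_like_url and _host(text) and _host(text) != _host(href):
            mismatched.append((text, href))
    return mismatched


def scan_email(raw):
    """Apply the checklist to a raw RFC 5322 message; return a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    text = (msg["Subject"] or "") + "\n"
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if os.path.splitext(filename)[1].lower() in HIGH_RISK_EXTENSIONS:
                findings.append(f"high-risk attachment: {filename}")
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            for visible, href in find_mismatched_links(html):
                findings.append(f"mismatched link: text '{visible}' points to {href}")
            text += html
        elif ctype == "text/plain":
            text += part.get_content()
    lowered = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency language: '{phrase}'")
    for phrase in SENSITIVE_REQUESTS:
        if phrase in lowered:
            findings.append(f"sensitive-information request: '{phrase}'")
    return findings


def build_sample_email():
    """Construct a sample phishing-style message (all values are made up)."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@paypa1-billing.example>"
    msg["To"] = "finance@smb.example"
    msg["Subject"] = "URGENT: your account will be suspended"
    msg.set_content("Please verify your account immediately or it will be suspended.")
    msg.add_alternative(
        '<p>Please visit <a href="http://paypa1-billing.example/login">www.paypal.com</a> '
        "to verify your account immediately.</p>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in scan_email(build_sample_email()):
        print(finding)
```

Run it as-is to see every checklist item trigger on the constructed message; feed `scan_email` a real `.eml` file's contents to triage a reported message. The link check deliberately ignores anchors whose text is plain words ("Click here"), because only text that claims to be an address can be said to mismatch its target.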
2. Educate your employees
Human error is still the main cause of security breaches and data loss.
Teach your staff how to identify phishing scams and malicious emails themselves, and make sure they know what to do should they receive one. Share our checklist, or develop guidelines of your own, but be sure to follow up with regular reminders (research shows that open rates of internal communication emails are often lower than 50%).
You can also test the effectiveness of your training with an online phishing quiz, such as this one from McAfee. It's an excellent tool, showing real examples of phishing attacks. Try it for yourself – you'll be surprised just how convincing many of the fraudulent messages can be.
3. Make contingency plans
As they say, failing to plan is planning to fail. But if the unthinkable happens, and your system becomes compromised, a disaster recovery plan can keep your core business functions running when you need them most.
A lack of time or in-house resources to set up a contingency plan is no reason to ignore such an essential piece of due diligence. Any IT support provider will be able to help you set up and manage a recovery plan to match your requirements. And with cloud computing, the technology for secure systems backup and data recovery is no longer prohibitively expensive for smaller businesses.
We've been helping businesses manage internet security and disaster recovery plans for almost 9 years. Find out more about how we can help secure your business.
The 3 steps outlined in this post should be the starting point for any effective phishing and spam-management policy. For more information on any of the above, call us on 08456 806 806 or leave a message using the contact form below to speak to one of our dedicated consultants.