How does phishing work?
Phishing often uses scam emails to convince users to click on a malicious attachment or link. Doing so can infect the victim's computer with malware, which reveals private information – allowing an attacker to steal money, disrupt business operations or destroy data.
Phishing attachments often bypass security and anti-virus programmes by using Microsoft Office 'macros', which download malware once the user enables them. Links may lead to seemingly legitimate websites that exploit vulnerabilities in the victim's computer to install malicious code. Alternatively, these webpages may simply trick the user into entering personal information.
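Because Office macros are such a common carrier, a mail gateway can refuse or quarantine any Office attachment that carries a VBA project rather than relying on the recipient to decline the 'Enable Content' prompt. The following is an added example, not code from the original page: it builds three small Office Open XML files in memory (constructed samples, not real documents) and classifies each by whether it contains a VBA project, checking both the conventional part name and the content type declared in the package manifest, since the part can be renamed while the manifest still has to declare it.

```python
import io
import zipfile

# Content type that Office uses for an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OOXML_MAGIC = b"PK\x03\x04"  # Office Open XML files are ZIP containers


def build_ooxml(parts):
    """Assemble a minimal Office Open XML package from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_office_attachment(data):
    """Return 'macro', 'clean' or 'unknown' for an attachment's raw bytes.

    'unknown' covers legacy binary .doc/.xls files and anything that is not
    a readable ZIP container; a gateway would route those to manual review.
    """
    if not data.startswith(OOXML_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Check 1: the conventional part name used for VBA projects.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Check 2: the package manifest must declare the part's type,
            # so a renamed VBA part is still caught here.
            try:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                return "unknown"  # not a well-formed OOXML package
            if VBA_CONTENT_TYPE in manifest:
                return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "unknown"


# Constructed samples (not real Office output; just enough structure to classify).
_DOC_XML = b"<w:document/>"
_TYPES_CLEAN = (
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Override PartName="/word/document.xml" ContentType="application/xml"/></Types>'
)
_TYPES_MACRO = (
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Override PartName="/word/document.xml" ContentType="application/xml"/>'
    b'<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE.encode() + b'"/>'
    b"</Types>"
)
_TYPES_RENAMED = _TYPES_MACRO.replace(b"/word/vbaProject.bin", b"/word/data.bin")

CLEAN_DOCX = build_ooxml({"[Content_Types].xml": _TYPES_CLEAN, "word/document.xml": _DOC_XML})
MACRO_DOCM = build_ooxml({"[Content_Types].xml": _TYPES_MACRO, "word/document.xml": _DOC_XML,
                          "word/vbaProject.bin": b"\x00" * 32})
RENAMED_DOCM = build_ooxml({"[Content_Types].xml": _TYPES_RENAMED, "word/document.xml": _DOC_XML,
                            "word/data.bin": b"\x00" * 32})
LEGACY_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24  # OLE2 header, pre-2007 format

if __name__ == "__main__":
    for label, blob in [("clean .docx", CLEAN_DOCX), (".docm", MACRO_DOCM),
                        ("renamed VBA part", RENAMED_DOCM), ("legacy .doc", LEGACY_DOC)]:
        print(f"{label:18} -> {inspect_office_attachment(blob)}")
```

A result of `unknown` is deliberately not treated as `clean`: the legacy binary formats can also carry macros, and a gateway that cannot parse an attachment should hold it rather than pass it through.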
Sophisticated attackers aim convincing 'spear' phishing emails at carefully selected groups, researching recipients through social media, website information or public facts about their organisation.
High-volume phishing, on the other hand, targets as many recipients as possible – of whom only a tiny percentage have to be caught for possible success. Fake invoices, delivery notifications, receipts and banking updates can all be used as lures in these attempts.
How can you defend your business against phishing?
The risks of phishing can include data theft, hardware damage, fraudulent internet banking redirection and significant financial loss. Here are some ways you can protect yourself:
- install/update reputable anti-virus software
- keep systems up to date with new releases and security patches
- never open attachments, click links or download software from unknown sources or questionable websites
- put in place protective policies and training to ensure that staff have the knowledge to conduct online business safely
- limit access to systems and information based on job duties
- split financial responsibilities between employees
- restrict internet access to trusted websites
- limit the use of external media devices
- be aware of what information is available about you and your organisation on social media and the wider internet
There are several tell-tale signs:
- an unexpected email, such as confirmation for a form you haven't submitted or an order you haven't made
- a new email address from a sender you know
- an unusual greeting or title in the subject box
- a strange tone, or odd language
- an unusual attachment, or a request to enable 'macros'
- a link to a strange URL domain
- any mail or link asking you to enter a password
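Several of these signs can also be checked mechanically before a message reaches the inbox: a known sender name arriving from a new address, link text that names one domain while the link itself points at another, a request to enable macros or enter a password, and a macro-enabled attachment. The checker below is an added example, not code from the original page; the contact list, sender addresses, domains, message text and attachment name are all constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed address book: the address each known sender normally uses.
KNOWN_CONTACTS = {"Jane Smith": "jane.smith@example-supplier.com"}
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm")


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of bare text such as 'www.example.com/portal'."""
    candidate = value if "://" in value else "http://" + value
    return (urlparse(candidate).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flags = []

    # Sign: a known name arriving from an address we have never seen them use.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender is not None:
        usual = KNOWN_CONTACTS.get(sender.display_name)
        if usual and usual.lower() != sender.addr_spec.lower():
            flags.append(f"'{sender.display_name}' usually writes from {usual}, "
                         f"this came from {sender.addr_spec}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # Sign: link text shows one domain, the link target is another.
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, anchor in collector.links:
            shown = host_of(anchor) if re.search(r"\w\.\w", anchor) else ""
            if shown and shown != host_of(href):
                flags.append(f"link text '{anchor}' actually points to {host_of(href)}")

    # Signs: requests to enable macros or to type a password.
    lowered = text.lower()
    if "enable macros" in lowered or "enable content" in lowered:
        flags.append("asks the reader to enable macros")
    if re.search(r"(enter|confirm|verify) your password", lowered):
        flags.append("asks the reader to enter a password")

    # Sign: a macro-enabled Office attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            flags.append(f"macro-enabled attachment {name}")
    return flags


def build_sample():
    """Constructed lure: known name, new address, mismatched link, macro attachment."""
    msg = EmailMessage()
    msg["From"] = "Jane Smith <jane.smith@example-supplier-billing.net>"
    msg["To"] = "accounts@example.org"
    msg["Subject"] = "URGENT: invoice 4471 overdue"
    msg.set_content("Your invoice is attached. Please see the HTML version.")
    msg.add_alternative(
        "<p>Your invoice is attached. Open it and click <b>Enable Content</b> to view it. "
        'You can also visit <a href="http://pay.example-supplier-billing.net/login">'
        "www.example-supplier.com/portal</a> and enter your password to confirm.</p>",
        subtype="html")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 20, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice_4471.docm")
    return msg.as_bytes()


def build_clean_sample():
    """Constructed ordinary message from the same contact's usual address."""
    msg = EmailMessage()
    msg["From"] = "Jane Smith <jane.smith@example-supplier.com>"
    msg["To"] = "accounts@example.org"
    msg["Subject"] = "Delivery date confirmed"
    msg.set_content("Hello, the agreed delivery date of the 14th is confirmed. Regards, Jane")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in phishing_indicators(build_sample()):
        print("-", flag)
    print("clean sample:", phishing_indicators(build_clean_sample()))
```

None of these checks is conclusive on its own, which is why the function returns every indicator it finds rather than a single verdict; a gateway or user-reporting tool can then decide how many are needed to hold a message.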
Malware
Short for 'malicious software', malware is coded with the intention of stealing confidential information from individuals and businesses. Once it breaches a computer or network, it can also spy on internet activity and damage data. An increasingly common form of attack is the fraudulent redirection of internet banking users.
Business email compromise
Also known as CEO/Chairman fraud, business email compromise is one of the emerging forms of cybercrime that frequently targets SMEs. It combines the techniques of malware and phishing to trick users into revealing confidential business information, leading to huge financial damage.
Text and phone scams
This form of fraud spoofs the contact details and websites of legitimate sources to trick targets into making payments or revealing confidential information. Scam calls and texts are often referred to as ‘vishing’ (voice phishing) and ‘smishing’ (SMS phishing) respectively.