Are you protecting your business from phishing attacks?
What’s the most precious part of your business? Depending on your trade, that answer might vary, but when you boil most businesses down to their core, it will usually revolve around money: either the operating capital that keeps you afloat, or the profits that you make on a day-to-day basis as the result of whatever it is that you do.
That information is usually stored electronically, and that has had a profound effect on business efficiency, whether it’s the speed with which you can turn around an email to a client, or the level of detail you can provide the tax office if they come calling. There are few who would advocate for a return to a more fragile, harder-to-index, paper-based business world.
Having said that, the use of technology to run your business isn’t without its risks, especially when it comes to the rising number of phishing attacks. Phishing broadly describes the act of maliciously impersonating some other person or business you deal with (whether it’s your bank manager, your clients or the company that hosts your web site) in order to gain access to your private information. It’s by no means a new concept, but it is one that’s on the rise. The classic phishing approach is via email, because if you’re a scammer, it’s very low cost to execute, and even if 99% of your emails are either bounced back or ignored, the 1% of recipients that you fool could be very lucrative indeed.
There are numerous technological approaches you can take to minimise your exposure to phishing by way of filtering incoming emails, but the best approach by far remains using your own intelligence. A recent report from Mimecast (Updated Email Security Risk Assessment) suggests that emails that intend to impersonate other business bodies for phishing purposes saw a 400% increase in the last quarter. Testing the actual email of 44,000 users over 287 days uncovered 9 million pieces of spam, 8,318 dangerous file types, 1,669 known and 487 unknown malware attachments and 8,605 impersonation attacks.
Bear in mind that in all these cases, the email had already passed through some kind of spam detection filter, which is why it’s vital to keep your wits about you at all times. Always check the simple stuff, like spelling errors, or even errors in the way that you’re addressed. Why would your business partner/bank/other entity not address you by your full name, rather than, say, “customer”? There’s one bit of phishing spam I’ve hit recently that seems to love inverting my name, so it always sends through to kidmanalex, which is a bit of a giveaway. Unfortunately, not all the scammers are quite that dumb.
Even if you don’t operate a business, where many of these phishing scams are targeted, it’s worth keeping your exposure to spam and malware to a minimum. You might think that you have no data worth pillaging or no online banking for the fraudsters to access, but if they can get access to your computer, that’s a valuable resource in and of itself. For email phishing scams, for example, it’s fairly common to route emails through unsuspecting bot-controlled PCs to evade detection, which means that if your machine is compromised, it could be putting others at risk. As we also saw with the recent WannaCry infection, scammers will often use multiple attack vectors, so if the phishing email doesn’t get you, a gap in your patching updates just might.