It all starts with spam…
Employees are vital to the everyday operations of a business, and they are gatekeepers to swathes of lucrative data. This becomes particularly evident when considering the impact of phishing attacks on businesses: the diligence of employees is one of the most potent tools in defending against data breaches and cyber-attacks. Read below for some steps a business can take to support its employees in this.
First off, what is phishing? How does this relate to spam emails?
The National Cyber Security Centre (NCSC) describes phishing as “a type of social engineering where attackers influence users to do ‘the wrong thing’, such as disclosing information or clicking a bad link.”
Phishing attacks occur mostly via email, but can also occur via text message, social media or by telephone. Phishing attacks can be used to steal sensitive information, install malware, sabotage systems or defraud money.
What people often refer to as spam email is, in the cyber-security world, known as phishing: threat actors cast a line (or millions of them) and wait for a payday.
Tip 1: Create and maintain a policy whereby employees are not allowed to use their main business email addresses when signing up for services or websites.
This includes services that are specifically related to an employee’s daily duties.
Instead – supply your staff with secondary email addresses which are to be used for this purpose.
Data breaches have many knock-on effects, one of which is spam. When you sign up to a service or website, you are trusting that company with your information, and if that company suffers a data breach, that information becomes public knowledge.
Threat actors will seek to monetise this information. Among other things, the many thousands of email addresses will be added to databases of potential phishing targets. Threat actors will use these databases to send out millions of phishing attempts, with minimal effort.
The purpose of this tip is to keep your company’s main business email addresses as clean as possible, reducing spam, and reducing the chance of threat actors being able to contact your staff directly.
This tip will not help against more sophisticated spear-phishing attempts (where attackers research your company beforehand to inform their attacks); it simply reduces the volume of spam received from automated, high-volume campaigns.
Tip 2: NEVER click on any links OR allow images/files in emails to be downloaded from unknown senders.
This includes images in the body of an email where your mail client may ask if the sender is trusted and if the images should be loaded/downloaded.
There are several reasons for this. Files and images can perform many malicious tasks on your computer once downloaded, such as opening a backdoor for an attacker, and images in the body of an email can be used by threat actors to track who opens their emails (among other things).
Even when the sender is known, employees should still maintain a degree of scepticism. Threat actors could have compromised another legitimate business’ network and launched the attack from there.
You can configure email clients to block all remote content automatically and ask for permission even when the sender is known. Be aware, though, that constant prompts may make employees complacent about approving them, which can have the reverse effect on security.
Tip 3: Train your staff.
Although Tip 1 will help reduce the amount of spam received in your employees’ main email accounts, it is still likely that they will receive spam – unfortunately, this cannot be avoided altogether. Therefore, the next step to take is to train your staff.
We urge all staff to read through advice on spotting spam emails. Common tell-tale features are typos or general irregularities, e.g. the sender's email address is not quite right (email@example.com instead of firstname.lastname@example.org) or the formatting of the email is strange.
Some phishing/spam is more targeted and convincing, however, so the most important advice is to create a work environment where all staff stay vigilant and are sceptical of any email that asks them to do anything (especially urgently), e.g. "click this link to re-activate your account or the whole world will implode".
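As an added illustration (not part of the original post) of two of the features described above, remote images that report back when a message is opened and a sender address that does not belong to the organisation, here is a small Python triage check run over a constructed sample message. The organisation's domain (example.org) and the sample message are assumptions for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.org"  # assumption: the organisation's own mail domain

# Constructed sample message (not a real email): the display name claims to be
# internal IT, the address is on an outside domain, and the HTML body carries a
# 1x1 remote image that would tell the sender the message was opened.
RAW_MESSAGE = """\
From: IT Support <support@login-verify.example.net>
To: alice@example.org
Subject: Urgent: re-activate your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be closed in 24 hours.</p>
<a href="http://login-verify.example.net/reactivate">Click here</a>
<img src="http://login-verify.example.net/open.gif?u=alice" width="1" height="1">
</body></html>
"""

def parse(raw):
    """Parse a raw RFC 5322 message into an EmailMessage."""
    return message_from_string(raw, policy=policy.default)

def sender_address(msg):
    """Bare address from the From header (ignores the display name)."""
    _, addr = parseaddr(msg["From"])
    return addr.lower()

def sender_outside_org(msg, org_domain=ORG_DOMAIN):
    """True when the From address is not on the organisation's own domain."""
    return not sender_address(msg).endswith("@" + org_domain)

def remote_images(msg):
    """URLs of images the client would fetch from a remote server on open."""
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return []
    return re.findall(r'<img[^>]+src="(https?://[^"]+)"', html.get_content(), re.I)

def review(msg, org_domain=ORG_DOMAIN):
    """Checks a reviewer or gateway can apply before any content is loaded."""
    return {
        "sender": sender_address(msg),
        "sender_outside_org": sender_outside_org(msg, org_domain),
        "remote_images": remote_images(msg),
        "urgent_subject": bool(re.search(r"\b(urgent|immediately|suspend)", msg["Subject"], re.I)),
    }

if __name__ == "__main__":
    print(review(parse(RAW_MESSAGE)))
```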
Action Fraud, the UK’s National Fraud & Cyber Crime Reporting Centre, reports that it received over 8,000 reports of phishing scams every month – with around 70% of those coming from email. Furthermore, according to a report from Verizon, 23% of people will open a phishing email.
You can check whether your email address has appeared in a known data breach on the 'Have I Been Pwned' website. You can also sign up for notifications so that you are alerted if your email address is 'Pwned' in future. If any accounts are found, make sure to change your passwords as soon as possible.
Avoiding spam and phishing attacks is one of the first steps a company can take towards improving its cybersecurity tool kit. As recent reports suggest, it is not a question of if a business will experience a data breach but when.
Moreover, data breaches can severely impact the day-to-day functioning of a business. However, cybersecurity expert Theresa Payton recommends to “fear not the breach” but instead ensure you develop a “cybersecurity playbook”. Having a playbook or policy in place before a breach saves a business valuable time and money. Nicholls Law works closely with a variety of experts in this field and can offer advice on this process, as well as advice after a data breach. Speak to Nicholls Law today to get your cybersecurity playbook and forensic readiness policy in place. Alternatively, visit our specialist Fraud & Cyber Risk website.