Cybercriminals use phishing emails to spread malware more often in times of crisis. They appear to originate from reputable and familiar organisations.
Email phishing spreads malware when a recipient clicks on a call-to-action or link in an unsolicited email. If your employees are duped, the consequences can be devastating for your business, customers, and reputation.
Recent examples of email phishing
- In the UK, individuals were targeted by Coronavirus-themed phishing emails with infected attachments containing fictitious 'safety measures'. The scale of attacks prompted the National Cyber Security Centre (part of GCHQ) to step in and automatically discover and remove malicious sites that served phishing and malware.
- The US Federal Trade Commission reported a spike in email phishing related to the COVID-19 pandemic. A report from Digital Shadows found scammers posing as well-known and reputable organisations - including the World Health Organization and the Centers for Disease Control and Prevention.
- In the Czech Republic, a major Covid-19 testing hub at Brno University Hospital suffered a ransomware attack that disrupted operations and caused surgery postponements. Even after a week, the Czech National Cyber Security Center and Czech law enforcement had not fully restored digital services.
- In Japan, cyber-criminals spread the Emotet banking trojan malware by posing as the state welfare provider and distributing infected Word documents.
How to reduce the risk of email phishing
There are no fool-proof methods to prevent phishing. But you can reduce the risk by installing anti-phishing tools and making your employees aware of the risks.
Workplace malware protection tools may not always succeed. That's why it is important to try and avoid the risks by following a few simple guidelines.
1. Keep your software up-to-date!
It may seem obvious, but both at home and at work, the first line of defence against attacks is the software on your network or device.
That's not just the anti-malware software, but also security patches for your operating system, Windows and any packages you use. It takes seconds to keep it updated and mitigates the consequences of any mistake you might make.
2. Be sceptical about links in branded emails
If you receive an email from a recognised brand (such as a bank, utility, shopping or tech firm), be sceptical if it asks you to click a link, provide your personal information or passwords.
Make sure the domain in both the sender's email address and any links matches that of the actual site as you would find it via a search engine. Hover your mouse over the link and email address to ensure that they match the text displayed.
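One way to automate the check above, added here as an example and not code from the original article: it compares the sender's domain and each link's real target against the organisation's domain (the constructed example-bank.com is assumed throughout), and flags link text that shows a different domain than the href actually points to. The base-domain extraction is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

def registrable_domain(host: str) -> str:
    """Crude base domain (last two labels); a public-suffix list is needed for e.g. co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (href, displayed text) pairs
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw: str, expected_domain: str) -> list:
    """Return findings; an empty list means sender and every link match expected_domain."""
    msg = message_from_string(raw)
    findings = []
    sender = registrable_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    if sender != expected_domain:
        findings.append(f"sender domain {sender} != {expected_domain}")
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target != expected_domain:
            findings.append(f"link target {target} != {expected_domain}")
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())  # domain written in the link text
        if shown and registrable_domain(shown.group()) != target:
            findings.append(f"displayed {shown.group()} but goes to {target}")
    return findings

# Constructed sample: look-alike sender domain (digit 1 for letter l); link text shows the real domain.
SAMPLE = """From: Security Team <alerts@examp1e-bank.com>
Content-Type: text/html

<p>Dear Customer, <a href="http://login.examp1e-bank.com/verify">www.example-bank.com</a></p>
"""
```

Running `check_message(SAMPLE, "example-bank.com")` returns three findings (sender mismatch, link target mismatch, and displayed-text mismatch), while a message whose sender and links all sit under example-bank.com returns an empty list.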
3. Avoid oversharing personal information on social media
Avoid sharing your position, job title, location, company and even age on social media (with the obvious exception of sites like LinkedIn and Workplace).
It can make you more susceptible as scammers can use it to make their emails more credible (e.g. "Hey, I work with Julie in Accounts at X").
4. Train yourself to recognise personal styles
Make yourself familiar with how colleagues and suppliers communicate with you. It will help you to recognise their personal style in terms of the words and phrases they use, their usual sign off, etc. This can help you detect impersonators.
5. Notify your IT team of suspicious emails
If you are suspicious of an email, then forward it to your IT team. It allows them to investigate and, if necessary, both block the sender and warn your colleagues.
Remember, don't open the email or click on any links. But if you do, tell your IT team immediately so that they can mitigate any consequences.
6. Be wary of requests from generic addresses
If you receive an email from a generic address, e.g. customerservice@, help@, hr@, itsupport@, or payroll@, always be suspicious. If they ask for any personal information, check the sender's identity before responding - even if that means calling them to check!
7. Know the red flags
- Generic greetings (e.g. Dear Customer, User, Colleague, Friend).
- Inconsistent or unusual sender information (e.g. email domain, sender name).
- Poor formatting (e.g. poor quality logos, inconsistent font sizes and colours).
- Spelling/grammar mistakes.
- Alarming content with dire warnings and claims of serious consequences, often coupled with a need to act urgently.
- Incorrect facts (e.g. locations/names).
- Offers of financial rewards or penalties.
- Lack of legally required links to unsubscribe etc.
8. Finally, trust your instincts
If it sounds too good to be true, it usually is.