Criminals often take advantage of a crisis by using phishing emails that appear to originate from reputable and familiar organisations. We've got some tips to keep your team safe.
Email phishing is a technique used by cybercriminals to spread malware when a recipient clicks on a call-to-action or link in an unsolicited email. When they are successful, the consequences can be devastating for your business, your customers and your reputation.
Recent examples of email phishing
- In the UK individuals have been targeted by Coronavirus-themed phishing emails with infected attachments containing fictitious 'safety measures'. The scale of attacks has prompted the National Cyber Security Centre (part of GCHQ) to step in and automatically discover and remove malicious sites that serve phishing and malware.
- The US Federal Trade Commission has reported a spike in email phishing related to the COVID-19 pandemic. A report from Digital Shadows found scammers posing as well-known and reputable organisations - including the World Health Organization and the Centers for Disease Control and Prevention.
- In the Czech Republic a major COVID-19 testing hub at Brno University Hospital suffered a ransomware attack that disrupted operations and caused surgery postponements. Even after a week, the Czech National Cyber Security Center and Czech law enforcement had still not fully restored digital services.
- In Japan cybercriminals spread the Emotet banking trojan malware by posing as the state welfare provider and distributing infected Word documents.
Help your employees reduce the risk of email phishing
There are no foolproof methods to prevent phishing. But you can reduce the risk by installing anti-phishing tools and making your employees aware of the risks.
Generally, in the workplace there are many ways employees are protected from malware, but even these are not always successful. That's why it is important to try to avoid the consequences by following a few simple guidelines.
- Keep your software up to date! It may seem obvious, but both at home and at work the first line of defence against attacks is the anti-malware software on your network or device. It takes seconds to keep it updated and mitigate the consequences of any mistake you might make.
- Be sceptical from the start about any email you get from a recognised brand (such as a bank, utility, shopping or tech firm) that asks you to click a link, provide your personal information or passwords.
- Avoid oversharing information about your position, title and where you work on social media - it can make you more susceptible as scammers can use it to make their emails more credible (e.g. "Hey I work with Julie in Accounts at X").
- Train yourself to recognise personal styles (e.g. how people generally communicate with you, words and phrases they use, their usual sign off, etc.) - this can help you detect impersonators.
- Delete any suspicious email without opening it or clicking on any links, or forward it to IT for investigation - don't let your curiosity force you into an error.
- Don't respond to information requests from generic senders - e.g. IT, HR or Payroll.
- Watch out for red flags:
  - Generic greetings (e.g. Dear Customer, Dear User, Dear Colleague, Dear Friend)
  - Inconsistent or unusual sender information (e.g. email domain, sender name)
  - Poor formatting (e.g. poor quality logos, inconsistent font sizes and colours)
  - Spelling/grammar mistakes
  - Alarming content with dire warnings and claims of serious consequences, often coupled with a need to act urgently
  - Incorrect facts (e.g. locations/names)
  - Offers of financial rewards or penalties
  - Lack of legally required links to unsubscribe etc.
- Finally, trust your instinct - if it sounds too good to be true, it usually is.
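Several of the red flags above (sender name that does not match the sending domain, a Reply-To pointing somewhere else, a generic greeting, urgency language, and links whose visible text names a different site than the real destination) can be checked mechanically before a message reaches a person. The script below is an added example written for this post, not code from the original article or from any vendor; the brand-to-domain mapping, the threshold and both sample messages are constructed for illustration, and a real deployment would load the trusted-domain list from your own mail infrastructure.

```python
"""Heuristic phishing red-flag checker (added example, not from the original post).

Scores a raw RFC 822 message against the red flags listed in the article.
TRUSTED_DOMAINS and the two sample messages below are constructed for
illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear colleague", "dear friend")
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "act now", "final notice")
# Hypothetical brand -> legitimate sending domain mapping (constructed).
TRUSTED_DOMAINS = {"Acme Bank": "acmebank.example"}

_LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
_TAG_RE = re.compile(r"<[^>]+>")


def _domain(header_value):
    """Lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(domain, legit):
    """True when `domain` is the legitimate domain or a subdomain of it."""
    return domain == legit or domain.endswith("." + legit)


def _related(a, b):
    """Looser check for link text vs. href: ignore 'www.' and allow either side to be the parent."""
    a, b = re.sub(r"^www\.", "", a), re.sub(r"^www\.", "", b)
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def _body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def find_red_flags(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags found in one raw message."""
    msg = message_from_string(raw_message)
    flags = []

    # Red flag: display name claims a known brand but the address domain is not that brand's.
    from_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    for brand, legit in trusted.items():
        if brand.lower() in from_name.lower() and not _same_org(from_dom, legit):
            flags.append(f"sender name claims '{brand}' but address domain is '{from_dom}'")

    # Red flag: replies are steered to a different domain than the one the mail came from.
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    body = _body_text(msg)
    text = _TAG_RE.sub(" ", body).lower()

    # Red flag: generic greeting instead of the recipient's name.
    for greeting in GENERIC_GREETINGS:
        if greeting in text:
            flags.append(f"generic greeting '{greeting}'")
            break

    # Red flag: pressure to act urgently, in the subject or the body.
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    # Red flag: visible link text names one domain, the real href goes to another.
    for href, anchor in _LINK_RE.findall(body):
        real = (urlparse(href).hostname or "").lower()
        shown = _DOMAIN_RE.search(_TAG_RE.sub("", anchor))
        if shown and not _related(real, shown.group(0).lower()):
            flags.append(f"link text shows '{shown.group(0)}' but points to '{real}'")

    return flags


def is_suspicious(raw_message, threshold=2):
    """Treat a message with `threshold` or more red flags as one to forward to IT."""
    return len(find_red_flags(raw_message)) >= threshold


# Constructed sample: a lure impersonating the hypothetical 'Acme Bank'.
PHISHING_SAMPLE = """\
From: "Acme Bank Security" <alerts@acme-bank-verify.example>
Reply-To: support@mailbox-reset.example
To: jane.doe@corp.example
Subject: URGENT: Your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. You must verify your details within 24 hours or your account will be suspended.</p>
<p><a href="http://acme-bank-verify.example/login">https://www.acmebank.example/login</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN_SAMPLE = """\
From: "Jane Doe" <jane.doe@corp.example>
To: bob@corp.example
Subject: Lunch tomorrow?
Content-Type: text/plain; charset=utf-8

Hi Bob,

Fancy lunch tomorrow at 12? Let me know.

Jane
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label}: suspicious={is_suspicious(sample)}")
        for flag in find_red_flags(sample):
            print("  -", flag)
```

Run as-is it reports five flags for the constructed lure and none for the benign note. The checks are deliberately simple string and header comparisons so the logic stays readable; in practice they complement, rather than replace, the sender-authentication and URL-reputation checks in a mail gateway, and the "lack of unsubscribe link" flag from the list is left out because it only applies to bulk mail and would fire on every personal message.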
Want to know more about Information Security?
As well as 50+ free compliance training aids, we regularly publish informative Information Security blogs. And, if you're looking for a compliance training solution, why not visit our Compliance Essentials course library.
If you've any further questions or concerns about Information Security, just leave us a comment below this blog. We are happy to help!