Criminals often take advantage of a crisis by using phishing emails that appear to originate from reputable and familiar organisations. We've got some tips to keep your team safe.
Email phishing is a technique used by cybercriminals to spread malware when a recipient clicks on a call-to-action or link in an unsolicited email. When they are successful, the consequences can be devastating for your business, your customers and your reputation.
Recent examples of email phishing
- In the UK individuals have been targeted by Coronavirus-themed phishing emails with infected attachments containing fictitious 'safety measures'. The scale of attacks has prompted the National Cyber Security Centre (part of GCHQ) to step in and automatically discover and remove malicious sites that serve phishing and malware.
- The US Federal Trade Commission has reported a spike in email phishing related to the COVID-19 pandemic. A report from Digital Shadows found scammers posing as well-known and reputable organisations - including the World Health Organization and the Centers for Disease Control and Prevention.
- In the Czech Republic, a major COVID-19 testing hub at Brno University Hospital suffered a ransomware attack that disrupted operations and caused surgery postponements. Even after a week, the Czech National Cyber Security Center and Czech law enforcement had still not fully restored digital services.
- In Japan, cyber-criminals spread the Emotet banking trojan malware by posing as the state welfare provider and distributing infected Word documents.
How to reduce the risk of email phishing
There are no fool-proof methods to prevent phishing. But you can reduce the risk by installing anti-phishing tools and making your employees aware of the risks.
Generally, in the workplace, there are many ways employees are protected from malware, but even these are not always successful. That's why it is important to try and avoid the consequences by following a few simple guidelines.
- Keep your software up-to-date! It may seem obvious, but both at home and at work the first line of defence against attacks is the anti-malware software on your network or device. It takes seconds to keep it updated and mitigate the consequences of any mistake you might make.
- Be sceptical from the start about any email you get from a recognised brand (such as a bank, utility, shopping or tech firm) that asks you to click a link or provide your personal information or passwords.
- Avoid oversharing information about your position, title and where you work on social media - it can make you more susceptible as scammers can use it to make their emails more credible (e.g. "Hey I work with Julie in Accounts at X").
- Train yourself to recognise personal styles (e.g. how people generally communicate with you, words and phrases they use, their usual sign off, etc.) - this can help you detect impersonators.
- Delete any suspicious emails you get without opening them or clicking on any links, or forward them to IT for investigation - don't let your curiosity force you into an error.
- Don't respond to information requests from generic senders - e.g. IT, HR or Payroll.
- Watch out for red flags:
  - Generic greetings (e.g. Dear Customer, Dear User, Dear Colleague, Dear Friend)
  - Inconsistent or unusual sender information (e.g. email domain, sender name)
  - Poor formatting (e.g. poor quality logos, inconsistent font sizes and colours)
  - Spelling/grammar mistakes
  - Alarming content with dire warnings and claims of serious consequences, often coupled with a need to act urgently
  - Incorrect facts (e.g. locations/names)
  - Offers of financial rewards or penalties
  - Lack of legally required links to unsubscribe etc.
- Finally, trust your instinct - if it sounds too good to be true, it usually is.