No one likes to be fooled. Especially when it costs us money.
Last year phishing emails cost UK businesses almost £6.91 billion.
You may have heard of phishing emails because they have been around for a long time. You may even think you know how to spot phishing emails, but the statistics show that successful phishing attacks are increasing.
Last year 1.3 million UK businesses were affected by phishing emails, making it the most common form of cyber attack.
Phishing emails are not going away anytime soon. Your business is receiving these emails, so your business needs to know how to identify them and how to deal with them.
In this blog, I'll explain what phishing emails are, why they are so dangerous to a business, how you can spot phishing emails and give you some actionable tips on how to protect your business from them.
What are phishing emails?
'Phishing emails' is a term you will often have heard, but what are they? A phishing email aims to trick the recipient into doing what the scammer wants. That could be handing over a password so they can get into your accounts, sending credit card or payment details, or clicking a link that installs malware on your network. One of the biggest threats is the delivery of ransomware such as CryptoLocker, which encrypts all your files and demands payment to get them back.
The emails (and any web pages they lead you to) are designed to look as genuine as possible, so they fool the reader into believing they are legitimate.
Keepnet labs produced a phishing study for 2017. They found that 48.2 per cent of phishing emails were opened by the target (that is an increase from 30 per cent from a similar study by Verizon in 2016). Of those emails opened, 31.5 per cent went on to click the malicious link or attachment in the email. That is almost triple the percentage in Verizon's 2016 report (12 per cent). So if you believe your staff would not open phishing emails the study suggests otherwise. The emails are getting opened and the links are getting clicked.
Awareness may be increasing but as the stats show phishing emails are still working, and the success rate is rising. That is bad news for businesses.
Why are phishing emails a problem?
Think about how many emails you receive in a day. A business owner easily receives 50 emails each day. Now think about how many emails each member of staff receives in a day. Most businesses receive hundreds, even thousands, of emails each day. Research by Radicati predicts that in 2018 124.5 billion business emails will be sent and received each day.
Among all those emails lurk the danger of a phishing email that could cost your business a lot of money. Recently we spoke with a business that received a phishing email that was so realistic they followed its request and made a five-figure payment.
The real danger with phishing emails is how sophisticated and realistic they have become. Gone are the days of the 'Nigerian Prince' scam emails. While anti-spam is a great form of defence (and I'll cover other ways you can protect your business later), some phishing emails can still get through. Then it's down to human error for them to be successful.
Because phishing emails have become so effective, 59% of business decision-makers named them the chief security concern for their business (study by cyber security firm Clearswift).
The WannaCry ransomware that caused so much damage in 2017 was widely reported at the time to have been spread by phishing emails; later analysis showed it spread mainly by exploiting unpatched Windows file sharing (SMB), which is exactly why the patching advice later in this post matters. Either way, the damage ransomware can do to a business is severe. Imagine a member of your staff clicks a link in a phishing email and it locks all their files. The malware then spreads through your network and locks everyone else's files. Suddenly the whole business can no longer access anything. What would you do? What would your customers think? This isn't an attempt by me to scare you; it's making clear that phishing emails are serious business.
How to identify phishing emails?
Carefully analyse the URLs
Many phishing emails ask you to click a link that looks innocent but leads to a malicious web page or downloads a malicious file. The text you see in the email is not necessarily where the link goes. Before you click anything, hover over the link (don't click it) and check that the destination shown matches the site the email claims to be from. If the address is for a different domain, or is hidden behind a link shortener, treat it as malicious. On a phone you usually cannot hover, so wait until you are at a computer, or type the company's real address into your browser yourself instead of following the link.
Does the message ask for personal information?
One of the easiest ways to identify a phishing email is if it asks for credentials or personal information of any kind. This could include usernames, passwords, credit card information, and much more.
A typical phishing email is a fake invoice, made to look like a genuine invoice from a company you do business with. Bear in mind that most large institutions will contact you by other means, usually post or a phone call, if they need you to do something, and no legitimate organisation will ask you to send a password by email. Never hand over credentials or payment details in reply to an email.
Does the message contain spelling or grammar errors?
More often than not, large companies that reach many people with their marketing campaigns or other offerings practice proper spelling and grammar in their emails. This isn’t always the case with phishing scams. If the message doesn’t look professional, it probably isn’t and should be treated as a threat.
Their offer doesn’t make sense
Have you ever heard the saying, “If it’s too good to be true, it probably is!” This applies to phishing emails. If you receive messages that are offering you a small fortune or claim that you’ve won a lottery (especially if you did nothing to warrant doing so), chances are you’re dealing with a phishing scam. Promptly call your IT support provider. If this isn't possible, then delete the email and then delete again from your deleted items folder.
Don’t click or download unexpected attachments
One of the leading sources of ransomware and other computer threats is the email attachment. Sometimes it looks like a CV, shipping information for a package you weren't expecting, an invoice, or some other document or zip file. No matter how legitimate it seems, if it is unexpected or not coming through the proper channels, follow up with the sender before opening it, using a phone number you already have rather than replying to the email or calling a number it gives you. Don't risk it if there are any red flags.
A strange or mismatched sender address
A very common phishing email pretends to be from an official company account telling you there is a problem with your account and urge you to click a link to verify your account details. The email will look extremely realistic and with all the correct contact details and correct spelling and grammar.
However, what about the sender address? In many instances the scammer doesn't use the real address and relies on the target not checking it. Sometimes there is only a slight change, maybe one letter missing from the domain name, e.g. Infotec.co.uk instead of Infotech.co.uk. Other times the sender address is a string of characters that is clearly made up, while the display name shows the brand the scammer is impersonating. Check the sender address, not just the name, before you do anything, and if you're still unsure call the company yourself on a number you already have to verify.
In the last example, I said that in many instances the scammer doesn't use a real sender address. That is not a guarantee: the From address can be forged unless your email system checks it (SPF, DKIM and DMARC, which a good email security product will enforce), and a scammer who has broken into a genuine mailbox can send from a real address. One of the latest phishing attacks does exactly this, sending a payment request that appears to come from the boss; it is commonly known as CEO fraud.
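The two checks above, hovering over a link to compare where it says it goes with where it really goes, and comparing the sender's domain with the domains you actually deal with, can be automated. Below is an added example written for this post (it is not a product InfoTech sells or code from the original article). It assumes a small list of trusted domains and a constructed sample email; both are invented for the demonstration. It parses the raw message, flags a sender domain that is one letter away from a trusted one or a display name that claims a trusted brand from an untrusted address, and flags any link whose visible text names a different site from the real href.

```python
"""Flag two phishing tells: a lookalike or brand-spoofing sender, and a
link whose visible text and real destination disagree.

Added example for illustration; TRUSTED_DOMAINS and SAMPLE_EML are
constructed for the demo, not taken from any real mailbox."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this business genuinely corresponds with.
TRUSTED_DOMAINS = ("infotech.co.uk", "edfenergy.com", "microsoft.com")

# Constructed sample: spoofed display name plus a link whose text lies.
SAMPLE_EML = """\
From: "EDF Energy Billing" <billing@edfenergy-secure.com>
To: accounts@infotech.co.uk
Subject: Your bill is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your latest bill is ready. View it at
<a href="http://edf-bill.example.net/login">https://www.edfenergy.com/myaccount</a></p>
</body></html>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a single missing, extra or swapped letter is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels, or three for co.uk-style."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(from_header: str) -> list[str]:
    """Warnings for a From: header whose domain is a near-miss of, or whose
    display name borrows the brand of, a trusted domain."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address unparseable"]
    domain = registrable(addr.rsplit("@", 1)[1])
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    squashed_name = name.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 1:
            findings.append(f"sender domain {domain!r} is one edit from trusted {trusted!r}")
        brand = trusted.split(".")[0]
        if brand in squashed_name:
            findings.append(f"display name {name!r} claims {brand} but address is {addr}")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list[str]:
    """Warn when link text names one site but the href goes to another."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable(shown.group(1)) != registrable(real_host):
            findings.append(f"link text says {shown.group(1)} but goes to {real_host}")
    return findings


def analyse(raw_message: str) -> list[str]:
    """Run both checks over a raw RFC 822 message and return the warnings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


if __name__ == "__main__":
    for warning in analyse(SAMPLE_EML):
        print("WARNING:", warning)
```

Run against the sample it reports two warnings: the display name claims EDF Energy while the address is on an unrelated domain, and the link text says edfenergy.com while the href goes to example.net. Feeding it a From: line of accounts@infotec.co.uk produces the one-letter lookalike warning from the post. It is deliberately a reading aid, not a filter: a genuine mail that links to a tracking domain will also trip the link check, which is exactly the kind of link a reader should be pausing on.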
The latest phishing emails
Here are some examples of the latest phishing emails that are being sent through to businesses. These have been taken from the emails we have received in the last month.
This email has been made to look realistic but look at the sender address. By checking that sender address, you can see this isn't real.
Again, look at the sender address on this example, and you can see that it's not a real email.
When you hover over the link in this email, it shows that the link doesn't go to EDF Energy and is unrelated to that site, meaning the link is most likely malicious and should not be clicked.
How can you protect from phishing emails
Install a spam filter
You will never be able to stop all spam emails, but anti-spam filtering can minimise how many reach your inbox. The good news is there is a wide range of anti-spam products to choose from, but that can also make it difficult to pick the best one for your business.
We recommend anti-spam and robust email security products to all our customers and any other businesses we talk with.
Update your software and hardware drivers regularly
It is essential to make sure your computers are kept up to date with all the latest software updates. Many attacks exploit a vulnerability that has already been fixed by an update. If you don't install that update, the vulnerability is still there to be exploited.
We offer a service of regular patching to make sure all your machines have the latest updates installed.
Train your employees
Phishing emails are becoming more and more sophisticated, which is a large part of why their effectiveness increased between 2016 and 2017. Because the emails and the scammers behind them have become so sophisticated, it is impossible to stop all of them reaching your inbox. Even the very best anti-spam will not catch every one. The emails that make it past antivirus and email security are so realistic that they are tricking employees.
Create a training guide, or use an existing one, to help educate your employees on how to spot phishing emails and avoid clicking on the malicious links. We use an excellent training resource called KnowBe4 that sends emails to your staff to test how good they are at spotting phishing emails.
Become Cyber Essentials certified
Cyber Essentials is a Government scheme that sets a baseline of technical controls to help businesses improve their cyber security. The scheme addresses the most common internet-based attacks, including phishing emails.
Working with InfoTech Solutions to go through Cyber Essentials certification can make sure you have the protections in place to reduce the threat of phishing emails.
There are many other ways to protect your business from phishing emails, but these five are a great place to start. Beyond these steps the work becomes a lot more technical, and I would recommend getting help to implement them. Besides helping with phishing emails, Cyber Essentials is a good step towards meeting the security requirements of GDPR, though certification alone does not make a business GDPR compliant.
How InfoTech Can Help
Phishing emails are an ever-evolving form of cyber attacks. We can help you by installing and then managing anti-spam and other security products to reduce the number of phishing emails making it to your inbox.
Using KnowBe4 we can help you educate, train and test your staff and their understanding of phishing emails.
We can also help take you through Cyber Essentials certification to give you extra peace of mind about your cyber security. Get in touch to find out more about how we can help your business and your staff with phishing emails.
Phishing emails are not going away any time soon. In fact, they are becoming more sophisticated and more successful. I've given you five tips to get started on protecting your business from the phishing email threat. If you haven't installed an anti-spam or email security solution, start by doing that. If you have already done that, double check that they are up to date and set up correctly. You must also test and educate your staff regularly, because that is going to be the best way to protect your business. Even if you stop all but one phishing email reaching an inbox, if that email is opened and the link is clicked, all that protection was for nothing.
Phishing emails are already costing UK businesses millions of pounds. If you think it won't happen to you, then please think again.
Depending on your current IT solutions there may be some costs involved, but they are far smaller than the cost of doing nothing at all.