Phishing Prevention Guide: Protect Your Business from Phishing Attacks and Scams

8 mins

05 May 2021

Cybercrime is big business. With whole industries built around stealing sensitive data, online baddies have a whole arsenal of tools and tricks they use to exploit - and damage - companies. From small businesses to the largest corporations, one of the oldest cyber-attacks remains one of the most effective: phishing.

Phishing is one of the easiest forms of cyber-attacks for a criminal to carry out, because it targets the weakest link in the chain – people.

Designed to exploit well-meaning employees, phishing can provide scammers with everything they need to infiltrate every aspect of a victims personal and working life, stealing data, passwords, and financial information along the way.

For individuals, that can mean anything from identity fraud to unauthorized credit card purchases. For companies, it can be a disastrous foothold into networks as part of a larger attack, with financial losses and reputational damage a common consequence.

What is phishing?

A basic phishing attack is a method of gathering personal information, usually using email as a weapon.

Our guide to identifying phishing attacks explains the most common threats in detail with examples of what a phishing scam typically looks like. Whilst the mechanics of these scams vary, the goal is always the same: to trick the email recipient into believing that the message is from a trusted source and then duping them into clicking a malicious link.

Once a link is clicked, businesses can expect malware, frozen systems, ransomware attacks and for their data – both their own and their clients – to be stolen and sold to the highest bidder.

What makes a phishing scam different from other cyber-attacks?

What really distinguishes phishing scams from other forms of cyber-attacks is the element of social engineering.

For example, a cybercriminal might pretend to be someone important and trusted, such as your Chief Executive or Head of Accounts. To gain information, hackers will send a fake email designed to make the victim feel a sense of fear, curiosity, or urgency. In turn they quickly open a dodgy attachment or send important details like bank/credit card details, usernames, or passwords.

Hackers rely on the fact that most staff are eager to please their superiors and won’t question them, so they freely give out sensitive information they would normally hang on to.

Am I vulnerable to a phishing attack?

In a word, yes. With around 135 million phishing attacks attempted every day, it’s highly likely that you, or a member of your team, will receive a phishing email. Whilst it’s easy to think “it’ll never to me”, can you be as confident about every member of your team?

Hackers know that a company’s cyber security is only as strong as its people, which is why cybercriminals work hard on manipulation tactics that can compromise security. Even the savviest of staff members can take the bait, and its little wonder.

It's estimated that 3.7 billion people send around 269 billion emails every single day, meaning most people simply don't have the time to carefully analyse every message which lands in their inbox - and this is what hackers look to exploit.

Cybercriminals will also go to great lengths to mimic the style of company emails, copying colours, logos, and email signatures to make messages look legitimate. Malicious links usually resemble their genuine counterparts so closely that it’s difficult to tell the difference. Lastly, there’s often a sense of urgency, that causes the staff member to panic and therefore be less vigilant.

That’s why 30% of phishing messages are opened by targeted users, with 12% of those users going on to click the links or attachments.

Types of phishing

From spear phishing to wide net attacks, companies need to stay ahead of cybercriminals by understanding exactly what a phishing attack looks like. With the average phishing scam costing a mid-sized company around £1.22 million, businesses simply cannot afford to be caught out.

Whilst there are various types of phishing scams, generally they will ask the intended victim to do one of two things:

Hand over sensitive information: These messages aim to trick the staff member into revealing important data. They tend to include a link to a malicious site that looks like a company webpage and asks for a username and password, which the hacker will then use to break into an account or system.

Download malware: Like a lot of spam, these scams aim to install malware on your computer via a legitimate looking attachment. For example, you might receive a form or spreadsheet from what appears to be an internal email address. Clicking on the form then installs the malicious code embedded in the file on your network.

5 ways to identify phishing emails

Phishing is a popular scam because it gives criminals direct access to the most vulnerable part of any network – the users. According to Iconsclales Email Security Report, 90% of successful cyberattacks trace back to phishing emails, so it’s important you and your employees know how to recognise a fraudulent email.

Check the source

A favourite tactic used is sender or domain spoofing. The display name shown from the email header may look familiar, perhaps a colleague or recognised business. However, take a close look at the full email address or at the email properties. The sender address may be misspelled or slightly altered but may resemble a well-known domain.

Check the content

Read through the entire email before clicking anything. Often the language gives away a phishing email so check for spelling and grammatical errors.

Links and attachments

Before clicking any hyperlink hover over it and if the address is different from the what’s displayed, or it looks like a misspell of a familiar domain name, then it’s probably fraudulent.

Is the email threatening?

The types of phishing campaigns that are most successful are ones that invoke a sense of urgency or fear so you will be inclined to act without thinking. Legitimate companies - or co-workers - would rarely use a threatening tone. If you’re concerned contact the company or the person directly.

What is the purpose of the email? 

No matter where the email is sent from or how official it looks nobody should ask you to send personal information over email. Just because an email has convincing brand logos, language, and a seemingly valid email address does not mean you should ever provide any personal information or sensitive data over email. Again, if in doubt ask the person making the request directly.

What to do if you suspect a phishing attack

Don’t click anything: This is the first and most important rule – if you suspect you’ve received a fake email or a phishing message, don’t interact with it. That means don’t download files, avoid clicking on links, and don’t reply. Be cautious and report it to your IT support team if at all suspicious.

Reporting a phishing email: Even if you’re certain you haven’t clicked anything or your business isn’t in any danger, let the security experts in your IT team know what happened. Phishing attacks are rarely targeted at a single person and chances are you co-workers are also going to find themselves on the receiving end of a fake email.

Clicked by accident? There’s always a chance you won’t notice the true nature of a phishing email until you’ve clicked. If that happens, expediate reporting it immediately. Be sure to tell your IT security team all the details; remember this isn’t about blame, it’s about keeping your data safe.

How can I prevent a phishing attack?

There are numerous ways to avoid falling prey to a phishing attack – download our guide to phishing attacks and discover how to fight back against cyber criminals.

As we’ve mentioned, for staff members vigilance is key. If an email doesn’t look quite right, it probably isn’t.

For business owners, it’s about having the right cybersecurity tools in place - from up-to-date technology to a robust IT security policy. Installing, monitoring, and updating anti-virus protection, SPAM filters, web filters and anti-phishing toolbars take time, but are crucial to stopping the potentially devastating effects of a cyber-attack.

We’re here to help with your cyber security

As a business owner you’re already working hard, and keeping your cybersecurity ship shape is a lot to take in. So, if you’d like to find out more about phishing attacks or the dangers of fake emails, why not contact us. We have a range of cybersecurity solutions and we’re on hand with clear, friendly advice to help you get started.

Need reliable IT support in Edinburgh?

Book a call with our lead technician.

No salespeople, no obligation

Free, genuine advice

30 minutes chat

Simon McCullagh, founder and lead technician of Digital Orchard IT

Simon McCullagh