It’s no exaggeration to say that phishing attacks are probably the biggest cyber security risk facing your business today.

The UK government’s annual Cyber Security Survey found that phishing attacks made up 86% of all business cyber attacks in 2022. And considering that nearly one in two businesses was the victim of a cyber attack last year, this is an issue that can’t be ignored.

That’s why we’ve written this article: to show you how to spot a phishing e-mail and give you the exact steps to stay protected.

To start, we’ll define some key terms, as it’s important to understand the topic properly. We’ll keep the jargon to a minimum, and wherever a technical term is used, we’ll explain it in plain language.

What is phishing?

Phishing is an e-mail-based form of cyber attack in which cybercriminals try to trick you into handing over sensitive information such as login credentials or personal data. These e-mails will often pretend to be from a legitimate company, or even from someone you know personally.

What is spear phishing?

Spear phishing is a targeted form of phishing attack. The fraudster uses specific information about you or your organisation to make the request appear far more genuine and convincing.

What is whaling?

Whaling is the third type of phishing attack and probably the most dangerous. It targets senior members of a company in order to gain access to highly confidential information or to authorise large payments. Like spear phishing, these attacks are usually more carefully researched and planned, and are therefore much more convincing.

Examples of phishing

The most common types of phishing are standard phishing, spear phishing and whaling. The e-mails may appear to come from an individual or from a company.

How to spot a phishing email

It’s vitally important to know how to spot a phishing e-mail. If you see any of the following red flags, be very cautious before revealing any information.

1. Incorrectly spelt email addresses

This is the most basic form of e-mail phishing: someone creates an e-mail address that is very similar to a legitimate one, apart from a slight typo or spelling difference. Be aware that this check isn’t foolproof, as e-mails can be ‘spoofed’, which means the sender address looks identical to the genuine one. In that situation, you need to check for the other red flags listed below.

2. Poor grammar or spelling

You receive e-mails from your clients, colleagues and the businesses you work with on a regular basis, and you become familiar with how they sound over e-mail. If you receive an e-mail that doesn’t “sound” like the sender, or that has unusual spelling and grammar mistakes, this could be a sign of a phishing attack.

3. Requests for login details or sensitive information

If you’re ever asked for your login credentials or personal information via e-mail, this is an immediate red flag. Almost no legitimate business will request this type of information over e-mail.

4. Forced urgency and scarcity

Be very wary of any e-mails that push you to act immediately, or that use pressuring language to force you into a decision before you’re ready.

5. Requests for transfer of funds

Finally, be extremely cautious of any financial requests made by e-mail. Any time someone asks in an e-mail that you transfer money to an account, especially a new account, the request should always be verified first. Ideally, speak to the sender yourself and get internal confirmation from your finance team. If the sum of money is in the hundreds or thousands, it’s even more important to have the right checks in place.
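As an added illustration of red flag 1 (this is not code from the original article), the following Python check compares a sender’s domain against a constructed allowlist of domains you genuinely deal with. It folds accents, punycode and look-alike characters before measuring the edit distance, so it goes a little beyond simple typos; the domain names, confusable table and distance threshold are assumptions for the example.

```python
import re
import unicodedata

# Constructed allowlist: domains this business genuinely receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "ourcompany.co.uk", "supplier.com"}

# Characters easily mistaken for letters on screen (a small, illustrative subset).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l"})


def decode_idna(domain):
    """Turn punycode labels (xn--...) back into Unicode so accents can be stripped."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode: compare as-is


def normalise_domain(domain):
    """Lower-case, strip accents and fold confusables; trusted domains get the same."""
    decomposed = unicodedata.normalize("NFKD", decode_idna(domain).lower())
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, domain): verdict is trusted, lookalike, unknown or invalid."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid", None
    raw = m.group(1).lower().rstrip(".")
    for t in trusted:
        if raw == t or raw.endswith("." + t):
            return "trusted", t  # the domain itself or a genuine subdomain of it
        if t + "." in raw:
            return "lookalike", t  # trusted name buried inside a different domain
    scored = [(levenshtein(normalise_domain(raw), normalise_domain(t)), t) for t in trusted]
    distance, closest = min(scored)
    if distance <= max_distance:
        return "lookalike", closest  # near miss: verify the sender out of band
    return "unknown", raw
```

A ‘lookalike’ verdict is a triage signal for a human to verify the sender by another channel, not proof of fraud; a short threshold on short domains will produce some false positives.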

How to protect yourself against a phishing attack

Now you know what to look for when trying to spot a phishing attack. The next step is to put effective prevention measures in place to make sure you’re fully protected.

1. Training

The best protection always starts with being fully informed. Make sure your staff know how to spot a phishing attack and receive regular training to keep their knowledge up to date. Sharing this blog is a good start! For specific training recommendations, we really like Phishline, a program that sends simulated phishing e-mails to see whether your staff can tell the difference between a real and a fake e-mail.

2. Use unique passwords

Using unique passwords won’t prevent phishing attacks by itself, but it will certainly minimise the damage if any of your accounts are compromised. Be sure to use a strong and unique password for every login.

3. Good company processes

Good company processes are a vital part of strong e-mail security, and of security in general. An example could be ensuring that all requests for sensitive information, or for money transfers over a certain amount, are always authorised by senior management.

4. Two-Factor Authentication

As with good password practices, putting Two-Factor Authentication (2FA) in place will make your accounts more secure. This means that even if your e-mail is compromised, an attacker still won’t gain access to your account without your second method of authentication, such as a code or an app.

Choosing the right email security solution for your business

The final stage is to make sure your business has an adequate e-mail security suite in place.

At a baseline level, this will consist of a good email filtering solution and up-to-date anti-virus on your devices. Regarding email filtering, we recommend Barracuda’s cloud-based email protection.

If you’re interested in more advanced phishing protection, we recommend Barracuda Sentinel. It uses advanced AI to block more phishing attacks and offers an even stronger level of protection against phishing than email filtering alone. Contact us if you’d like to see how it works.

Summary

You should now be in a much better position to not only spot phishing attempts but also prevent them in the first place. Remember, the best form of prevention is a good mix of training, awareness, internal systems and technical solutions.

If you need help protecting your business against phishing, or would like to discuss anything raised in this article, get in touch and we’ll be happy to help guide you on the path to email safety.