
Defending your organisation against phishing attacks  

Introduction

The vast majority of cyber attacks begin with a phishing attempt, and scammers’ methods are becoming increasingly sophisticated. With money, data, and reputation at stake, organisations need to be aware of the threat and take action to minimise their risks. 

The growing phishing threat 

Around 80% of organisations that identified a breach or attack experienced phishing attacks (e.g. by staff receiving fraudulent emails or being directed to fake websites). (Cyber Security Breaches Survey 2022)

Phishing has evolved. Clumsily worded emails from strangers have been replaced by sophisticated communications designed to target businesses. The content is now much more convincing and can deceive the recipient into thinking the email comes from a trusted source. There has been a massive surge in the volume of phishing emails since the launch of ChatGPT; generative AI has given scammers new tools and improved output. Fake emails have become harder to spot and it is more important than ever to have protection and processes in place to reduce the likelihood of a breach. 

Our reliance on email  

Email is a primary communication tool both in the workplace and for individuals, with over 300 billion emails sent every day. It is used to send, share, store and access a variety of sensitive information, documents and correspondence as well as to carry out critical transactions.   

Cybercriminals see our reliance on email as a great opportunity, especially as there are often gaps in security.  

Robust email security is essential to reduce exposure to cyber attacks. Without it, businesses are vulnerable to numerous threats including phishing campaigns, malware attacks and business email compromise attacks. 

Your organisation may be vulnerable to these attacks 

Phishing attacks are usually email-based, although text messages, social media and phone calls are also used. Using an email message that appears genuine and benign, the attacker tricks the user into performing an action (e.g. clicking a link to a malicious website, downloading malware, opening an attachment) or revealing confidential information or passwords. The emails often convey a sense of urgency in the hope that the user will act immediately rather than taking time to reflect, check with others or consult a supervisor. Since the launch of ChatGPT and other generative AI software, the wording of these fake emails has become much more convincing and persuasive, and they have become harder to spot.

Unauthorised access to an email account doesn’t just expose its data and documents. It also provides cybercriminals with a trusted email identity they can use in further attacks. Hackers can use the compromised account to log in to and access other accounts and services. They can also impersonate the account owner to launch attacks against other individuals or organisations.  

Business email compromise attacks use emails to trick the target into sending money or confidential information. For example, if a scammer uses a phishing attack to gain control of an accounts department’s email account, they can then send fake invoices to customers and request payment to a fraudulent bank account. 

Costly consequences 

Cybercrime costs UK businesses billions of pounds every year (in 2011, the government estimated the annual cost at £27 billion and growing). 

Apart from the direct financial loss of any funds stolen, there is also the time and money an organisation must spend to recover from a breach.  

For many organisations, when the computer system is down everything grinds to a halt, leaving businesses unable to fulfil their obligations. 

Breaches that may compromise personal data must be notified to the Information Commissioner’s Office and any adversely affected individuals must be informed. The ICO has stated that “If you don’t take adequate security measures to prevent or contain a serious personal data breach, this could lead to a fine. This is because it’s the law to protect people’s data if you’re a controller.” The fines can be substantial – in 2022, Interserve were fined £4.4 million when they fell victim to a phishing attack. The ICO found that they “broke data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.”

It can be hard to quantify the effect a breach has on an organisation’s reputation. A minor breach may inconvenience customers, while a major breach will have them asking why their personal data was not better protected. Recovering from the associated bad publicity and loss of trust can be challenging, with some businesses forced to close after an attack. 

Reducing the risk of phishing attacks  

To reduce the risk of becoming a victim of a cyber attack, organisations need to adopt a holistic approach to cybersecurity, combining training, processes and technology. Improve your organisation’s security by doing the following: 

1. Implement effective staff training – phishing attacks rely on the human element. To be effective, staff training needs to be properly designed and implemented, and must be checked, e.g. with user tests. Staff manuals and guides are too easily overlooked to be relied on, as are periodic emails recommending vigilance against cyber attacks. Staff training is a topic in its own right; you can read more here: Employee training – your secret advantage in cybersecurity

2. Consider adding an additional spam filter to block more dangerous emails. We employ an advanced system using artificial intelligence to detect and stop cyber threats. It analyses threats in real time to protect against sophisticated attacks including targeted attacks (where a cybercriminal focuses on a specific organisation or individual) and blended attacks (where the attack combines different tactics to try to gain access). We combine this with a web link filter to ensure that internet links contained in incoming emails are safe. 

3. Consider setting up an email banner on inbound email. A banner can alert the user that an incoming email originated outside the organisation, or remind them to think before opening attachments. Some phishing attempts rely on the user rushing to take action – these banners can prompt the user to pause and consider what to do. Of course, some departments routinely correspond with external parties and may find that the majority of incoming emails are flagged, leading to fatigue or desensitisation (and reducing the effectiveness of the warning). This is not a “one size fits all” solution; we can help you find the right balance to ensure effective deployment of email banners.

4. SPF and DMARC – Make sure that SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are set up. SPF and DMARC enhance email security and protect against email fraud and phishing attacks. They are key components of your cybersecurity strategy. SPF acts like a digital ID for business emails. Domain owners publish a list of which mail servers are authorised to send emails on their behalf. The recipient’s mail server checks the list to verify the sender’s identity. This protects your business’s reputation by reducing the chances of a hacker impersonating your company in a phishing email (e.g. sent to your customers). DMARC builds on other security protocols (including SPF) and adds an extra layer of protection. It allows domain owners to specify what should happen to emails that fail security checks like SPF and DKIM (DomainKeys Identified Mail), including phishing emails impersonating your domain. It’s an essential tool in ensuring that your domain isn’t used in phishing attacks (e.g. against your customers). DMARC’s reporting mechanisms give practical information on how an organisation’s email authentication is working, allowing adjustments to be made (e.g. to address any security issues). SPF and DMARC work together to ensure the integrity of email communications. By weeding out fake emails, they reduce phishing attacks, enhance email deliverability and protect your business’s reputation. They play a pivotal role in the fight against email-driven cyber crime.
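To make the SPF and DMARC mechanics in point 4 concrete, here is a small offline check in Python (an added example, not code from the original article or from HBTech). The SPF and DMARC TXT records, domain and IP addresses are constructed samples; it evaluates a sending IP against the SPF record and reads the DMARC policy to decide what a receiver would do with a failing message. Real SPF evaluation also resolves include/a/mx mechanisms via DNS, which is omitted here.

```python
import ipaddress

# Constructed sample DNS TXT records for a hypothetical domain (not real DNS data).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip.
    Handles ip4/ip6 mechanisms and the 'all' terminator only; include/a/mx
    need DNS lookups and are outside this offline example."""
    if not record.lower().startswith("v=spf1"):
        return "none"  # no valid SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to '+' (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]  # 'all' matches everything not matched above
        for prefix in ("ip4:", "ip6:"):
            if term.lower().startswith(prefix):
                net = ipaddress.ip_network(term[len(prefix):], strict=False)
                if ip.version == net.version and ip in net:
                    return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an 'all' mechanism: no verdict


def dmarc_policy(record):
    """Parse the tag=value pairs of a DMARC record (e.g. p=, rua=, pct=)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def disposition(spf_result, dmarc_record):
    """Receiver action for a message given its SPF verdict and the domain's
    DMARC policy. DKIM is ignored here, so SPF alone decides the outcome."""
    if spf_result == "pass":
        return "deliver"
    policy = dmarc_policy(dmarc_record).get("p", "none")
    return {"none": "deliver (report only)", "quarantine": "quarantine", "reject": "reject"}[policy]
```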

Staying ahead 

As cyber criminals employ new tools and develop new strategies, it can become increasingly challenging for organisations to keep up with developments and stay one step ahead. But the expensive consequences of a breach make it imperative that businesses address the threat. With proper staff training and robust email security, your systems are much more secure, significantly reducing the risk of successful cyber attacks. 

If you would like to discuss your cybersecurity strategy with a member of our team, please contact us.


HBTech