Consistently at or near the top of incident statistics, the humble email remains one of cybercriminals' preferred attack methods. At the end of 2018 a report by the IRS said they had seen a 60% increase in phishing attacks.
A phishing attack is an email-based deception that attempts to get you to do something that will, in one way or another, benefit the cybercriminals. The emails will look like they are from familiar companies such as Microsoft Office365, banks, PayPal, Facebook, HMRC, UPS, Amazon and Parcel Force. They try to generate a sense of urgency by giving a deadline or requiring some immediate action to avert some undesirable outcome such as a payment penalty, an account being closed or the end of a special offer.
Such an email may ask you to log in to an online service to ‘check your credentials’ or ‘reset your account’, and it will provide a handy link for you to click. Sometimes the email asks you to make an online payment. Others ask you to do something as seemingly innocuous as opening an attachment.
Which element of your cyber defences is under attack here?
Because so much of daily life now has an online element, and because every business has internet connectivity, more of our home life can be managed and organised from work than ever before. This has blurred the line between business use and private use of company IT.
Staff think nothing of jumping onto a browser at work to check personal email, check social media, check the traffic on their commute, or look up cinema times and buy tickets. The list goes on. At home they order goods and specify delivery to their place of work, and they may give out their desk extension as the point of contact.
Scam emails follow trends and seasons. In the run-up to Christmas, the number of private deliveries to business addresses rises sharply. Cybercriminals use this to their advantage, and the blurring of home-life and work-life activities makes it easier for them to manipulate people into an ill-judged move.
A malicious email campaign mounted in November and December 2019 sent scam emails to business email addresses. Although sent to work addresses, the emails addressed recipients about their home life. They looked as though Amazon had sent them, and carried a message along the lines of ‘We’ve tried to deliver a parcel several times, we were not successful, please see the attached PDF for details to organise a re-delivery’.
How many of your staff would have opened the attached PDF? If just one of your staff had opened that attachment, your business could have been infected by ransomware.
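The tell-tale signs described above (a familiar brand name on an unfamiliar sending domain, a Reply-To that goes somewhere else, urgency language, a link whose visible text does not match where it points, and an unsolicited attachment) can be checked mechanically. The following is an added example, not code from the original page or from any product it describes: a small Python script using only the standard library that parses a raw email and lists the indicators it finds. The two messages are constructed for the example, use the reserved .example domain, and are modelled on the delivery lure rather than taken from any real campaign; the phrase and brand lists are assumptions and are heuristics, not a complete detector.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the delivery lure described above. Domains use
# the reserved .example TLD; nothing here is taken from a real campaign.
SAMPLE_EML = b"""From: "Amazon Delivery" <notice@amaz0n-delivery.example>
Reply-To: claims@parcel-claims.example
To: staff@company.example
Subject: Final notice: your parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>We tried to deliver your parcel three times. Action required within
24 hours or the item will be returned.</p>
<p><a href="http://login.amaz0n-delivery.example/verify">https://www.amazon.co.uk/your-orders</a></p>
--b1
Content-Type: application/pdf; name="redelivery.pdf"
Content-Disposition: attachment; filename="redelivery.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign internal message for comparison.
CLEAN_EML = b"""From: "Pat Example" <pat@company.example>
To: staff@company.example
Subject: Minutes from Tuesday's meeting
Content-Type: text/plain; charset="utf-8"

The minutes are in the shared folder. Let me know if I missed anything.
"""

# Assumed heuristic lists; tune them for your own mail.
URGENCY_PHRASES = ("final notice", "action required", "within 24 hours", "immediately",
                   "will be closed", "will be suspended", "will be returned", "last chance")
BRANDS = ("amazon", "paypal", "microsoft", "office365", "hmrc", "parcelforce", "facebook")
RISKY_EXTENSIONS = {".pdf", ".doc", ".docm", ".xls", ".xlsm", ".zip", ".iso", ".html", ".htm", ".js", ".lnk"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text: str) -> bool:
    return bool(re.fullmatch(r"(https?://|www\.)\S+", text.strip(), re.IGNORECASE))


def phishing_indicators(raw: bytes) -> list[str]:
    """Return a list of human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Brand name in the display name but not in the sending domain.
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    for brand in BRANDS:
        if brand in display_name.lower() and brand not in from_domain:
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")
            break

    # 2. Replies routed to a different domain than the apparent sender.
    reply_domain = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Walk the MIME tree once, collecting text, links and attachment names.
    text_parts, links, attachments = [str(msg.get("Subject", ""))], [], []
    for part in msg.walk():
        if part.is_attachment():
            attachments.append(part.get_filename() or "")
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            collector = LinkCollector()
            collector.feed(html)
            links.extend(collector.links)
            text_parts.append(re.sub(r"<[^>]+>", " ", html))
        elif ctype == "text/plain":
            text_parts.append(part.get_content())

    # 3. Urgency language in subject or body (whitespace normalised so phrases may wrap).
    text = re.sub(r"\s+", " ", " ".join(text_parts)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Visible link text that is a URL on a different host than the real href.
    for href, visible in links:
        if _looks_like_url(visible) and _host(visible) != _host(href):
            findings.append(f"link text shows {_host(visible)} but points to {_host(href)}")

    # 5. Attachment of a type commonly used to carry a malicious payload.
    for name in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment of a type used to carry malware: {name}")

    return findings


if __name__ == "__main__":
    for label, raw in (("sample lure", SAMPLE_EML), ("clean message", CLEAN_EML)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

Run against the constructed lure it reports all five indicators; against the clean internal message it reports none. The brand check is deliberately crude (it only catches a brand name that is missing from the sending domain, so a look-alike such as a brand name followed by a hyphen and another word passes), which is why a tool like this supports, rather than replaces, the staff training discussed next.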
Staff training is one of the core pillars of good cyber security and must be an integral part of your cyber defences. Policies set the rules and procedures describe best practice. Staff training ensures that your employees understand those documents, know what their cyber security responsibilities are, and know what they must do to uphold the policies.
Have your staff been given clear, written guidance on what is acceptable and what is not, concerning your IT systems, data and infrastructure? Do they have an Acceptable Use or Fair Usage policy to refer to and guide them? Have they been trained to recognise and correctly handle and escalate the common threat types?
We can help to produce the policies, train your staff, and then perform covert appraisals to identify individuals or teams who need remedial training.