Laptop User Checking email
Published 11 Apr 2019

Always in the top one or two by frequency of incident, the humble email is still one of the preferred methods of attack by cybercriminals. At the end of 2018 a report by the IRS said they’d seen a 60% increase in phishing attacks.

Cybercriminals Love Email

A phishing attack is an email-based deception that attempts to get you to do something that will, in one way or another, benefit the cybercriminals. The emails will look like they are from familiar companies such as Microsoft Office365, banks, PayPal, Facebook, HMRC, UPS, Amazon and Parcel Force. They try to generate a sense of urgency by giving a deadline or requiring some immediate action to avert some undesirable outcome such as a payment penalty, an account being closed or the end of a special offer. 

Such an email may ask you to log in to an online service to ‘check your credentials’ or ‘reset your account’. They’ll provide a handy link for you to click. Sometimes the email asks you to make an online payment. Other phishing emails try to coerce you into doing something as innocuous as opening an attachment.

All Is Not What It Seems

  • A link in a phishing email will take you to a copy-cat site designed solely for the purpose of harvesting your login credentials. The cybercriminals can then access your real account on the real site. And because some people use the same password on many sites, they’ll try your login credential in many other places as well.
  • Any payments you make will go straight to the cybercriminals, and not to who you think you were paying.
  • Attachments on these emails carry malicious payloads of malware, such as cryptojackers, keyloggers and ransomware.

Which element of your cyber defences are under attack here?

Your Staff Are the Targets

Because so much of what we do in our lives now has some online element to it, and because all businesses have internet connectivity, more of our home life can be managed and organised from work than ever before. This has facilitated a blurring between the business use and the private use of company IT. 

Staff think nothing of jumping onto a browser at work to check personal email accounts, check social media, to check the traffic on their commute, to look up cinema times and buy tickets. The list goes on and on. At home they’ll order goods and specify they should be delivered to their place of work, and they may give out their desk extension as the point of contact.

Scam emails follow trends and seasons. In the run-up to Christmas, the number of private deliveries to business addresses completely escalates. Cybercriminals use this to their advantage, and the blurring of home life activities and work life activities makes it easier for them to manipulate people into making an ill-judged move.

A malicious email campaign mounted in November and December 2019 sent scam emails to business email addresses. Although they were sent to business email addresses they were talking to the recipients about activities related to their home life. The emails looked like Amazon had sent them. They carried a message along the lines of ‘We’ve tried to deliver a parcel several times, we were not successful, please see the attached PDF for details to organise a re-delivery’. 

What Would Your Staff Do?

How many of your staff would have opened the attached PDF? If just one of your staff had clicked on that attachment your business would have been infected by ransomware. 

Staff training is one of the core pillars of good cyber security and it must be an integral part of your cyber defences. Policies state the rules and procedures give best practices. Staff training ensures that your employees understand the relevant documents, what their responsibilities regarding cyber security are, and what they need to do to uphold those policies. 

How We Can Help

Have your staff been given clear, written guidance on what is acceptable and what is not, concerning your IT systems, data and infrastructure? Do they have an Acceptable Use or Fair Usage policy to refer to and guide them? Have they been trained to recognise and correctly handle and escalate the common threat types?

We can help to produce the policies, train your staff, and then perform covert appraisals to identify individuals or teams who need remedial training.