Phishing emails and social engineering
A large proportion of cyber breaches are related to phishing emails and social engineering. These are not technology-related issues but techniques used to exploit individuals and gain access to systems and data.
The attackers often work under the guise of being someone you might know or work with, to try to extract key information. Typically, these attacks are performed using emails (phishing) that purport to be from someone senior in your team or workplace, or from a supplier, asking for usernames and passwords or, more commonly, asking that bank transfers be made to false accounts.
Below is a recent example of a phishing email our team received. As you can see, it claims to be an invoice from a supplier…
This example is a phishing attempt, and everything looked legitimate except the “See your bill here.” link, which redirects to a fake site to collect bank details. It is very easy for someone to click the link and enter bank or account details, but it can take some time for anyone to realise an account or bank account has been compromised.
How it works
The attackers can easily build a picture of a business and identify key personnel. A simple Google search and a look at your company website can probably identify the Directors. Follow this up by completing the contact form on your website (many companies have an automated reply enabled) and they have enough information to craft a phishing email.
The email looks as though it is from a supplier or senior member of staff, and the sender creates a contact that resembles the staff member's or supplier's email address. The email is sent to an individual or a group contact such as accounts@, asking for payment of an invoice with a link to view your bill or statement. It may seem obvious, but businesses have temp staff and new team members who feel they need to process payments as quickly as possible. By the time anyone has noticed, the money has been transferred and you are likely to have difficulty getting it back.
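The sender-impersonation and bill-link tricks described above can be checked mechanically before a message reaches the accounts inbox. The Python below is an added example, not part of the original post or of any HW Technology product; the supplier allow-list, addresses, domains and sample message are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed allow-list of suppliers accounts actually deals with (hypothetical values).
KNOWN_CONTACTS = {"invoices@acme-supplies.example": "Acme Supplies"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike(domain, known_domains, threshold=0.85):
    # Return the known domain this one closely resembles without matching, if any.
    for known in known_domains:
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None

def check_message(raw):
    # Return findings that mark a message as a likely invoice-fraud phish (empty if none).
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    sender_domain = domain_of(addr)
    known_domains = {domain_of(a) for a in KNOWN_CONTACTS}
    findings = []
    # 1. A known supplier's display name on an address we have never dealt with.
    if name in KNOWN_CONTACTS.values() and addr.lower() not in KNOWN_CONTACTS:
        findings.append(f"display name '{name}' used with unknown address {addr}")
    # 2. Sender domain is a near-match (typo-squat) of a real supplier domain.
    near = lookalike(sender_domain, known_domains)
    if near:
        findings.append(f"sender domain {sender_domain} resembles {near}")
    # 3. A 'view your bill' link that leads somewhere other than the sender's domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        link_domain = (urlparse(href).hostname or "").lower()
        if link_domain and link_domain != sender_domain and link_domain not in known_domains:
            findings.append(f"link '{text.strip()}' points to {link_domain}")
    return findings

# Constructed sample resembling the invoice phish described above.
SAMPLE = """\
From: Acme Supplies <invoices@acme-suppiies.example>
Subject: Invoice 4471 - payment overdue
Content-Type: text/html; charset="utf-8"

<p><a href="http://billing-portal.example/login">See your bill here.</a></p>
"""
```

Running `check_message(SAMPLE)` produces three findings (spoofed display name, lookalike sender domain, off-domain bill link); a message from the real supplier address with a link on its own domain produces none.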
What can you do?
The first step to take is to use a good email spam and virus filter; however, remember that the more sophisticated scams can often bypass these solutions.
More importantly, educate your staff – make sure they understand what phishing and social engineering are and that if they are in doubt or are suspicious of anything, to always double check.
Make sure your internal processes include a sign-off stage for any bank payment transactions. You should never allow a single person the authority to make payments and transfers without a sign-off process.
How we can help
HW Technology have a number of services that can help reduce the chances of your business being the victim of a phishing attack. If you would like to discuss how we can help and advise your business on security, please contact us here or alternatively call 0845 504 8989.
To find out more, please call us on 0845 504 8989, or complete our contact form.