Small Business Cyber Resilience Improvement Guide. Part VI – Avoiding phishing attacks.
Part 6 – Avoiding phishing attacks
A phishing attack combines social engineering with technology.
The most common type is an email sent with the intent to obtain privileged information (such as access to various accounts), or one containing links to a malicious website intended to cause harm.
The following are some tips to help you minimise the possibility of becoming a victim of a phishing attack:
- Configure accounts to minimise the impact of a successful phishing attack
- Educate your staff
- Look out for the obvious signs of phishing
- Encourage staff and report attacks
- Stay informed on the latest scams
Configure accounts to minimise the impact of a successful phishing attack
Configure your staff accounts according to the principle of least privilege, giving them the minimum level of access needed to perform their duties. This should limit the damage of a potentially successful phishing attack.
Also, make sure staff do not use accounts with administrator privileges when checking mail or browsing the web. A compromised administrator account can cause much more damage to the system than an ordinary user's account.
Use two-factor authentication (2FA) on sensitive accounts (i.e., email).
Educate your staff
Make sure your staff know the usual ways your business operates so they can recognise unusual communications and behaviour and not fall prey to them.
Do your staff know who your business partners are? It will help them: if they receive an email, especially one with a request for payment, from a company you don't deal with, it should raise their suspicion and they should act with great caution. And did you explain to your staff what to do in such instances? Especially if an email they received is from a company you do business with but does not fit the standard communication pattern? Did you instil in your staff the confidence to ask, 'is this genuine?'
Look out for the obvious signs of phishing
Train your staff to screen emails for potential ‘phishing’ signs. Some of them are:
- Language mistakes – many phishing emails contain spelling, punctuation, or grammar mistakes
- How is the email addressed? – 'friend', 'colleague', 'valued customer' or other generic forms of address can be signs of a phishing attempt
- Does the email put time pressure on you, asking you to act by a certain date or time? – most likely phishing
- Does it sound too good to be true, such as 2.5 MIL USD waiting for you to claim it? – then it most likely is false
Make looking out for phishing part of your business culture.
Encourage staff and report attacks
It is important that your staff know they can come and ask for help, especially if they think they have become a victim of a phishing attack. It is important to take swift steps to verify whether an attack took place so that its effects can be mitigated. And don't punish staff if they fall victim – it might discourage them from reporting similar instances in the future or make them spend so much time verifying emails that it becomes counterproductive.
And if you think that your business has become a victim of online fraud, report it to the police.
Stay informed on the latest scams
Cyber criminals are continuously changing their tactics, so stay ahead of the game by keeping an eye on their latest techniques.
Do you require help with keeping your enterprise safe from phishing attacks?
If you have any questions or require help in connection with securing and protecting your organisation from malicious activities, you are welcome to contact us for advice.
Our services cover such areas as Critical Infrastructure Protection, Cloud Services Security or Audits, and Threat Intelligence. For a full list of our services visit our services page – https://seqred.pl/en/services/
Stay safe rather than sorry!
About this guide
The idea for this guide is based on the Cyber Security Guide for Small Business published by NCSC in November 2018. You can access the guide here.