Secure at work, secure at home
Everyone knows about a scam that they or someone they know, has fallen for. Although we understand by using the internet and digital services, we run the risk of being targeted by cyber criminals, many organizations don’t know where to start.
Attacks which use social engineering can cause harm and it is important to understand what they are and how to spot them.
In this blog, you can find out how you can protect yourself and your business from social engineering, especially phishing.
These scams are usually based on what we call “social engineering” attacks which is a broad term for techniques to trick someone into doing something they wouldn’t normally do, so an attacker can gain information or access computer systems to commit crime.
The most common form of social engineering is phishing. Email is the “front door” for most organizations. Attackers know that most people receive so much email about so many different topics, even the most cyber-aware employees can let their guard slip from time to time.
How to spot phishing emails and how to deal with them?
Phishing refers to fraudulent or fake emails, designed to trigger an emotional response to impair someone’s decision-making. Under pressure, they are more likely to reveal information such as a password or even be tricked into doing something they wouldn’t normally.
Phishing attacks usually happen via email but can also be through text messages, WhatsApp, or even phone calls. Regardless of how or where they happen, having the knowledge and confidence to spot phishing attacks is important to protect you and your business.
An attacker using phishing or other social engineering techniques is seeking to make someone feel emotional or under pressure and may claim to be a reputable source. Your employees should always be cautious if there is a sense of urgency, or if they are being asked to do something they wouldn’t normally do such as login in a different way or transfer money.
Criminals may use online resources such as LinkedIn to learn about employees and your organization and tailor their phishing emails to appear legitimate. It is common for phishing emails to appear as if they are internal emails or “spoofed” to appear to come from a known source, such as a business contact. At first glance, the email addresses will match, but there may be a character out of place, or the details of the sender may reveal an alternative, anonymous address.
Research has shown however that spending too much time considering the specifics as a regular user can be counterproductive as it can lead to confusion and uncertainty. However, it can be helpful to practice looking at emails mindfully as usually there is something about the way the message is conveyed that doesn’t quite feel right. Understanding this is a powerful tool for employees to nurture so that they can respond in slow time and raise any red flags if they feel unsure. If in doubt, report.
Common themes that are used in scams can include:
- Asking the victim to use their business credentials to login via a webpage to access something, such as a file which has been shared.
- Asking the victim to download and install an important update, such as a security patch.
- Collecting a prize or some other unexpected financial gain.
- Scare tactics such as an overdue invoice and the threat of turning off a service.
- Requests to donate to a charitable organization, often following a humanitarian crisis such as an earthquake.
- Open email attachments, which can be hiding viruses or malware
The best way to protect against phishing is to make sure your employees know to expect it and know where to report it. Remember—there is no such thing as over-reporting! Far better to hear about 9 false positives but catch the one malicious email.
Real-world examples are also powerful. If someone reports a phishing attempt, then this can be shared with everyone to both highlight the threat and celebrate someone’s vigilance in reporting it.
What you should look out for
While a phishing attack could come at any time, attackers also use current events and seek to capitalize on external contexts. For example, there is always an increase in attacks around public holidays, elections, natural disasters, health scares, or any other major national or international event.
Although it can feel worrying for employees, you can reduce their uncertainty by letting them know they can report anything they are unsure about and if in doubt, ask.
Some specific things you can highlight to people in your organization are:
- Unsolicited emails, phone calls, or text messages that ask for information.
- Communications, by email or text, that do not include your name, a return address, and include poor grammar, inconsistent spellings, and layout.
- Suspicious attachments—an email that asks you to download an attachment is a common way that a cyber criminal may gain access to your system.
If in doubt:
- Never provide personal information or information about your organization unless you are certain of who you are talking to.
- Never provide personal information in email or click on links sent in an email.
- If you are ever unsure, contact the company directly to verify it.
What to do if you or one of your employees has been a victim of a phishing attack?
If you suspect that you’ve responded to a phishing scam with personal or financial information, take these steps to minimize any damage:
- Report it to your IT team and they or you can change the information which has been revealed. For example, change any passwords or PINs on the account or service that you think might have been compromised.
- If the details are for an external service, then contact the relevant the service provider directly.
- Routinely review your bank and credit card statements for unexplained charges or enquiries that you didn’t initiate.
- Contact the authorities. In the US this is the National Cybersecurity Communications and Integration Center (NCCIC) but most countries will have a similar reporting service.
Receiving counterfeit emails which appear to be from Sage
If you receive an email which appears to come from Sage but makes you suspicious, then please report it to us. To safely report the email you suspect is counterfeit, without opening any attachments or replying to the email, please do the following:
- Create a new email > attach the email you suspect is counterfeit > send the email to [email protected].
- Alternatively, forward the email to [email protected].
Note: Sending the counterfeit email as an attachment is the best way to preserve information which will make it easier for us to trace its origins.
- Employees should know there’s no such thing as over-reporting when it comes to phishing.
- Anything that makes someone feel nervous, anxious, under pressure, or emotional means they should proceed with caution.
- Set strong passwords for personal email and work email. Enable 2-Factor-Authentication or 2FA on all accounts.
As more services move online, it is becoming increasingly important to empower yourself and your employees with cyber security knowledge, and what you and they can do to protect your business.
In our Trust and Security Hub, you can explore essential advice on how to be secure at home and at work, before incidents occur.