While an organisation’s employees are its most valued asset, they are also, potentially, its weakest link in the area of IT security defence framework(technology, policy enforcement, and people behaviours), and their current capability to protect, defend, and respond to such threats coming into their organisation via email. Cybercriminals target employees at every organisational level, and those who are not aware of their tactics and means can easily and innocently fall for them. Such is the case of these organisations that we encountered previously:
- An international and very high profile government authority suffered a very serious phishing attack. Their finance team received two invoices from separate supplier entities via email, both of which looked very authentic with electronic funds transfer details and links. The problem was that the invoices were from corporate entities that were subsequently identified as being fake and setup by bad actors, and this regrettably occurred only after the invoices were paid and funds transferred. The government entity unfortunately suffered serious financial losses of approximately US$300,000.
- An Australian organisation risked losing approximately AUD$1,000,000 after their bank received an email seeking release of funds for a supplier to a nominated bank account. The email seemed to come from this organisation but their bank’s fraud detection systems identified anomalies with the email domain format of the senders of both invoices. The organisation’s bank checked with them to verify if their instructions were true and valid. Fortunately, they both came to a realisation that it was a scam email and attempted fraud, and stopped the release of the funds to the bad actors.
- Our final story involves another Australian organisation where their business IT operations completely stood still for three weeks after a ransomware request followed a successfully executed malicious and destructive phishing attack via email against them. This attack brought their critical corporate IT infrastructure to its knees and eliminated all access by staff to applications and systems for the 3 weeks until the situation was resolved with the bad actors.
Cybersecurity threats, in general, pose real and serious risks to all businesses today, including but not limited to:
- Financial loss from substantial fines to government regulatory authorities for security related compromise events.
- Temporary or permanent loss of valuable business data and identity theft.
- Operational disruption and staff productivity losses.
- Damage to one’s organisational brand reputation and public image.
These risks can happen to your business as a result of a malicious email that your people probably wouldn’t know or identify as suspicious, even if it is right in front of them. A small effort towards education and making your people aware of how to spot a phishing email will go a long way towards reducing the risk of occurrence and further securing your IT operations environment.
What is Phishing?
According to Microsoft, phishing is an attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communications that often look to be official from legitimate organisations (commercial, government, not-for-profit, education) or individuals. It is a practice used by cybercriminals to entice users to reveal personal information like passwords or payment details which they seek to profit from commercially. Common phishing techniques use invoice phishing, payment or delivery scams, file downloads, or those that deliver threats such as ransomware in the email attachment.
How to detect a Phishing Email
The key to prevention is awareness and education, so we’re sharing with you some of our pointers on how to spot a phishing email:
Unusual, urgent request
Does the email message ask you to perform an unusual activity like changing your password or updating your bank information? Does it require you to take urgent action for a strange request? If it smells “phishy”, it must be! Banks and many authentic organisations do not typically ask for personal credentials via email, so do not give them up that easily.
Suspicious links or attachments
Think before you click. Be wary of misspelt website domain names or bizarre links. Check that the link will go to a legitimate website by hovering over it first. Do not open abnormal links or attachments until you can verify them with the sender by calling them.
Dubious sender
Does the “From:” field have a matching email address? Legitimate companies would normally use matching sender name and business email. In the sample below, the sender’s name is ‘Yahoo business Email’ but it goes to psmc_jdcantillo[a]yahoo.com.
Badly written email
Phishing emails typically contain odd phrases and grammatical errors. Badly written emails like the one below coming from a well-known corporate or government entity brand is one of the sure signs of a phishing email.
What to do when you encounter a phishing email
Being overly cautious is better than having regrets in the future for not taking action. Don’t ever hesitate to report to your IT department a suspicious-looking email. You may also contact the sender by calling them on the phone to confirm.
If you are using Office 365, you should turn on its built-in Multi-Factor Authentication (MFA) function for additional security and safety. Back up your data so you still have a copy of your files in case you fall victim to a phishing trap.
Need assistance with a cybersecurity incident or to broaden and deepen your defences? Contact Professional Advantage today and our Security Specialists will be in touch.