How to avoid phishing scams this Cyber Security Awareness Month

As we approach the 10th European Cyber Security Awareness Month, it’s never been more important to ensure that your organisation’s digital landscape is as secure as possible.

Monday, 17th October 2022, by Phil Alsop

Attacks are becoming more complex and costly to rectify, especially as the average total cost of a data breach increased by nearly 10% year over year. This year's campaign, ‘Think Before U Click’ #ThinkB4UClick, focuses on the damages that can come from phishing scams and ransomware attacks. Whilst these might be rudimentary concerns for IT teams, it is worth restating that rigorous cyber security requires everyone with access to a company email to remain vigilant.

‘There’s plenty of phish in the sea’

Phishing attacks, specifically, are still one of the biggest concerns for IT and cyber security professionals, with 75% believing that hybrid work models have expanded the range of attacks and success rate of cyber criminals. Particularly with the new technologies that organisations have had to embrace to adapt during the pandemic, these traditional attack methods can cause huge amounts of damage to digital environments.

Phishing is not a new concept, but in recent years additional complications have developed as cyber criminals get smarter and more sophisticated. Andy Bates, Practice Director for Security at Node4, has noticed that bad actors “can now impersonate you without even hacking into your system. We are all trained (subliminally or actively) to spot a fake email address – when a 0 is used instead of an O, for example – but if a message came from a proper email address, you are much more likely to believe it and fall into their trap”.

“Ransomware and phishing continue to grow in volume, with attacks launched by socio-political groups fighting on either side of the Ukraine war inevitably spilling over into commercial and public sector organisations”, Chris Cooper, Cyber Security Practice Director at Six Degrees, adds. This is a current issue that will require modern solutions to combat as threats evolve, and in an increasingly hostile world, businesses will need to ensure that their staff are prepared.

Get your team hooked

Although these attacks might be damaging, there are steps that can be taken to reduce the impact should the worst happen. Education and awareness of phishing threats should be an integral part of the corporate calendar.

“Today’s environment has made this a necessity for all organisations, no matter the size or tenure. By further educating employees and executive management on the importance of data security and governance, companies can be better protected against potential threats”, suggests Jeff Sizemore, Chief Governance Officer at Egnyte. Although cyber security might not be the most exciting topic to get motivated about, being cyber aware should become a badge of honour, especially when employees understand that they can become the first line of defence for the business.

However, it’s not just down to staff to keep the business secure. Richard Barretto, CISO at Progress, believes that “security leaders should empower and support their IT and Engineering teams to prioritise patching of infrastructure and endpoint devices before malicious threat actors can exploit them”. By scanning incoming emails, internal systems can help to build a picture of current threats and prevent malware from reaching staff inboxes.

John Grancarich, EVP of Strategy at HelpSystems, adds that “at the end of the day, the smarter you can make a system to detect and prevent a threat the safer you and your organisation will be. While phishing attacks are always going to evolve like any threat vector, the more often we can spend that one brief moment clicking 'Report Phish' makes the entire system smarter not just for you but for everyone else as well. A smarter system is a safer system”.

Back to basics

If you’re starting to analyse your security risk for the first time, Gary Lynam, Director of ERM Advisory at Protecht, suggests that companies “should strongly consider the ISO 27000 series of security standards and best practices. The standards offer a systematic approach to information security risk management around people, processes and technology. Smart security practices, risk assessment, compliance management and operational resilience will help businesses minimise attack surfaces and recover quickly if attackers get through”.

Ultimately, the best way to become as secure as possible against phishing attacks is to combine employee advocacy with digital preparedness. As part of your Cyber Security Awareness Month training, the European Cyber Security Awareness Month organisation suggests that you cover key signs of foul play, such as:

1. Poorly written sentences - does the spelling and tone suit what you’d expect from the “source”?

2. Is there a generic greeting? - most scammers will be unlikely to include your name in their emails. Instead, be aware of “Dear Customer” or “Dear Sir/Madam”.

3. Links and attachments are dangerous - cyber criminals often include links or attachments that contain malware. If you’re not sure of the source, don’t click.

4. If you’re unsure, block - if it feels wrong, it probably is wrong. Never reply to suspicious senders, block the address and, if possible, report the email as phishing so future threats can be sent straight to spam.
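The checklist above is written for people, but most of it can also be checked by a mail filter or a SOC triage script before a message ever reaches an inbox. The Python below is an added example, not code from the article or from any of the vendors quoted in it: it scores a parsed message against the generic-greeting, link/attachment and urgency signs, and adds the “0 instead of an O” lookalike-domain check that Andy Bates describes, by folding confusable characters in a sender or link host and comparing the result against a list of domains the organisation trusts. The trusted-domain list and both sample messages are constructed for the demonstration; the heuristics are deliberately simple and will produce false positives (a legitimate domain containing “rn” folds to “m”, for instance), so the output is a triage verdict for a human or a quarantine rule, not a final judgement.

```python
"""Heuristic phishing triage over parsed e-mail fields (added example).

Trusted domains and sample messages are constructed for this demo.
"""
import re
from dataclasses import dataclass, field

# Constructed: domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "corp.example"}

# Characters attackers swap for visually similar ones: the "0 for O"
# trick from the article, plus a few other common confusables.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"))

GENERIC_GREETINGS = re.compile(
    r"^\s*(dear|hello|hi)\s+(valued customer|customer|user|sir/madam|sir or madam|account holder)\b",
    re.IGNORECASE | re.MULTILINE,
)
URGENCY = re.compile(r"\b(URGENT|IMMEDIATELY|ACT NOW)\b")  # all-caps pressure words
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".html", ".zip", ".docm", ".xlsm"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def is_trusted(domain: str) -> bool:
    """True for a trusted domain or any of its subdomains."""
    domain = domain.lower()
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def normalise_domain(domain: str) -> str:
    """Fold confusables so 'examp1e-bank.c0m' and 'exarnple-bank.com' -> 'example-bank.com'."""
    folded = domain.lower().translate(CONFUSABLES)
    for fake, real in MULTI_CHAR_CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def lookalike_of(domain: str):
    """Return the trusted domain this host imitates, or None if it is trusted/unrelated."""
    if is_trusted(domain):
        return None
    folded = normalise_domain(domain)
    # Also catches the trusted name buried in an attacker's domain, e.g. example-bank.com.evil.test
    for trusted in TRUSTED_DOMAINS:
        if trusted in folded:
            return trusted
    return None


def triage(msg: Message) -> dict:
    """Apply the awareness checklist as automated checks and return findings plus a verdict."""
    findings = []
    sender_domain = msg.sender.rsplit("@", 1)[-1].strip("> ").lower()

    # Sign 1 is a judgement call about writing quality; a cheap proxy is shouted urgency.
    if URGENCY.search(msg.subject + " " + msg.body):
        findings.append("urgent/pressuring language")

    # Sign 2: generic greeting instead of the recipient's name.
    if GENERIC_GREETINGS.search(msg.body):
        findings.append("generic greeting")

    # Lookalike sender domain (0 for O, 1 for l, rn for m ...).
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")

    # Sign 3: links to lookalike or untrusted hosts, and risky attachment types.
    for host in URL_RE.findall(msg.body):
        host = host.lower()
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link host {host} imitates {imitated}")
        elif not is_trusted(host):
            findings.append(f"link to untrusted host {host}")
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name}")

    # Sign 4: if it feels wrong, block and report. Two or more hits -> quarantine and report.
    score = len(findings)
    verdict = "block-and-report" if score >= 2 else ("review" if score == 1 else "deliver")
    return {"sender_domain": sender_domain, "findings": findings, "verdict": verdict}


# Constructed sample messages for the demonstration.
PHISH = Message(
    sender="Security Team <alerts@examp1e-bank.c0m>",
    subject="URGENT: verify your account",
    body="Dear Customer,\n\nYour account is locked. Sign in at http://examp1e-bank.c0m/verify IMMEDIATELY.\n",
    attachments=["statement.zip"],
)
LEGIT = Message(
    sender="Payroll <payroll@corp.example>",
    subject="October payslip available",
    body="Hi Alex,\n\nYour October payslip is ready in the HR portal: https://hr.corp.example/payslips\n",
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        print(m.subject, "->", triage(m))
```

Running the script flags the constructed phishing message on all five checks (urgency, generic greeting, lookalike sender, lookalike link host, risky attachment) and lets the payroll message through because `hr.corp.example` is a subdomain of a trusted domain and the greeting uses a name. The verdict thresholds and the confusable table are the knobs a defender would tune against their own mail flow.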

Always have a copy

Finally, whilst it’s best practice to try to prevent the impact of malware, it’s almost impossible to completely remove the risk. Christopher Rogers, Technology Evangelist at Zerto, a Hewlett Packard Enterprise company, notes that “businesses need backup and disaster recovery plans that ensure that they can recover quickly and minimise disruption and data loss - limiting downtime and restoring operations in a matter of seconds or minutes, rather than days or weeks. When it comes to cybersecurity, protection alone is not enough, and a recovery plan should be an essential part of every cyber strategy”.

Overall, we can never truly eliminate the risk of phishing and malware attacks, but by ensuring that both the organisation and its employees are prepared, the impact of these attacks can be significantly reduced.