So, You Think You’re Safe From Phishing Attacks?
Phishing attacks are a type of social engineering attack in which hackers try to obtain information, or access to systems, by email. They take a number of forms: some contain a link that takes the recipient to a fake website where they enter details that hand the hacker information; some carry malware designed to encrypt files until a ransom is paid for the key that will release them; and some use impersonation, pretending to be someone else in the company in order to defraud the organisation.
Hackers are becoming increasingly sophisticated in their methods of attack, sometimes combining information gleaned from several channels in order to achieve their objective: the breach of your systems.
It may initially sound far-fetched when we say hackers will comb social media profiles, Google companies and compile the information, but this is all relatively easy, not time-consuming, and improves their success rates significantly.
Think your Agency isn’t big enough to attract attention? Think again. Hackers know that smaller companies assume they aren’t significant enough to warrant targeting and are therefore less likely to bother with serious security measures. Hackers also know that smaller companies are less likely to have the in-house skill or the financial wherewithal to adequately protect their systems and their data – and by extension – their customers’ data.
True story (names and identifying details have been changed to protect those involved).
Neil, Managing Director of Best Staff 4U, is going on holiday. At the airport, he takes a photo of his ice-cold beer and posts it on Facebook saying: “Getting the holiday to Rhodes off on the right foot!”
Unfortunately, Neil’s privacy settings aren’t high – so people he doesn’t know can see this post. Hackers see the post and check Neil’s Facebook profile to discover he’s the MD of Best Staff 4U. They also know he’s going on holiday to Rhodes and will be out of the office for a period of time, leaving the business inherently slightly more vulnerable. A quick search on Google shows the Agency has a decent website with lots of recent job vacancies posted. The Meet The Team page shows the key members of staff, their names, their position within the company and all their contact details. A quick email fired off to the ‘enquiries at’ email address sends back an automated response complete with email signature.
The hackers now have all the information they require to send a convincing email purporting to be from Neil. They register an email domain that looks virtually identical to Neil’s and, a couple of days into Neil’s holiday, send an email to Hazel, who is, according to Best Staff 4U’s website, in charge of Accounts. The email reads along the lines of:
Hope all is well in the office, I’m sure it is! Rhodes is amazing, lovely and sunny, around 25 degrees – can’t keep the kids out of the pool!
I forgot to ask you to pay Computers R Us for the new servers and PCs I’ve ordered. Could you transfer £10,000 to this bank account please so we can get this moving sooner rather than later: ***********
Hazel sees the email signature, complete with the image, etc., as per normal. She thinks it’s a bit odd Neil didn’t tell her before he left but he had been quite busy in the run up to taking time off so it’s not surprising. Not wanting to disturb his holiday, she goes ahead and pays the money.
Neil returns from his holiday and questions where the money has gone – and the fraud is discovered. By then, it’s too late.
So, how can you protect yourself from this type of fraud, known as phishing?
- Don’t use social media. If you do, make sure your privacy settings are set to the highest level so only friends can see what you’re up to. Don’t accept friend requests from people you don’t know.
- Have a strict social media policy for staff so they know what they can and cannot say or do on social media with regards to their place of work.
- Educate your staff about the dangers of phishing attacks and how they could fall victim, exposing the whole company. Hackers rely on staff being too busy to spend time checking the provenance of emails, and therein lies a huge vulnerability.
- Install an email security program that spots emails from newly created domains, or emails that show other signs of potential fraud, and automatically quarantines them before they even reach staff inboxes.
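To show what the last point looks like in practice, here is an added example (not code from the original post or from any particular product) of the two checks such a filter applies to the sender’s domain: is it a lookalike of the company’s own domain, and was it registered only days ago? The domain names, registration dates and the date of the check are all constructed for the example; a real filter would take the registration date from a WHOIS/RDAP lookup.

```python
from datetime import date

# Constructed sample data (not real registrations): the agency's genuine domain,
# a stand-in for a WHOIS/RDAP registration-date lookup, and the date of the check.
ORG_DOMAIN = "beststaff4u.co.uk"
REGISTRATION_DATES = {
    "beststaff4u.co.uk": date(2009, 3, 12),
    "beststaff4u-ltd.co.uk": date(2019, 6, 1),   # lookalike, registered days ago
    "beststaf4u.co.uk": date(2019, 6, 3),        # one letter dropped
    "computersrus.example": date(2012, 1, 5),    # unrelated, long-established
}
SAMPLE_TODAY = date(2019, 6, 20)
NEW_DOMAIN_DAYS = 30   # anything registered more recently than this is suspicious

def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the address in a From: header such as 'Neil <neil@example.com>'."""
    addr = from_header
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    return addr.rsplit("@", 1)[-1].strip().lower()

def assess(from_header, today=SAMPLE_TODAY, org=ORG_DOMAIN, registered=REGISTRATION_DATES):
    """Return (sender domain, list of reasons to quarantine); an empty list means deliver."""
    dom = sender_domain(from_header)
    if dom == org or dom.endswith("." + org):
        return dom, []   # the genuine domain; forged use of it is for SPF/DKIM/DMARC to catch
    reasons = []
    if levenshtein(dom, org) <= 2 or org.split(".")[0] in dom:
        reasons.append("lookalike of " + org)
    reg = registered.get(dom)
    if reg is None:
        reasons.append("registration date unknown")
    elif (today - reg).days < NEW_DOMAIN_DAYS:
        reasons.append("domain registered %d days ago" % (today - reg).days)
    return dom, reasons

if __name__ == "__main__":
    for hdr in ("Neil <neil@beststaff4u.co.uk>", "Neil <neil@beststaf4u.co.uk>",
                "Neil <neil@beststaff4u-ltd.co.uk>", "accounts@computersrus.example"):
        dom, why = assess(hdr)
        print(dom, "QUARANTINE" if why else "deliver", "; ".join(why))
```

Run as-is, the genuine domain and the long-established supplier are delivered, while both lookalike domains are quarantined with the reasons listed.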
Even if you think your staff have been educated against this type of cyberattack, allowing these emails to reach their inboxes puts you at risk.
In March 2019, West Sussex County Council decided to test its staff by using a third party to send out fake phishing emails with tempting offers such as cheap or free iPhones. Other emails warned staff members they needed to change their bank details. One set of emails purported to have been sent by the Council, telling staff members they needed to reset their work emails for security purposes. Emails were sent to 886 staff. Despite ‘horribly obvious’ mistakes in either the email address or the body of the text, 611 people opened the emails anyway. Of that number, 285 clicked on the link the email contained. 200 people clicked on the link supposedly sent from the Council even though ‘Sussex’ had been misspelled.
There will be several reasons why people clicked on the links, but there’s a good chance the temptation of a new, free iPhone was just too high. The ‘change your password’ email also carried an urgent call to action. It’s easy to see why some wouldn’t question it, but equally, they weren’t paying enough attention to notice the misspelling of ‘Sussex’.
Your agency falling victim to a phishing attack could lead to disastrously costly consequences: damage to reputation, your clients’ loss of faith in your ability to protect their data, downtime if systems have been locked, loss of data required to keep the business functioning, not to mention the punitive fines imposed by the Independent Commissioner’s Office. Can you afford not to have the right email security in place?
At Westtek Solutions, we make sure your technology works for your business and not the other way around. We have built decades of experience operating as the Technology Success Partner of choice for many of the UK’s leading independent recruitment agencies.
We pride ourselves on the level of service we give to our clients to save them time and money and keep their critical IT systems secure and robust.
If you’re looking for a proactive Technology Success Partner that offers strategic consulting and technical support services to help you maximise productivity, contact Westtek Solutions on 020 3195 0555.
Francis West - Westtek Solutions