Email Phishing Defence for UK Businesses

The threat of phishing

There is an urgency for every business to protect itself from phishing, the most dangerous cybersecurity threat. Proper safeguarding demands a multi-layered set of mitigations to increase the resilience of your organisation against phishing attacks while minimising disturbance to employee user productivity. The defences outlined in this blog article can protect your organisation from other types of cyberattacks as well and will increase its overall resilience.

Phishing awareness is essential for everyone, at work or at home. You will learn about spear phishing, and related forms of attack, as well as basic steps to protect your business from hackers. These crooks want your financial information, and your credit card numbers, along with sensitive information and other key credentials. Even your phone number has value in the wrong hands.

This advice is intended for the technology, operations, or security employees who oversee creating and implementing defences, and it is relevant also to personnel in charge of phishing training. Additional information for small businesses can be found in the UK NCSC’s Small Business Guide. The mitigations described in this guidance necessitate a mix of technological, procedural, and human-centred strategies. To be truly effective, your defences must be viewed as a whole. For instance, if you want to encourage people to report suspicious emails, you must support that with a technical method of doing so and a procedure that will enable you to promptly respond to the emails that people report.

What is phishing?

Phishing is the act of an attacker trying to get a user to do “the wrong thing,” such as opening a malicious link or visiting a dubious website. Just one member of staff clicking on an attachment loaded with malware can cause the entire business operation to be paralysed. With cyber-attacks increasing by 400% throughout the pandemic, there’s a real sense of urgency in every boardroom.

Phishing can occur via an SMS text message, social media, or phone calls, although the phrase is most frequently used to refer to attacks that come in the form of emails. Phishing emails can directly reach millions of users and can blend in with the countless good emails that busy users receive. Attacks can destroy systems, steal money and intellectual property, or install software (like ransomware).

A successful phishing scam

Any organisation can be victimised by phishing emails. It could be the start of a targeted attack on your business, where the purpose could be something much more specific, like the theft of important data, or it could be a mass campaign where the attacker is just trying to gather some new passwords or earn some quick money. In a targeted campaign, such as with spear phishing, the hacker can make use of information about your personnel or business to increase the persuasiveness and realism of their claims. Let’s look at this in more detail:

Phishing: Company Impersonation
The most prevalent type of phishing involves attackers pretending to be your company. Typically, this is done using an email address that is linked to a domain that is extremely similar to the target business (for example, “first.name@amazon-support”). Because you won’t be aware of it until someone falls for it or alerts you, it is also a challenging attack for businesses to defend against.

Phishing: Spear Phishing
Spear phishing is a technique that impersonates a real company while also using crucial information about the target. A representative locates the name, job, usernames, and other metrics and adds that in an email pitch, just like in sales. The same tokens are found by attackers, who utilise them to lure other victims into their trap. It’s a potent method of attack.

Phishing: Email Account Hijacking
Every member of your management and executive team is at risk. If a phishing scammer obtains the email credentials of prominent leadership, it is likely that they would use those credentials to target anybody they can. Colleagues, team members, and even consumers (if they’ve already obtained this information through hacking) could be targets. No wonder login credentials need strong policies.

Phishing: Scam Emails
Email phishing fraud uses emails, just like the email account takeover scam. The key distinction is that phishing scammers employ email addresses that closely mimic those of real people, businesses, or organisations. The email will ask the recipient to do one of the following: click a link, change their password, provide money, reply with private information, or open a file attachment. Educating users as to how they can verify that the URL or domain name isn’t fake is notoriously difficult.

Phishing: Phone Fraud
Scammers once more pretend to be businesses by using Voice over Internet Protocol (VoIP) technology. To acquire a better understanding of the broader fraud, this method also uses other phishing tactics, such exploiting targets’ personal information and posing as firm employees (like the CEO). Company credit card details can be exposed, or fraudulent invoices expedited and paid. The dangers are even worse if a corporate instant messaging platform has been compromised.

Hackers can also spoof a mobile phone number, so even an SMS message from a known contact, perhaps a company director, will be coming from the hacker.

How to protect your business from phishing

The mitigations discussed here are mostly aimed at minimising the effects of phishing attacks within your organisation, but they also contain certain steps that will assist safeguard the entire UK. For instance, DMARC configuration prevents phishers from impersonating your domain (that is, making their emails look like they come from your organisation). There are a lot of advantages to doing this, including:

• Genuine emails from your own company are more likely to be opened by the receivers and not be flagged as spam.
• No company wants to be associated with fraud and scams from a reputational standpoint.
• Your connections (such as partners, customers, and suppliers) will gain from it if you urge them to register their information with DMARC. This can offer you a lot more confidence that the email genuinely originates from the location you believe it to.

Using a multi-layered approach against phishing

Users’ ability to recognise phishing emails is frequently the only factor in typical defences against phishing. This strategy will only be somewhat successful. You should instead broaden your defences to include additional technical safeguards. This will increase your resistance against phishing assaults without interfering with your users’ ability to work effectively. There will be numerous opportunities for you to recognise a phishing attempt and put a stop to it before it causes damage. To prepare for incidents and lessen the harm done, you also accept that some attacks will succeed.
A four-tier phishing defence

1. Ensure it’s challenging for attackers to access your users
2. Assist people in recognising and reporting phishing emails
3. Defend your business from the effects of phishing emails that go undetected.
4. Immediately address incidents

In the circumstances of your organisation, some of the suggested mitigations might not be practical. Try to address at least some of the mitigations from within each of the levels if you can’t implement them all. The following infographic provides a summary of the mitigations inside each layer.

1. Defensive steps to counter phishing

A company can protect itself from phishing in several ways. They must keep up with how phishing is done now and make sure that their security policies and solutions can keep up with new threats. Just as important is making sure their employees know what kinds of attacks they could face, what the risks are, and how to deal with them. The best way to protect your business from phishing attacks is to make sure your employees know what to look out for and that your systems are secure.

1. Train your employees with phishing simulations.
2. Install a SPAM filter that detects viruses and blank senders.
3. Patch and update all systems regularly.
4. Install antivirus, update signatures, and monitor all equipment.
5. Create a password expiration and complexity policy.
6. Web filter malicious websites.
7. Encrypt company data.
8. Convert HTML emails to text or disable them.
9. Teleworkers need encryption.

2. Teaching your staff to recognise phishing

Because they are so clever, socially engineered phishing emails often get past email filters. They have the right Sender Policy Frameworks and SMTP controls to pass the front-end tests of the filter, and they are rarely sent in bulk from IP addresses that are on a blacklist so that they don’t get blocked by Realtime Blackhole Lists. Because they are often made by hand, even advanced email filters with Greylisting capabilities might not catch them.
But phishing emails often have things in common. For example, they are often made to make people feel things like curiosity, fear, greed, or sympathy. If the workforce is told about these signs and what to do when a threat is suspected, the time spent training the workforce on how to spot a phishing email can stop attacks and prevent the attacker from getting into the network.

Emails that demand action right away
Emails that say something bad will happen or an opportunity will be lost if you don’t act quickly are often phishing emails. This is a common way for attackers to get people to act before they’ve had a chance to look over the email for flaws or inconsistencies.

Emails with bad spelling and grammar
Bad grammar and spelling are another way to tell if someone is trying to scam you. By default, many companies use spell-checking tools on emails that are sent out to make sure that the grammar is correct. People who use email clients which run within web browsers use features like autocorrect and highlighting, so poorly written communications should be regarded with suspicion.

Emails with a greeting or salutation that they don’t know
When co-workers send each other emails, they usually use a casual greeting. Those that start with “Dear” or have phrases that aren’t often used in casual conversation are likely from people who don’t know how your office works and should make you suspicious.

Email addresses, links, and domain names that don’t match up
Find inconsistencies in email addresses, links, and domain names is another way to spot phishing. Does the email come from a company with which you often talk? If so, compare the sender’s address with addresses on other emails from the same company. Look at what comes up when you move the mouse pointer over a link to see if it is real. If an email claims to come from, say, Google, but the domain name says something else, you should report it as a phishing attack.

Suspicious Attachments
Most file sharing at work now happens through tools like SharePoint, OneDrive, and Dropbox that help people work together. So, internal emails with attachments should always be treated with suspicion, especially if they have an extension that you don’t recognise or that is often associated with malware (.zip, .exe, .scr, etc.).

Emails that ask for login information, payment details, or sensitive information.
Always be careful with emails from unknown or unexpected senders that ask for login information, payment information, or other sensitive information. Spear phishers can make fake login pages that look like the real ones and then send an email with a link to the fake page. When a recipient is sent to a login page or told that a payment is due, they shouldn’t enter any information unless they are 100% sure that the email is real.

Emails that are too good to be true
Emails that seem too good to be true are those that try to get the recipient to click on a link or open an attachment by saying there will be some kind of reward. If the email comes from someone you don’t know or if you didn’t ask for the email, it’s probably a phishing email.

3. Defend your business from phishing

Preventing cyberattacks is now one of every company’s top priorities. It will be less likely for cybercriminals to phish unsuspecting recipients using your identity if you protect your company from brand abuse. In this manner, you can protect your clients’ information and uphold a stellar reputation with them.
Intrusion detection software is a priority, as is a modern platform to filter dubious emails before they reach employees.

You should also take steps to be more watchful of how others use your branding online, even though it is difficult to completely prevent theft or other unauthorised uses of your branding. Your business can keep an eye out on the Internet for copyright violations of your brand by other businesses or even imitators of your branding. Additionally, you can set up alerts so that you get emails whenever someone makes a new website that misappropriates your brand.

4. Immediately address phishing incidents

The reporting centre for fraud and cybercrime in England, Wales, and Northern Ireland is called Action Fraud. It gathers information about fraud and sends it to the National Fraud Intelligence Bureau for police analysis.
You can call Action Fraud at 0300 123 2040 or report it online if there has been an attempt to steal your money or personal information. If you reside in Scotland, you can contact the police directly by dialling 101 to report a scam.

You can also contact the police by dialling 101 if your money was stolen because of a scam. Even if the con artists were unsuccessful, you can still report a scam attempt.
Even though not every report prompts a police investigation, any details you provide will aid in painting a more accurate picture of how scams operate and their perpetrators.