How to protect your business from phishing scams?

Phishing scams are one of the most common types of cyber-attack. Here’s how to protect your business from a phishing attack.

What is a Phishing Scam?

It’s a type of cyber attack that uses fake emails or text messages to trick people into divulging sensitive information, such as passwords or bank details. Scammers then use that information to get into your computer systems and business records, or as a foothold for other attacks such as ransomware. Some phishing attacks skip the data theft altogether and simply try to convince the target to transfer money directly to the attacker.

How do they work?

Most phishing messages try to trick the reader into believing they come from a reputable source. Some of the most commonly impersonated are:

  • Banks or credit card companies, like American Express, HSBC or NatWest
  • Payment services like Paypal, Visa or MasterCard
  • eCommerce sites like Amazon
  • Entertainment services like iTunes, Spotify or Netflix

They do this by copying the company’s branding, such as its logos and email layout, so that the message looks legitimate. The message usually asks the reader to click a link or to call a telephone number, both of which lead to the scammers and let them harvest sensitive information. The attackers then either use that information themselves or sell it on to other criminals.

Types of phishing attacks

Email phishing

This is where scammers send the same email to large numbers of recipients in the hope that some will divulge sensitive information. Email phishing is one of the oldest forms of phishing, but it is still very common and still works. It is frequently combined with other types of phishing or cyber attack, and is often the way scammers identify targets for follow-up attacks.

SMS phishing or SMiShing

This is where scammers use text messages or other direct messages rather than email. The messages are usually brief and designed to panic you into clicking a link to a fake website or replying with sensitive information. They are often dressed up as an alert or warning urging you to act, or as a confirmation of a transaction that never happened.

Voice phishing or Vishing

This is where scammers either:

  • Direct you to call a scam telephone number
  • Call your phone number

Vishing often uses recorded messages designed to cause panic and get you to act without thinking. For example, the message might say something like:

“We’ve detected fraud on your credit card and blocked your account. Please call this number immediately.”

Once they have you on the call they pretend to be from a legitimate organisation, such as your credit card company, and talk you into handing over the information they are after. Never ring back on a number given in the message itself; use the number printed on your card or published on the company’s own website. In 2019 a string of Metro Bank customers received vishing calls impersonating the bank, and one business customer lost £90,000 from their account as a result.

Domain phishing

This is where a scammer registers a domain name very similar to a legitimate one (a misspelling, an extra word, or a different ending) and builds a fake website on it. Domain phishing is usually paired with email, SMS or voice phishing to steer you to the fake site so that you hand over your details there. The fake sites are made to look as close to the real thing as possible to avoid arousing suspicion.

Whaling

This is a targeted attack on business owners and senior executives, typically:

  • CEOs
  • CFOs
  • COOs

The aim is usually to get the target to authorise a large wire transfer to the attacker, or to share high-value business information. Whaling is often harder to detect because the attacker invests more time in it, building convincing fake websites and researching the target, for example through their social media accounts. In 2016 Snapchat fell victim to a whaling attack when a member of staff shared HR information in response to a fake email impersonating its CEO, Evan Spiegel. A simple defence is to confirm any unusual payment or data request with the apparent sender through a second channel, such as a phone call to a number you already hold, before acting on it.

How big a problem are phishing scams?

Phishing has been around for a long time and there is little sign of it dying out; if anything it is becoming a bigger problem. The FBI’s 2018 Internet Crime Report estimated U.S. victim losses from phishing at over $48 million, and that counts only the cases reported to its Internet Crime Complaint Center (IC3). Phishing attacks can also target almost anyone, from SMEs to global multinationals, so whatever the size of your business it is worth taking precautions.

How to protect your business?

Phishing attacks are evolving all the time, but there are steps you can take to protect your business. One of the best defences is training your staff to spot them, whether you do that yourself or bring in expert help.

Human error remains one of the biggest contributors to a successful phishing attack: it only takes one member of staff to make one mistake for criminals to get access to your data. Training lowers the odds of that mistake but will not eliminate it, so back it up with technical controls, such as multi-factor authentication on email and finance systems so that a stolen password alone is not enough, and make sure staff know how to report a suspicious message quickly. You can find a list of training schemes that have been assessed and vetted by GCHQ on the GCHQ website. We’ve also pulled together a step-by-step guide on cyber security and data breach prevention to help you limit the risk as far as possible.

Does cyber insurance cover phishing scams?

Yes, most policies offer cover if your business falls foul of a phishing attack. A cyber insurance policy won’t stop or reduce your chances of being hit by a phishing attack, but it could prove financially essential if the worst does happen. A decent cyber insurance policy should cover you for:

  • Revenue loss
  • Legal fees
  • Reputational damage
  • Loss of staff

For example, if your business were forced to stop trading after an attack, your cyber insurance policy would pay for the lost income, so you’re not left out of pocket. Equally, if a cyber criminal accessed your customer records following a phishing attack, you could be sued.

Here a comprehensive cyber policy would absorb the cost of your defence and potentially any compensation payments you have to make. Read our guide, what does cyber insurance cover, for a more detailed look at the protection a comprehensive cyber policy could offer your business.

Phishing FAQs

How can I spot a phishing email?

Phishing emails come in all shapes and sizes, but some things to look out for are:

  • Poor spelling and grammar. Not all phishing emails are poorly written, but many still are, so if there are any simple errors be extra cautious.
  • A sense of urgency, e.g. saying money has been taken from your account.
  • Suspicious attachments, e.g. fake invoices for purchases you have not made.
  • Links trying to get you to click through to a phishing site, e.g. “Your verification has failed, click below to resolve the issue.”
  • Sender email addresses set up to mimic well-known brands, for example paypal@fakemail21.com.
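
A first-pass check for the indicators above, and for the look-alike domains described under domain phishing, as an added example that is not part of the original article. It parses a raw email, compares the brand named in the display name or local part against the domain the mail actually comes from, flags link targets that trade on a brand name without being one of that brand’s domains, flags links whose visible text names a different site than the one they point to, and notes urgent wording. The brand-to-domain list, the urgency phrases, the homoglyph table and the registrable-domain rule are illustrative assumptions, and the two sample messages are constructed for the demo. It is a triage heuristic of the kind a mail team might run before a human looks at a message, not a replacement for a mail filter.

```python
"""Heuristic phishing-indicator check for a raw email. Added example, not the article's code."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands staff expect mail from, and the domains they really send from.
KNOWN_BRANDS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
}
URGENCY_PHRASES = ("immediately", "urgent", "suspended", "blocked",
                   "within 24 hours", "verification has failed")
# Digits commonly swapped in for letters when registering look-alike domains (assumed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(text: str) -> str:
    """Lower-case and undo common look-alike substitutions (PayPa1 -> paypal)."""
    return text.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    """Crude registrable domain: last two labels, or three for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "com", "org", "gov", "ac", "net"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_mismatch(text: str, host: str):
    """Brand that `text` or `host` trades on, if `host` is not one of that brand's real domains."""
    norm = normalise(f"{text} {host}")
    brand = next((b for b in KNOWN_BRANDS if b in norm), None)
    return brand if brand and registrable_domain(host) not in KNOWN_BRANDS[brand] else None


class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message: str) -> list:
    """Return human-readable indicators found in the message; an empty list means none fired."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    local, _, sender_domain = addr.rpartition("@")
    brand = brand_mismatch(f"{name} {local}", sender_domain)
    if brand:
        findings.append(f"sender presents as {brand} but mail comes from {sender_domain}")
    bodies = {"text/html": "", "text/plain": ""}  # works for single-part and multipart mail
    for part in msg.walk():
        if part.get_content_type() in bodies:
            charset = part.get_content_charset() or "utf-8"
            bodies[part.get_content_type()] += part.get_payload(decode=True).decode(charset, "replace")
    collector = LinkCollector()
    collector.feed(bodies["text/html"])
    for href, visible in collector.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        brand = brand_mismatch("", host)
        if brand:
            findings.append(f"link {href} uses a {brand} look-alike domain {target}")
        # Visible text that names a domain should agree with where the link really goes.
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", visible, re.I)
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(f"link text shows {registrable_domain(shown.group(1))} but points to {target}")
    hits = [p for p in URGENCY_PHRASES if p in " ".join(bodies.values()).lower()]
    if hits:
        findings.append("urgent wording: " + ", ".join(hits))
    return findings


# Constructed sample messages for the demo, not real mail.
PHISH_SAMPLE = """\
From: "PayPal Support" <paypal@fakemail21.com>
Content-Type: text/html; charset=utf-8

<p>Your verification has failed and your account will be blocked unless you act immediately. Please <a href="http://paypal.com.secure-login.net/verify">https://www.paypal.com/signin</a> to resolve the issue.</p>
"""
LEGIT_SAMPLE = """\
From: "HSBC UK" <noreply@mail.hsbc.co.uk>
Content-Type: text/html; charset=utf-8

<p>Your statement is available in online banking. <a href="https://www.hsbc.co.uk/statements">www.hsbc.co.uk</a></p>
"""
```

Running `analyse(PHISH_SAMPLE)` returns four indicators (brand-spoofing sender, look-alike link domain, link text disagreeing with its target, urgent wording), while `analyse(LEGIT_SAMPLE)` returns none because mail.hsbc.co.uk resolves to a real HSBC domain under the assumed list. The registrable-domain rule is deliberately crude; a production filter would use the Public Suffix List instead.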

What should I do with a phishing email?

You should try not to open phishing emails, and never click the links or open the attachments inside them.

Instead, mark them as spam or move them to your junk folder rather than just deleting them. If your email system has a spam reporting option, use that as well.

Why is it called phishing?

The name comes from hackers “fishing” for credentials and data. The “ph” spelling is borrowed from the early hackers known as “phreaks” (phone phreakers), so fishing for data online came to be referred to as phishing.

Is phishing only done by email?

No. It can be carried out through any type of electronic communication, including SMS texts, instant messages and even phone calls.

What is spear phishing?

Spear phishing is aimed at a specific individual rather than sent out en masse.

Spear phishing attacks can be much harder to spot because they use individual information, such as your name and other personal details, that is less likely to appear in a standard phishing email.

Martin Lane
Written by Martin Lane, Head of Content
Martin is an experienced writer in the financial services sector previously serving as Managing Editor at money.co.uk with regular guest slots on BBC Radio 4 and featured in the national press.
