Emails looking Phishy? Here’s how to keep your business safe from cybercrime in a pandemic.

Every day, cybercriminals are attacking millions of homeworkers across the UK via email, SMS and calls. Any one of these attacks (named phishing, smishing and vishing) could compromise a company’s entire digital infrastructure and financial security. In April, Google reported blocking 100 million scam emails per day (18% of which were COVID-19 scams). Those were just the ones that didn’t reach users’ inboxes.

In this article, we will outline some of the greatest threats to your business in the new remote environment that we’re all adjusting to. We’ll also give you some key tips on how to keep your information and employees safe.

Phishing – What’s the Con?

Phishing emails usually purport to come from a legitimate source, such as an employer, bank or HMRC. They urge recipients to click on links directing them to web portals which have been totally manufactured by fraudsters but resemble a legitimate organisation’s website.

Recipients are then asked to enter a password into the portal, at which point an unlimited quantity of their information can be seized by cybercriminals, and malware is usually installed on their computer or mobile device.

If the recipient has access to any of your organisation’s confidential information – such as email accounts, passwords, bank details and intellectual property – all of this information will be stolen too.

How can you protect your business?

Basic phishing attacks barely resemble the legitimate organisation they purport to represent and are extremely easy to spot and avoid. However, more sophisticated attacks can present recipients with near exact replicas of legitimate communications. It is vitally important that you advise your employees to take the following steps to protect themselves (and your organisation) from phishing:

• Check for spelling mistakes and factual inaccuracies in the email – professional communications would never contain these errors.
• Check the sender’s email address – does it link back to a legitimate organisation’s website? For example, there is a subtle but very clear difference between Frances.Murray@rosenblatt-law.com and Frances.Murray@rosenblaat-law.com.
• Contact the legitimate organisation in question and ask them if they have sent you the email.
• Think about whether the email is genuine. Would the purported sender write like that? Was their email expected?
• Remain aware that no reputable organisation will send any of your employees an unsolicited email asking for immediate electronic payment.
• Are the emails personal? Emails beginning ‘Dear Client’ or ‘Dearest Client’ are 99.9999% likely to be from a scammer.
• Verify any requests for a payment from your company accounts with your Accounts team.
• Update your internal security to the highest possible standards. Poorly secured email accounts are some of the most vulnerable to phishing attacks.

You should also offer your employees specialist training to identify security threats to your business.

Smishing – What’s the Con?

Smishing is a phishing attack made by SMS rather than email. These texts often claim to come from the recipient’s mobile network provider and dispute a recent payment. During this pandemic, texts from GOV.UK have also been targeted by cybercriminals.

As so many companies make confidential information accessible through employees’ work phones, these attacks can compromise your internal security just as easily and devastatingly as fraudulent emails.

How can you protect your business?

Much of the security advice regarding phishing is also relevant for smishing texts. It is also important to consider:

• Is the text coming from a recognised number? If the legitimate organisation would normally contact you from a different number, that is a big red flag.
• Does the link look credible? Does the legitimate organisation’s website resemble the link? There is a huge difference between gov.uk and www.G0v732.uk.
• Before clicking on any link, encourage your employees to email the legitimate organisation to check if the message is authorised. Phone lines could be compromised by fraudsters in one of these attacks, so communicating in writing to verify the text message is critically important.
• Urge your employees not to reply to any text messages that they believe may be part of a scam. Everyone gets nervous when they become victims of these attacks. It is vital to remain calm and refuse to engage with the cybercriminals.
• Encrypt any confidential information stored on or accessible through your employees’ work phones to the highest standards.

Vishing – What’s the Con?

Rejecting fraudulent phone calls has been one of the most irritating tasks for business owners and their staff for many decades. Vishing attacks are more sinister and a lot more dangerous than typical fraudulent cold calls. In one of the worst cases of vishing, £200,000 was stolen from a business.

Criminals impersonate legitimate organisations and even business owners when calling staff (usually company secretaries or members of your Accounts team). These fraudsters also hack the telephone line of the legitimate individual/organisation. An employee phones to seek authorisation for a requested payment and receives it – from the fraudsters!

Organisations as well known and trusted as Nationwide have become targets of vishing.

How can you protect your business?

Safety from vishing relies heavily on your staff remaining calm and not panicking if they receive an unsolicited call requesting payment. Ask them to:

• Email your Accounts team to seek authorisation for any payments.
• Email the legitimate organisation in question to check if the call is genuine.
• Think about whether they are expecting the call. If it’s completely out of the blue – it’s almost certainly a scam.
• Ask for details about the alleged transaction – what work has been supplied to justify the payment? When was it agreed? Who agreed it? Ask the caller for details of the project in question, before seeking authorisation for any payments.
• Ask the caller to make their request in writing via email. Then you can see if their email address is credible. FlAmerideR71749@hotmail.uk is probably not going to be one of your clients.
• Never phone the legitimate organisation after receiving an unsolicited call that purports to come from them and demands immediate payment. Always contact them in writing.

Insider Threat – What’s the risk?

Even the best-intentioned employees can fall victim to scams and unintentionally compromise your security. On other occasions, employees might steal any aspect of your IP or any part of your mailing lists or contact books for their own purposes. Perhaps they want to sell your information or use it to start a competing business? This is an aspect of employee relations that no employer wants to deal with.

You trust your employees and hope that they would always look after your interests, just as you look after theirs every day. However, you should always prepare for the worst-case scenario to become your worst-case reality.

How to protect your business?

• Provide your employees with training on staying safe online and protecting themselves from the scams mentioned above.
• Only give your employees access to confidential information which is essential for them to work productively.
• Protect your most sensitive information with the highest level of password-encryption.
• Require employees accessing sensitive information to permit your IT team to monitor their activity while they are reviewing the information in question.
• Monitor any downloads of sensitive information.
• Make sure that your employment contracts and any associated Non-Disclosure Agreements give you swift recourse to relief (including injunctive relief) if a breach is threatened or suspected.

How will your employees know if contact from NHS Test and Trace is genuine?

• Calls from Test and Trace come from 0300 013 5000. Calls from all other numbers claiming to represent Test and Trace are fraudulent.
• All texts come from the protected sender ID ‘NHStracing’. Texts from all other numbers are a con.
• Test and Trace will never contact people from a withheld number.
• The service is free, so contact tracers will never request a payment in any communications with individuals.
• Test and Trace will only ask your employees to disclose their recent contacts if those employees test positive for Coronavirus (COVID-19). Any calls or messages requesting these details in advance of a test are from scammers.
• The only official website for NHS Test and Trace is https://contact-tracing.phe.gov.uk/. Any other website claiming to represent Test and Trace is not genuine.

Ultimately, implementing comprehensive training programmes and robust security, together with limiting access to sensitive information helps your organisation to build the strongest wall of defence against this new age of cybercrime. Every organisation should remain alert to these security risks, no matter your size. Phishing, smishing and vishing attacks pose unprecedented commercial and personal risks to us all.