As businesses rely more on technology and become increasingly internet-facing, solid cybersecurity measures matter. Businesses are under constant attack from everyone – governments, criminals, hackers and even teenagers.
Phishing is one of the most common tools used by those trying to gain access to your systems. Small businesses are particularly vulnerable: they feel cybersecurity is costly, and consequently don’t have robust security in place. However, a cyber-attack can harm your business reputation and cause irreparable damage. It isn’t time to put your head in the sand! There are some cost-effective steps that you can take.
There are several things that individuals and small businesses in Perth can do to protect themselves, including the ‘essential eight’. Our cybersecurity team helps you understand phishing and how you can protect your business from it.
What is phishing?
Phishing is a type of online fraud in which cybercriminals pose as a legitimate organisation to steal user data such as login credentials, credit card numbers or other sensitive information. The stolen data is later used to access other important accounts, leading to identity theft and financial loss.
How does it work?
Phishing usually occurs in the form of a fraudulent email, text message or instant message. The message comes from a cybercriminal masquerading as a trusted source and looks like a real message, including the sender’s logo. It may ask you to confirm or renew your account, update payment details or other information, or follow similar instructions that look entirely valid. The recipient is tricked into clicking a link, which installs malware on their system or leads them to reveal information to the attacker.
What are the reasons for phishing attacks to be so successful?
Here are some of the reasons why victims keep falling for phishing attacks.
- Lack of security awareness
- Phishing tools are widespread and available at low cost
- Malware is becoming more complex
- Increase in personalised attacks
- Lack of cybersecurity measures
Types of phishing attacks
Understanding the different types of phishing attacks is important to help you protect your business from them.
Email phishing
This is the most common type. A criminal sends out an email with malicious links to a large number of random people, usually in the thousands.
Characteristics
- Sent to a large number of people.
- Looks very similar to legitimate sender, including logos, language, tone, formats, and signatures.
- Clickable links look very similar to the actual links but contain a small variation of the domain. For example, the original link xyz.org/renewal is changed to xyz.orgrenewal.com.
- The message creates a sense of urgency, tricking users into immediate action without giving them much time to think. Typical pretexts are account renewals, payment detail updates, blocked billing, suspension of services etc.
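A defender-side check for the lookalike-link trick described above, added here as an example (not code from the original article): it extracts the registrable domain from a link’s real destination and compares it with the expected one, so xyz.orgrenewal.com is flagged because its registrable domain is orgrenewal.com, not xyz.org. The small suffix table and the sample links are constructed for this example; real code would use the full Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List (assumption of this example);
# production code would load the real list.
PUBLIC_SUFFIXES = {"com", "org", "net", "com.au", "org.au"}


def registrable_domain(host: str) -> str:
    """Owner-registrable part of a hostname, e.g. 'xyz.org' for 'mail.xyz.org'."""
    labels = host.lower().rstrip(".").split(".")
    # Try the two-label suffix first so 'com.au' wins over 'au'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def link_host(link: str) -> str:
    """Hostname of a link, tolerating a missing scheme such as 'xyz.org/renewal'."""
    if "://" not in link:
        link = "http://" + link
    return urlparse(link).hostname or ""


def is_lookalike(expected_domain: str, href: str) -> bool:
    """True when the link really lands outside the expected registrable domain."""
    return registrable_domain(link_host(href)) != registrable_domain(expected_domain)


# Constructed sample pairs: (text shown to the user, real href behind it).
SAMPLES = [
    ("xyz.org/renewal", "https://xyz.org/renewal"),
    ("xyz.org/renewal", "https://xyz.orgrenewal.com/renewal"),
    ("xyz.org/renewal", "https://xyz.org.account-update.com/login"),
    ("xyz.org/renewal", "https://renewal.xyz.org/"),
]


def scan(samples=SAMPLES):
    """Return (shown, href, flagged) per pair; flagged means the domains differ."""
    return [(shown, href, is_lookalike(link_host(shown), href)) for shown, href in samples]


if __name__ == "__main__":
    for shown, href, flagged in scan():
        print(("SUSPICIOUS " if flagged else "ok         ") + f"{shown} -> {href}")
```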
Spear phishing
In this type of attack, the criminal targets a specific organisation or individual. The attacker will have researched the victim and will have good knowledge of the organisation’s communication channels and structure, or of the individual’s online habits.
Characteristics
- Email mimics the official communication template, including text and signatures.
- Usually from a higher authority to a subordinate.
- Usually asks the user to open a password-protected document. The password may be an employee ID or, in the case of individuals, an account number.
- The purpose is usually to establish an advanced persistent threat, with the criminal remaining undetected for a substantial period.
Smishing and vishing
Characteristics
- Victims are baited through a phone call (vishing) or SMS (smishing)
- Criminals usually approach victims by posing as an investigator, insurance agent, bank agent etc.
- The message creates a false sense of urgency
- Victims are deceived into sharing sensitive data, sending money to criminal accounts or downloading malicious software
Angler phishing
Characteristics
- Scammers use phishing attack sites, fraudulent URLs, posts, and tweets to deceive targets into downloading malware or sharing sensitive information.
- Scammers contact disgruntled customers who have complained about a product or service on social media, posing as representatives of the company.
Different phishing techniques
Website Imitations
Deactivation notifications
- “Your subscription is expiring”
- “Renew your subscription”
- “Your account will be deactivated on…”
The above messages create a sense of urgency in you, right? That’s precisely what phishers use against you. Deactivation alerts like these are among the most common techniques used to obtain your data. Such messages usually include malicious links that take you to fake sites, where you are asked to share your banking information or enter your old password in order to create a new one.
Offering technical support
Monetary reward or donation messages
How can you protect your small business from phishing?
- Cybersecurity Audit - The first step is to perform a thorough cybersecurity audit. As cybercrimes get increasingly sophisticated, it is advisable to take professional help. Computing Australia has been providing cybersecurity audits for businesses in Perth and keeping them safe from cyberattacks for many years.
- Adopt and enforce a comprehensive security policy.
- Update antivirus and other security systems regularly.
- Use encryption for all online messages and encrypt sensitive data.
- Deploy filters to detect and block malicious links and websites.
- Educate employees about the need to strictly follow security protocols, including 2FA and strict password management.
What is ‘The Essential Eight’?
- Application controls – to prevent the execution of malicious programs.
- Configure Microsoft Office macro settings – to allow only vetted macros from trusted locations.
- Patch applications – within 48 hours for high-risk vulnerabilities.
- User application hardening – to block and disable unnecessary features.
- Restrict administrative privileges – based on user duties.
- Multi-factor authentication – for all users.
- Patch operating systems – including network devices with extreme risk vulnerabilities within 48 hours.
- Daily backups – to ensure access to information in the event of a cybersecurity incident.
Computing Australia Security for Small Businesses in Perth
A phishing attack can cause irreparable losses for victims. For small businesses, it can mean financial losses and loss of reputation and customer trust. A phishing attack can also quickly turn into a major cybersecurity event that paralyses a business. Protect your business now. Talk to our cybersecurity experts right away.
Jargon Buster
Advanced Persistent Threat – a cyber-attack in which a criminal gains access to a system or network and remains there for a prolonged period without being detected.
Malicious Links – a link created for the purpose of a cyberattack.
2FA – Two-Factor Authentication – access is granted only after two steps of authentication: you must provide two pieces of evidence to establish your identity. It is a form of MFA (multi-factor authentication).
Article originally published on 07/08/2020
Revised by Blake Parry on 06/07/2021
Added new sections:
How does it work?
What are the reasons for phishing attacks to be so successful?
Different phishing techniques