How to avoid phishing scams this Cyber Security Awareness Month

As we approach the 10th European Cyber Security Awareness Month, it’s never been more important to ensure that your organisation’s digital landscape is as secure as possible.

Attacks are becoming more complex and costly to rectify, especially as the average total cost of a data breach increased by nearly 10% year over year. This year's campaign, ‘Think Before U Click’ #ThinkB4UClick, focuses on the damages that can come from phishing scams and ransomware attacks. Whilst these might be rudimentary concerns for IT teams, it is worth restating that rigorous cyber security requires everyone with access to a company email to remain vigilant.

‘There’s plenty of phish in the sea’

Phishing attacks, specifically, are still one of the biggest concerns for IT and cyber security professionals, with 75% believing that hybrid work models have expanded the range of attacks and success rate of cyber criminals. Particularly with the new technologies that organisations have had to embrace to adapt during the pandemic, these traditional attack methods can cause huge amounts of damage to digital environments.

Phishing is not a new concept, but in recent years, additional complications have developed as cyber criminals get smarter and more sophisticated. Andy Bates, Practice Director for Security at Node4 has noticed that bad actors “can now impersonate you without even hacking into your system. We are all trained (subliminally or actively) to spot a fake email address – when a 0 is used instead of an O, for example – but if a message came from a proper email address, you are much more likely to believe it and fall into their trap”.

“Ransomware and phishing continue to grow in volume, with attacks launched by socio-political groups fighting on either side of the Ukraine war inevitably spilling over into commercial and public sector organisations”, Chris Cooper, Cyber Security Practice Director at Six Degrees, adds. This is a current issue that will require modern solutions to combat as threats evolve, and in an increasingly hostile world, businesses will need to ensure that their staff are prepared.

Get your team hooked

Although these attacks might be damaging, there are steps that can be taken to reduce the impact should the worst happen. Education and awareness of phishing threats should be an integral part of the corporate calendar.

“Today’s environment has made this a necessity for all organisations, no matter the size or tenure. By further educating employees and executive management on the importance of data security and governance, companies can be better protected against potential threats”, suggests Jeff Sizemore, Chief Governance Officer at Egnyte. Although cyber security might not be the most exciting topic to get motivated about, being cyber aware should become a badge of honour, especially when employees understand that they can become the first line of defence for the business.

However, it’s not just down to staff to keep the business secure. Richard Barretto, CISO at Progress, believes that “security leaders should empower and support their IT and Engineering teams to prioritise patching of infrastructure and endpoint devices before malicious threat actors can exploit them”. Scanning incoming email at the gateway complements this: it stops known malware before it reaches staff inboxes, and the messages it blocks build a picture of the threats currently targeting the organisation.

John Grancarich, EVP of Strategy at HelpSystems, adds that “at the end of the day, the smarter you can make a system to detect and prevent a threat the safer you and your organisation will be. While phishing attacks are always going to evolve like any threat vector, the more often we can spend that one brief moment clicking 'Report Phish' makes the entire system smarter not just for you but for everyone else as well. A smarter system is a safer system”.

Back to basics

If you’re starting to analyse your security risk for the first time, Gary Lynam, Director of ERM Advisory at Protecht, suggests that companies “should strongly consider the ISO 27000 series of security standards and best practices. The standards offer a systematic approach to information security risk management around people, processes and technology. Smart security practices, risk assessment, compliance management and operational resilience will help businesses minimise attack surfaces and recover quickly if attackers get through".

Ultimately, the best way to become as secure as possible against phishing attacks is to combine employee advocacy with digital preparedness. As part of your Cyber Security Awareness Month training, the European Cyber Security Awareness Month organisation suggests that you cover key signs of foul play, such as:

1. Poorly written sentences - do the spelling and tone match what you’d expect from the claimed source?

2. Is there a generic greeting? - most scammers are unlikely to include your name in their emails. Instead, be wary of “Dear Customer” or “Dear Sir/Madam”.

3. Links and attachments are dangerous - cyber criminals often include links or attachments that carry malware, and a link’s visible text need not match where it actually points. If you’re not sure of the source, don’t click.

4. If you’re unsure, block - if it feels wrong, it probably is wrong. Never reply to suspicious senders, block the address and, if possible, report the email as phishing so future threats can be sent straight to spam.

Always have a copy

Finally, whilst it’s best practice to try and prevent the impact of malware, it’s almost impossible to completely remove the risk. Christopher Rogers, Technology Evangelist at Zerto, a Hewlett Packard Enterprise company, notes that “businesses need backup and disaster recovery plans that ensure that they can recover quickly and minimise disruption and data loss - limiting downtime and restoring operations in a matter of seconds or minutes, rather than days or weeks. When it comes to cybersecurity, protection alone is not enough, and a recovery plan should be an essential part of every cyber strategy”.

Overall, the risk of phishing and malware attacks can never be fully eliminated, but by ensuring that both the organisation and its employees are prepared, the impact of these attacks can be significantly reduced.
