Phishing attacks aren’t a new threat but they are a common and growing one. Australian Competition & Consumer Commission reports show Australians reported 25,000 phishing scams in 2019, with a total of 167,697 attacks costing a massive AU$634 million. They are simple and incredibly effective attacks – but there are measures you can put in place to protect your business and employees.
What is a Phishing Attack?
The first step in preventing these attacks is to be able to recognise them quickly.
A phishing attack is one in which an attacker sends out a malicious email to as many people as possible, with recipients sometimes numbering in the millions. The email will not look malicious at all. In fact, sophisticated phishing attack emails look like professional communications from banks, financial services providers, taxation offices, and other trustworthy sources. They will have the right branding, use professional language and do everything they can to look just like the real thing.
The aim is then to get the user to input private financial information, either claiming a problem with their account or a chance to access a new service. This information is then used to drain these bank accounts.
A spear phishing attack is a little different in that it uses similar methods but targets specific businesses rather than masses of private individuals, attempting to gain access to business accounts and customer financial information – often with devastating results.
Distinguishing Characteristics of a Phishing Attack
As a result of phishing attacks that look so much like genuine communications, it is standard policy for businesses never to ask for the following information by phone, email, text or any other medium:
- Your username, Personal Identification Number (PIN), security questions and answers.
- Private personal, business, client and financial information including any card numbers, credit card details or account information.
- An immediate payment (phishing attacks often give you little time to think, pressuring you to act and make a payment to avoid a service being cut off, a penalty, etc.)
- Asking you to input any personal, business, client or financial information into a third-party website.
Because these scams look so professional and legitimate, knowing what a legitimate business cannot ask for is one of the best ways to avoid an attack. This is an essential area to focus on for employee security training.
What to Do If You are Contacted by a Suspected Phishing Scam
Another important focus for employee security training is what to do if you are unsure about the legitimacy of a professional communication. Tips include:
- Make contact – Some phishing emails are sent off legitimate accounts of existing vendors or contacts who have been hacked. If an email arrives asking for any information or payments, or to download something from a link(as we covered above), the best course of action is to phone the vendor in person and confirm the email – they may be unaware that their account has been compromised. You should also talk to your IT department if you get a suspicious email.
- Spam filters –A sophisticated spam filter will be able to detect and filter out the vast majority of phishing attacks. These messages should be regularly cleared off email servers.
- Don’t click links – Before you click a link on an email for an article, website or video, hover your mouse button above it. This will show the actual web address this will take you to. This may look similar to the real address but usually has spelling errors, odd numbers and so forth. Never click on a suspicious link.
- Use your IT security policy – All businesses, large and small, should have an IT policy in place to offer resources in the event of a suspected phishing attack. This should include who to contact directly and how to contact them, as well as sets your IT team will take to respond to alerts as well as breaches. Your IT security policy should also limit who in your organisation has the ability to access client and business financial account information, ensuring that if your organisation is targeted, the risk is limited to only a few people.
What to Do in the Event of a Breach
If someone in your organisation falls victim to a spear phishing attack, call your IT security specialist immediately to protect critical private financial and client data. At the same time, you should report it to your banks to prevent compromised accounts from being drained. You should also:
- Report the scam to the ACCC. You can do this via the Scamwatch page.
- Lodge a report with the Australian Cyber Security Centre through ReportCyber.
- For personal phishing scams, you can also contact IDCare on 1300 432 273 or via idcare.org for support and guidance.
Your First Line of Defence – Your Managed IT Services Partner
An experienced IT security provider like Milan Industries has the experience, expertise and solutions in place to provide businesses of every size with comprehensive security against phishing attacks, malware and ransomware attacks. Not only can we implement comprehensive IT security policies and solutions, we can also train your employees on safe computer use and cybercrime prevention. For more information, please contact us today.