When you hear the word ‘Phishing’, you might think it refers to the relaxing hobby or sport of catching a fish with a hook or worm. You might be close if you consider that with Phishing, you are the fish and email is the hook or worm.
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
The most widely used Phish in my experience comes in the form of email and is commonly an individual impersonating another member of the business. A common fish is where they try to get a manager to transfer funds for “an urgent payment”, or change invoicing details of a known supplier.
A phishing email’s goal is to get you to do something or to take an action, like click a link in the email, respond to the email or open an attachment. Phishing emails are hard to stop from an IT perspective because they are usually just plain text emails. They don’t usually have viruses but could have a link in the email that if clicked could download malicious software to you PC or business network and lock you out of your own data. The same is true of attachments to emails. It could be virus free, but could contain a link that if clicked can cause you problems.
Defending yourself against Phishing
The best defence is education and simple IT supports. It is important to educate your staff of the dangers of Phishing and how it operates. Your staff are your “human firewall” and are your best protection if educated, otherwise they could be your greatest risk. You should also have a Firewall, Virus Software on all devices and some filtering software to filter out the obvious emails that are Viruses, Phishes, Junk or spam.
If you use a product like Microsoft Office 365 to manage your email, you can place a header in each email to let you know if an email has originated outside your business or organisation. That will at least help you see if someone is trying to impersonate another member of your staff. There is also lots of software, including cloud based solutions that will allow you to train and phish your staff to help improve their resistance to clicking on emails.
If you have concerns, you should speak to your IT support or IT third party support company to ensure you have the necessary controls in place to minimise attacks. You could also look at getting Cyber Essentials Accreditation for peace of mind, this is used by lots of Irish companies to ensure they have the basics right.