Phishing attacks are one of the most common cyber security threats facing businesses around the world. Heavily reliant on human error, these email, text and social media threats can cause not only financial loss but far-reaching reputational damage too.
But what are they, how bad are they exactly and how do you prevent them?
As part of our series of cybercrime informational blogs, we are going to take a closer look at phishing threats today.
What is a phishing attack?
A common misconception is that phishing is a form of malware. It is actually the method of communication used to make contact with a potential target, or to extract information from someone directly. So it is not malicious software, but a malicious communication campaign that often carries or links to malware.
Phishing scams are sent in bulk, allowing cyber criminals to reach millions of users in one hit. They most often arrive via email, carrying malicious links or attachments that install malware on your computer. This is not to be confused with spear phishing, which is a campaign targeting a specific individual, business or institution.
Phishing attacks can also impersonate emails from legitimate companies or brands to harvest your passwords, personal data or credit card details. We’ve all seen those ‘Argos gift card’ or ‘UPS delivery payment’ emails hit our junk folders!
In recent years you may have noticed that this style of data theft has grown to include text messages, phone calls and even social media direct messages. Whichever method is used, the aim is always the same: gaining access to your data, or making easy money from you.
How an email phishing scam works
Here’s what the flow of an email phishing scam could look like. Most mobile and text scams work in a very similar way.
Typically it is staff who are hit by phishing scams. If a member of staff opens an email without suspecting it is a phishing attempt, and your email system’s filter has not marked it as junk, there are several ways the attacker can get what they need:
Your employee clicks on a link, which takes them either to a website that downloads malware onto their computer (known as a drive-by attack) or to a fake website where they enter their credentials.
Your employee downloads a malware-infected attachment.
Or your employee replies to the email with business information.
How damaging is a phishing attack?
Research in the US found that 1 in 99 emails is a phishing attack, and that businesses who fell foul of them were likely to see a 67% drop in productivity, 54% data loss on average and, of course, reputational damage (reported at 50%).
In the last 12 months, UK businesses reported an average estimated cost of £4,200 from cyber-attacks, rising to £19,400 for medium to large businesses.
When we consider reputational losses, we have to think of the long-term costs: not just the customers directly affected, but the potential clients who hear about the hack from friends or press coverage.
Some of the most high-profile phishing attack cases include:
Facebook and Google, $100 million lost, of which only $49.7 million was recovered. Over a two-year scam, both companies were hit with a series of fake invoices from a cybercriminal posing as their supplier Quanta. This is a common attack type, so make sure to check invoices as they come in!
Crelan Bank, $75.8 million lost, $0 recovered. The Belgian bank lost a significant reserve amount after a phisher took control of a high-level executive’s email account and instructed employees to transfer money to an outside account. This was only discovered through an internal audit!
How common are phishing attacks?
According to the UK Government, 39% of businesses identified a cyber attack in 2022, and 83% of those reported phishing attempts.
Think about it. It’s not uncommon to get 4-5 spam emails a day. Most of them go to your junk folder, but a few make it to your inbox. Even on the most commonly used email system, Office 365, one quarter of phishing emails bypass its security. This shows that criminals understand how email filters work, so your defences need to be several layers deep.
The main types of phishing emails
The fake invoice
The government or tax email
The bank email
An angry customer, supplier, or contact
Account compromised scare
Renew your details
The ‘wire money to a friend’ email
A contest win
How to prevent phishing attacks
Here are the steps we take with our clients:
Configure your email accounts’ security settings to reduce attacks
Use two-factor authentication for all business email accounts, including the ‘info@’ contact email
Create a safe list of email addresses
Train staff to recognise the different types of phishing scam
Create a staff protocol for flagging and dealing with email attacks
If you use business mobiles, create a similar protocol for scam phone calls and texts, and train staff on how to deal with them
Make sure you have something similar set up for social media attacks too.
Check your business digital footprint regularly
Invest in good anti-virus software for your devices
Have your IT administrators scan your systems for malicious files regularly
Need help protecting your business against a phishing attack?
The last thing you need on your plate is a phishing scam running wild in your business, causing unnecessary losses. Worse still, a damaged reputation could take years to recover from, depending on your industry, so you need to treat potential threats seriously.
Outsourcing your cyber security to a professional team of IT experts will banish these worries from your business!
If you are in the Soho London area contact us today and let us handle all your IT support needs!