How to protect your business against phishing scams

You may be familiar with the term ‘phishing’ when it comes to keeping an eye on your personal emails, and making sure you’re not being scammed by a fraudulent email encouraging you to share personal data, but have you thought about your business?

Whilst most email and business IT platforms have security controls in place to catch most phishing emails, there are still a small percentage that get through. So, it’s important that your staff can recognise these and report them.

Cybercriminals have become much smarter in their approach and they use several “Social Engineering” techniques to bypass security controls. For example, typing “financial director insert_company_name” into Google and you will more than likely get a name. With this information a fake email can be sent to other employees within the same company encouraging them to either click on a link or download a document, that has malicious content.

An email is more likely to be actioned (clicked on/download content) by an employees if it has supposedly come from someone within the business, particularly someone senior.

Identifying phishing emails

A key indicator to a phishing email, is that it will create a sense of urgency by requiring you to do something immediately. The most popular subject lines for these types of emails are Urgent, Request, Important, Payment and Attention.

Of course, cybercriminals will also use branded emails to tempt you into taking the bait. Receiving an email saying that your Amazon/Netflix/PayPal/Apple etc. account is about to be disabled, is a classic scam technique. During the COVID-19 pandemic, there has also been an increase in fake emails from HMRC offering COVID tax refunds and the World Health Organisation or NHS offering accelerated vaccinations (at a cost).

It’s important to educate your employees around what ‘Phishing’ is, how businesses can be targeted, how to identify these emails and how to report them. You may also want to get your IT teams to apply a banner to all external emails coming in to the business with a banner, highlighting that the email was generated externally – see the example below.  

How can you report a Phishing email?

If you are unsure whether an email is genuine or not, it’s better to be safe than sorry. Within Outlook, there’s an easy way to assess if the email has malicious intent – this is known as the PhishAlarm® which is a button that appears on the top right-hand side of Outlook or within the email itself. In the web version, just click on the 3 dots on the top right-hand side of the email, labelled “More Actions” and then select “Report Phish”:

Once this button has been clicked, follow the prompts and the email will be removed from your mailbox to be analysed and categorised. When this is complete, you will be notified whether the email is a threat or not. If it is not a threat, the email will be returned to your Junk folder in your mailbox. This procedure is the same for group mailboxes. By reporting an email, you are helping to identify further instances of the same email, getting them removed and protecting the organisation.

If the add-in on Outlook isn’t there, you can enable this yourself by following the guidelines on Microsoft.