Phishing email scams are when fraudsters pose as legitimate organisations to dupe people into sharing their personal information with them. The information is then used to access important accounts and can result in identity theft and financial loss. Sadly, there’s no simple way to prevent fraudsters from doing this, but as a company there are steps you can take to mitigate the risk of cybercriminals fraudulently targeting your organisation.
1. Filter or block incoming phishing emails
Emails coming into your employees’ inboxes should be checked for spam, phishing and malware. You can do this by adding filtering/blocking controls to your email server. Filtering usually sends incoming emails to your junk/spam folder, while blocking means the email won’t get delivered at all.
If you use a cloud-based email provider, like Outlook, make sure its filtering/blocking service meets your organisation’s needs, and that it’s switched on by default for all your users.
2. Encourage employees to be vigilant
There’s no failsafe way to stop phishing emails, so it’s worth educating your employees on what to look out for should a rogue email land in their inbox. Common signs of phishing emails include:
- Weird email addresses that don’t feature the name of the company that’s supposedly sent the email
- Urgent requests for action – for example, ‘Your Amazon account has been hacked. Click on the link now to update your personal information.’
- Suspicious links in the body of the email. You can use a URL checker (see panel below) to check whether a URL is legitimate
- Emails with bad grammar and spelling mistakes
See the National Cyber Security Centre (NCSC) website for more ways to spot a scam email.
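The first three signs in the list above can be checked mechanically, which is what automated mail filters do before a message ever reaches a reader. The following is an added illustration, not code from the original article or from the NCSC: it scores two constructed sample messages against three heuristics (a display name whose company name is absent from the sender’s domain, urgent calls to action, and links whose visible text points somewhere other than their real destination). The phrase list, the sample messages and the `.example` domains are constructed for this example.

```python
"""Heuristic phishing-indicator checks over constructed sample emails."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed list of phrases that pressure the reader into acting at once.
URGENCY_PHRASES = (
    "has been hacked",
    "click on the link now",
    "within 24 hours",
    "verify your account immediately",
    "account will be suspended",
)


@dataclass
class Email:
    from_name: str   # display name shown to the reader
    from_addr: str   # actual sender address
    subject: str
    body: str
    links: list      # (visible anchor text, real href) pairs


def host_of(url_or_host: str) -> str:
    """Return the lower-cased host of a URL or bare hostname, without a leading 'www.'.
    A production filter would reduce this to the registered domain using a
    public-suffix list; exact host comparison is enough for the illustration."""
    parsed = urlparse(url_or_host if "://" in url_or_host else "//" + url_or_host)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def sender_domain_mismatch(email: Email) -> bool:
    """True when no word (4+ letters) of the display name appears in the sender's domain,
    e.g. 'Amazon Security' sent from an address that is not on an amazon domain."""
    domain = email.from_addr.rsplit("@", 1)[-1].lower()
    words = [w for w in re.findall(r"[a-z]+", email.from_name.lower()) if len(w) >= 4]
    return bool(words) and not any(w in domain for w in words)


def urgent_language(email: Email) -> bool:
    """True when subject or body contains one of the constructed urgency phrases."""
    text = f"{email.subject} {email.body}".lower()
    return any(phrase in text for phrase in URGENCY_PHRASES)


def deceptive_links(email: Email) -> list:
    """Hrefs whose real host differs from the host shown in the anchor text, or,
    when the anchor text is plain words, from the sender's own domain."""
    sender_host = email.from_addr.rsplit("@", 1)[-1].lower()
    flagged = []
    for text, href in email.links:
        looks_like_host = re.search(r"[a-z0-9-]+\.[a-z]{2,}", text.lower())
        shown = host_of(text) if looks_like_host else sender_host
        if host_of(href) != shown:
            flagged.append(href)
    return flagged


def indicators(email: Email) -> list:
    """Human-readable list of the indicators that fired for one message."""
    found = []
    if sender_domain_mismatch(email):
        found.append("sender address does not name the claimed company")
    if urgent_language(email):
        found.append("urgent call to action")
    if deceptive_links(email):
        found.append("link destination differs from what is shown")
    return found


# Constructed samples: one modelled on the article's 'Your Amazon account has been
# hacked' example, one a genuine-looking order notification.
SUSPICIOUS = Email(
    from_name="Amazon Security",
    from_addr="alerts@amaz0n-account-verify.example",
    subject="Your Amazon account has been hacked",
    body="Click on the link now to update your personal information.",
    links=[("https://www.amazon.co.uk/account", "http://amaz0n-account-verify.example/login")],
)
GENUINE = Email(
    from_name="Amazon",
    from_addr="no-reply@amazon.co.uk",
    subject="Your order has been dispatched",
    body="Thanks for your order. Track your parcel below.",
    links=[("Track your parcel", "https://www.amazon.co.uk/orders")],
)

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("genuine", GENUINE)):
        print(label, "->", indicators(sample) or ["no indicators"])
```

The fourth sign on the list, poor grammar and spelling, is left to the human reader: it is easy for a person to notice and hard to encode without many false alarms. None of these heuristics is conclusive on its own, which is why they are combined and why the article still asks staff to report anything that looks wrong.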
If an employee receives a suspicious email in their inbox (not their junk or spam folder, since mail there has already been filtered), encourage them to report it. They can do so by forwarding it to [email protected]. You should also encourage them to make your IT team aware of any phishing scams, so that IT knows a message has got past the company’s technical defences.
Remember, training can help users spot phishing emails, but no amount of training will help them spot every one. Don’t put all the responsibility for preventing phishing on your employees’ shoulders.
3. Protect your devices from malware
Malware is short for malicious software; cybercriminals often try to install it on your devices via links in phishing emails.
Prevent attackers from exploiting vulnerabilities in your organisation by making sure your company is running the latest version of any software and only uses supported devices. For more on this, see the NCSC’s Device Security Guidance.
You can also help employees avoid malicious websites by making sure they’re working on the most up-to-date version of their browser. Organisations should also run security software that blocks attempts to click through to websites identified as hosting malware or phishing campaigns.
4. Protect your accounts with effective login procedures
Cybercriminals often target businesses through a user’s login details. Make sure your company’s login processes are robust and resistant to phishing. Add security to user logins by requiring two-factor authentication, and make sure you suspend email accounts that are no longer in use.
Password managers are also a useful way to ensure staff use unique, hard-to-guess passwords for work accounts online. Note, however, that password managers, like all software, can have vulnerabilities, so do your research before introducing one to your organisation. See the Password manager buyer’s guide.
You should also keep the number of people with access to important company information online to an absolute minimum.
5. Apply anti-spoofing controls
The government is encouraging organisations to set up Domain-based Message Authentication, Reporting and Conformance (DMARC), an email standard that stops your company’s domains being used to send spoofed email. The benefits are that it helps prevent cybercrime, improves trust in the emails your company sends, and gives you access to reports on the legitimate and fraudulent use of your domains.
We recommend you speak to your IT team or IT person about the practicalities of implementing this, and remember to whitelist the genuine sources of email for your domain, such as ecommerce and newsletter systems, so that their messages are authorised rather than rejected.
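Two DNS records carry the settings this section describes: the DMARC record sets the policy applied to mail that fails authentication and where reports are sent, and the SPF record lists the services allowed to send mail for the domain (the whitelist of genuine sources mentioned above). The code below is an added example, not the page’s or the NCSC’s own tooling: it reads constructed records as strings rather than looking them up over DNS, reports what a DMARC record actually enforces, and shows which genuine sending service is missing from SPF and would therefore fail once the policy is enforced. The record contents, the `.example` hostnames and the list of genuine sources are constructed for this example.

```python
"""Inspect constructed DMARC and SPF records for a company domain."""

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' record (DMARC syntax) into a dict of lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy, subdomain policy, report address and a list
    of findings that would weaken the protection a reader might expect."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "")
    if policy not in DMARC_POLICIES:
        findings.append("missing or unknown p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    pct = int(tags.get("pct", "100"))  # percentage of failing mail the policy applies to
    if pct < 100:
        findings.append(f"policy applies to only {pct}% of failing mail")
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy),  # sp= defaults to p=
        "report_to": tags.get("rua"),
        "findings": findings,
    }


def spf_sources(record: str) -> set:
    """Mechanisms (mx, a, ip4:, ip6:, include:) authorised by an SPF record,
    excluding the trailing 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return {t.lstrip("+") for t in terms[1:] if t.lstrip("+-~?").lower() != "all"}


def spf_all_qualifier(record: str) -> str:
    """Qualifier on 'all': '-' hard fail, '~' soft fail, '?' neutral, '+' pass."""
    for term in record.split():
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return ""


def unauthorised_sources(record: str, genuine_sources: list) -> list:
    """Genuine senders absent from SPF. Their mail fails authentication, and
    under p=quarantine or p=reject receivers will junk or refuse it."""
    authorised = spf_sources(record)
    return [source for source in genuine_sources if source not in authorised]


# Constructed records for a fictional domain; the newsletter tool was never added to SPF.
DMARC_RECORD = "v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc-reports@example.org"
MONITOR_ONLY = "v=DMARC1; p=none"
SPF_RECORD = "v=spf1 mx include:_spf.mailprovider.example include:shop-platform.example -all"
GENUINE_SOURCES = [
    "mx",                                   # the company's own mail servers
    "include:_spf.mailprovider.example",    # hosted mailbox provider
    "include:shop-platform.example",        # ecommerce order confirmations
    "include:newsletter-tool.example",      # marketing newsletters
]

if __name__ == "__main__":
    print("DMARC:", assess_dmarc(DMARC_RECORD))
    print("monitor-only record:", assess_dmarc(MONITOR_ONLY)["findings"])
    print("SPF 'all' qualifier:", spf_all_qualifier(SPF_RECORD))
    print("genuine sources not in SPF:", unauthorised_sources(SPF_RECORD, GENUINE_SOURCES))
```

The usual rollout is to publish `p=none` with an `rua=` address first, read the aggregate reports to discover every service that legitimately sends as your domain, add each one to SPF (and DKIM), and only then move to `quarantine` and `reject`. The `unauthorised_sources` check is the step that catches a forgotten newsletter or shop platform before enforcement turns it into lost mail.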
These tips should help mitigate some of the risk of your company being subject to a phishing attack. Remember, there’s no single fool-proof way to do this, so the NCSC recommends taking a multi-layered approach.
For more information, see the NCSC website.
Unsure whether a URL is legitimate?
These tools let you check whether a site has been listed as hosting malicious software or scams: