SMEs are continuously at risk of a cybersecurity attack that could potentially occur at any time and cause devastating and long-lasting effects on the company. Without the necessary procedures in place, an attack could see a firm lose its customers due to a lack of confidence in the business, experience severe data loss, or in the worst-case scenario, decline into liquidation.
Above all, many cyber-attacks begin with email. A hacker sends a business an email that appears legitimate and contains links or attachments; following such a link or opening the attachment triggers a malicious action, which can be immediate or disguised so that it only becomes apparent later. There are many types of email attack that users can receive, and it is imperative that professionals know exactly how to detect and react to them.
Firstly, spear phishing is one of the most common forms of cyber-attack. A spear phishing email is sent by a hacker impersonating a high-profile organisation, such as a bank or a TV licensing business, and usually requests that the recipient enter personal details online.
They will often ask for bank account details. To spot them, you must look out for the following:
1. The sender’s address – checking the sender’s address is crucial, as it gives you the immediate warning signs that the email is not from a legitimate business. Look out for extra or substituted characters and for a domain that does not match the one the business actually uses.
2. Links/attachments – hovering over a link shows the destination URL without clicking it; if the destination does not match the text or the organisation it claims to be, treat the link as suspicious.
3. Email format – malicious emails often contain spelling and grammatical errors and are signed without an email signature/footer.
Further to phishing attacks, whaling is a specific form of phishing which can be highly dangerous for a business. The objective is to imitate someone of high importance in a business such as a manager, director or CEO.
The end game is for the recipient to pay a sum of money to a bank account specified by the attacker before the fraud is noticed. The email does not contain any malicious links or attachments, but it may contain a fake invoice which prompts the recipient to pay.
For instance, the accountant or bookkeeper in the business may receive an email apparently from the director, CEO or manager, requesting that they send payment for an attached invoice. The accountant views the fake invoice and enters the payment details it specifies, which plays straight into the hackers’ hands.
Before you make any payments, always:
1. Seek confirmation – always confirm with the manager or director if the payment should be authorized, especially when it is a large payment.
2. Check the sender – the email address may look legitimate; however, clicking ‘reply’ will reveal the address the reply would actually go to (the Reply-To address), which often differs from the displayed sender.
3. Language use and activity – fake emails may claim to be sent from a mobile phone, and the language may be more informal or more formal than how your boss usually communicates with you. Be wary of these factors before proceeding.
Clone phishing is almost the same as spear phishing. It is the method of taking a legitimate email from your inbox, copying it, and replacing its links or attachments with malicious ones that request or demand payment. Clone phishing emails can be tricky to spot, which is why you should take extra care when clicking any link within an email. To avoid falling victim to a scam email like this, take these precautions:
1. Links and attachments – similar to spear phishing, you should hover over the links and attachments before clicking.
2. Follow up – if the email appears suspicious, for instance requesting specific details you've already given, use another means of communication (such as the telephone) to authenticate the email with the company sending it.
3. Sender – although the email may look exactly the same as the one you previously received, the sender's address will give it away.
Deceptive phishing is somewhat like spear phishing. Its common feature is a subject line that demands urgent action, such as “Your account has been suspended – rectify your account now!”. By instilling a sense of urgency and even fear, it gets the user to act immediately rather than reading the email carefully and coming back to it later.
Once the user has clicked the link, the page it leads to either delivers malware that locks the computer and demands payment, or asks the user to enter their personal details, which the hacker then collects. The best advice for avoiding these deceptive attacks is the same as for all the other types of phishing described above: check links, attachments and the email's format, and be particularly vigilant if the subject line makes the matter sound like an emergency.
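The checks listed above (sender domain, Reply-To address, link text versus link destination, an urgent subject line, and a payment request with an attached invoice) can be automated as a first-pass triage for a reported email. The following Python script is an added example written for this article, not code from the original post or from Aspect IT; the sample messages, domains (all under the reserved `.example` TLD), keyword lists and the set of "known domains" are constructed for the demonstration, and a real deployment would take the known domains from the organisation's own records and treat the output as indicators for a human to review, not as a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed keyword lists: wording that creates urgency or requests payment.
URGENCY_WORDS = ("suspended", "immediately", "urgent", "now!", "rectify", "final notice")
PAYMENT_WORDS = ("invoice", "payment", "bank account", "wire", "transfer")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over a link would show."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Domain part of a header address such as '"Name" <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def url_host(url):
    """Host part of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def is_known(host, known_domains):
    return any(host == d or host.endswith("." + d) for d in known_domains)


def phishing_indicators(raw_message, known_domains):
    """Return a list of (code, detail) findings for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender address: does the domain belong to the organisation it claims to be?
    sender_domain = domain_of(msg.get("From", ""))
    if sender_domain and not is_known(sender_domain, known_domains):
        findings.append(("SENDER_DOMAIN", f"sender domain {sender_domain!r} is not a known domain"))

    # 2. Reply-To: where would clicking 'reply' actually send the answer?
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(("REPLY_TO_MISMATCH", f"Reply-To domain {domain_of(reply_to)!r} differs from From domain"))

    # 3. Subject line: wording that pressures the reader to act immediately.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(("URGENT_SUBJECT", f"urgent wording in subject: {hits}"))

    # 4. Links and attachments: compare displayed text with the real destination.
    body_text, attachments = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
            extractor = LinkExtractor()
            extractor.feed(html)
            for href, text in extractor.links:
                shown, real = url_host(text), url_host(href)
                if shown and real and shown != real:
                    findings.append(("LINK_MISMATCH", f"link text shows {shown!r} but points to {real!r}"))
                elif real and not is_known(real, known_domains):
                    findings.append(("UNKNOWN_LINK_HOST", f"link points to unknown host {real!r}"))
            body_text += re.sub(r"<[^>]+>", " ", html).lower()
        elif ctype == "text/plain":
            body_text += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8").lower()
        elif part.get_filename():
            attachments.append(part.get_filename())

    # 5. Whaling pattern: an attachment together with wording that asks for payment.
    if attachments and any(w in body_text for w in PAYMENT_WORDS):
        findings.append(("PAYMENT_ATTACHMENT", f"payment request with attachment(s) {attachments}"))
    return findings


# Constructed sample data: the domains the impersonated bank really uses ...
KNOWN_DOMAINS = {"examplebank.example"}

# ... a constructed phishing message showing every indicator discussed above ...
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@examp1ebank-secure.example>
Reply-To: collections@mailbox-relay.example
To: accounts@victim-smb.example
Subject: Your account has been suspended - rectify your account now!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, please settle the attached invoice immediately.</p>
<p>Log in at <a href="http://login.examp1ebank-secure.example/verify">https://www.examplebank.example/login</a></p>
</body></html>
--BOUNDARY
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

# ... and a constructed legitimate message that should produce no findings.
CLEAN_SAMPLE = """\
From: "Example Bank" <alerts@examplebank.example>
To: accounts@victim-smb.example
Subject: Your monthly statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready at
<a href="https://www.examplebank.example/statements">https://www.examplebank.example/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(f"{name}:")
        for code, detail in phishing_indicators(sample, KNOWN_DOMAINS) or [("OK", "no indicators found")]:
            print(f"  {code}: {detail}")
```

Run as a script, the phishing sample produces five findings (unknown sender domain, Reply-To mismatch, urgent subject, link text pointing to a different host, and a payment request with an attachment) while the clean sample produces none. Keyword matching of this kind is deliberately crude; its value is in surfacing the same signals the checklists above tell a person to look for, so that the "seek confirmation by another channel" step happens before anything is clicked or paid.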
Further to the advice provided above, always practice the following:
- Report any suspicious emails to your manager/IT support.
- Install reliable spam filtering software to reduce the number of phishing emails that reach your inbox.
- Prioritize training your employees in cybersecurity and phishing attacks so they become wary and vigilant of malicious emails that could potentially harm the business.
- If you are unsure whether an email really comes from the source it claims, always seek confirmation before acting on it.
About the Author
Danielle Skinner is a marketing executive at Aspect IT. Founded in 2003 by IT professionals Ian Howarth and Peter Dorotiak, Aspect IT offers a variety of IT services to businesses across Greater Manchester. Since its inception, the firm has assisted hundreds of SMEs with IT support, network security, web design, e-commerce and software development.