Phishing Attacks: Key advice for SMEs
Phishing attacks, where cybercriminals mimic legitimate sources via email or social media, are prevalent in Australian sectors such as government, healthcare, and IT. Reported losses from such attacks against SMEs have ranged between $45,000 and $97,000.
For businesses of all sizes, risk is inevitable. How you manage those risks can set you apart in your industry. With increasing cybercrime, SMEs will always prove to be a lucrative target.
Steps you can take to prevent phishing attacks
Educate Your Employees And Staff
To protect against phishing, it’s vital to empower your team and clients with knowledge.
- Educate them on recognizing phishing signs and the risks involved.
- Share best practices for avoiding and reporting such attacks.
- Give clear guidelines on how to verify the authenticity of emails and messages from your company.
Implement a Robust Email Security System
A sound email security system can help you filter out spam and malicious emails and prevent them from reaching your customers or staff. You should:
- Use encryption, authentication, and digital signatures to secure your email communications.
- Implement rule-based filtering to remove unverified and unwanted emails and texts.
- Monitor your email domains and addresses for any signs of spoofing or compromise.
Create a Strong Password Policy
It’s essential to strengthen your defence against phishing with robust passwords. Encourage your team and clients to:
- Use complex, unique passwords for each account, mixing numbers, characters, and symbols.
- Change passwords regularly and keep them confidential.
Reinforce these habits by rolling out a password manager across your organisation, which makes complex, unique and regularly updated passwords practical to maintain.
Account Compromise
Target Employee
The attacker may combine tactics such as phishing and malware to gain access to the account of an employee with financial responsibilities.
Goal of Attacker
To compromise an employee’s legitimate business email account, then send invoices to outside vendors requesting payment into a fraudulent bank account.
Signs to look out for
- Unrecognised sent or deleted emails
- Mismatch of bank details on invoices
Lawyer Impersonation
Target Employee
This attack initially targets lawyers to penetrate a business on the law firm’s client list.
Goal of Attacker
To compromise a legitimate law firm’s email account to access their client list and request billed hours to be paid to a fraudulent bank account.
Signs to look out for
- Out-of-the-blue request for lawyer’s fees
- Different bank details from the previous transfer
- Unusual tone in the email or a sense of urgency for payment
Many of the above scams share the same attack features but are delivered with a different compromise goal in mind. As attackers and their techniques become more sophisticated, further BEC variants will continue to emerge.
How do you defend against BEC Attacks?
The best line of defence starts with ensuring all employees, from top to bottom, understand the kind of risks that are out there. On top of this, it’s essential to have a range of tight-knit security controls and policies in place to mitigate incoming threats.
Here are some tips to secure your business against BEC attacks.
- Secure your domain by ditching free web-based email for a company domain
- Add layers of security for email accounts through Multi-Factor Authentication (MFA)
- Be cautious of unknown emails, links, and attachments
- Guard your domain by registering variations of your business name to protect against spoofing
- Always verify every sender’s address for irregularities
- Forward emails where possible, including relevant cc’d parties
- Limit oversharing on social media and websites
- Verify transfers before sending with trusted contacts
- Watch for abrupt changes in customer or vendor habits
- Keep up to date with scam types and trending cyber attack vectors
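Two of the tips above, verifying every sender’s address for irregularities and registering look-alike variations of your domain, can be partly automated at the mail gateway or in a helpdesk triage script. The following is an added example (not code from the article or from LEAP Strategies) that inspects a raw message’s From and Reply-To headers for a mismatched reply domain, for mail claiming to come from a defensively registered variant that should never send, and for look-alike domains that imitate the company domain through character substitutions. The company domain, the registered variants and the sample messages are constructed placeholders.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: the organisation's real sending domain and the
# look-alike variants it has registered purely to block spoofing.
COMPANY_DOMAIN = "example-strategies.com.au"
REGISTERED_VARIANTS = {"examplestrategies.com.au", "example-strategies.com"}

# Substitutions commonly used in look-alike domains, folded back to the
# character they imitate before comparison.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain: str) -> str:
    """Lower-case a domain and undo common look-alike substitutions."""
    d = domain.lower()
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d


def domain_of(header_value: str) -> str:
    """Extract the domain part of an address header such as 'Name <user@host>'."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_message: str, threshold: float = 0.85) -> list[str]:
    """Return a list of sender irregularities found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    findings = []
    # A Reply-To pointing at a different domain diverts replies away from the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_domain and from_domain != COMPANY_DOMAIN:
        if from_domain in REGISTERED_VARIANTS:
            findings.append(f"From domain {from_domain} is a registered variant that never sends mail")
        else:
            # Compare after normalisation so 'exarnple' (r+n) is judged against 'example'.
            ratio = SequenceMatcher(None, normalise(from_domain), normalise(COMPANY_DOMAIN)).ratio()
            if ratio >= threshold:
                findings.append(f"From domain {from_domain} closely resembles {COMPANY_DOMAIN} ({ratio:.2f})")
    return findings


if __name__ == "__main__":
    # Constructed sample: a BEC-style message with a look-alike sender and a diverted reply address.
    sample = "From: Jane CFO <jane@exarnple-strategies.com.au>\nReply-To: accounts@mail-invoices.net\n\nPlease pay the attached invoice today.\n"
    for finding in check_sender(sample):
        print("WARNING:", finding)
```

The similarity threshold is a tuning choice; genuine vendor domains score well below it, while single-character typosquats and homoglyph swaps score close to 1.0 once normalised.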
Conclusion
As technology and cyber criminals evolve, SMEs must adapt to the ever-changing cyber threat landscape. Fostering a cyber-secure and conscious culture within your team is critical in protecting your business from cybercriminals. You should also pair this with a concrete incident response plan.
In essence, the emphasis on cyber resilience underscores the Australian government’s commitment to ensuring business continuity and protecting its citizens’ digital assets and information. The digital future is bright only if we do our due diligence.
Want to protect your company against Phishing attacks? Get in touch with our team at LEAP Strategies today.