In our ongoing series with the National Cyber Security Centre, this blog offers guidance on how to identify and report suspected phishing scams to keep your small business safe online.
How to identify and report suspected phishing emails
Training your users – particularly in the form of phishing simulations – is the layer that is often over-emphasised in phishing defence. Your users cannot compensate for cyber security weaknesses elsewhere. Responding to emails and clicking on links is a huge part of the modern workplace, so it's unrealistic to expect users to remain vigilant all the time.
Spotting phishing emails is hard, and spear-phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.
How do I do this?
Make it clear that phishing messages can be difficult to spot, and you don't expect people to be able to identify them 100% of the time. Never punish users who are struggling to recognise phishing emails; it's a bad idea for many reasons. Users who fear reprisals will not report mistakes promptly, if at all.
Training should encourage your users' willingness to report future incidents, and reassure them that it is OK to ask for further support when something looks suspicious. This message needs buy-in across all departments including HR, support and senior management.
Ensure that your users understand the nature of the threat posed by phishing, especially those departments that may be more vulnerable to it. Customer-facing departments may receive high volumes of unsolicited emails, whereas staff authorised to access sensitive information, manage financial assets, or administer IT systems will be of greater interest to an attacker (and may be the target of a sophisticated spear-phishing campaign). Ensure these more vulnerable staff are aware of the risks, and offer them additional support.
Help your users spot the common features of phishing messages, such as urgency or authority cues that pressure the user to act. CPNI’s ‘Don’t Take the Bait!’ campaign provides a range of materials to deliver security messages on this topic.
Using phishing simulations will not make your organisation more secure. Some companies have user training that gets the participants to craft their own phishing email, giving them a much richer view of the techniques used. Others are experimenting with workshops, quizzes and gamification, making a friendly competition between peers (rather than an 'us vs them' situation with security).
Make it easier for your users to recognise fraudulent requests
Attackers can exploit processes to trick users into handing over information (including passwords) or making unauthorised payments. Consider which processes could be mimicked by attackers, and how to review and improve them so phishing attacks are easier to spot.
In addition, think about how the emails you send to suppliers and customers will be received. Can your recipients easily distinguish your genuine email from a phishing attack? After all, their users (like yours) cannot be expected to look for and recognise every sign of phishing. Don't assume providing personal information will verify your identity; stolen or researched information is used by phishers to make their emails more convincing.
How do I do this?
Ensure staff are familiar with the normal ways of working for key tasks (such as how payments are made), so they're better equipped to recognise unusual requests.
Make processes more resistant to phishing by ensuring that all important email requests are verified using a second type of communication (such as an SMS message, a phone call, logging into an account, or confirmation by post or in person). Other examples of changing processes include using a different login method, or sharing files through an access-controlled cloud account, rather than sending files as attachments.
Think about how your outgoing communications appear to suppliers and customers. Is the recipient expecting an email, and will they recognise your email address? Do they have any way of knowing if links are genuine?
Consider telling your suppliers or customers what to look out for (such as 'we will never ask for your password', or 'our bank details will not change at any point'). This gives the recipient another chance to detect a phish.
Create an environment that encourages users to report phishing attempts
Building a culture where users can report phishing attempts (including ones that are clicked on) gives you vital information about what types of phishing attacks are being used. You can also learn what type of emails are getting mistaken for phishing, and what impact this might be having on your organisation.
How do I do this?
Have an effective process for users to report when they think a phishing attempt may have made it past your organisation’s technical defences. Is the process clear, simple and convenient to use? Do users have confidence that reports will be acted on?
Quickly provide feedback on what action has been taken, and make it clear that their contributions make a difference.
Think about how you can use informal communication channels (through colleagues, teams, or internal message boards) to create an environment where it is easy for users to ‘ask out loud’ for support and guidance when they may be faced with a phishing attempt.
Avoid creating a punishment or blame-oriented culture around phishing. It is important that users feel supported to come forward even when they have ‘clicked’ and later believe that something may be suspicious.