
Phishing: Protect your business against the most common form of cyber-attack

Posted 4th July 2023

Phishing attacks continue to plague businesses and individuals, with cyber criminals seemingly tireless in their attempts to capture passwords, harvest personal information, steal money and infect business systems.  

According to the government's Cyber Security Breaches Survey 2022, phishing was by far the most common attack reported: 83% of UK businesses that identified an attack in 2022 said it involved phishing. This type of social engineering attack – where attackers send messages that impersonate a trusted organisation or colleague, typically from spoofed senders or look-alike domains, to capture personal information, passwords or money – was also considered the most disruptive type of attack by 63% of businesses.

And while the initial attack can be disruptive enough, phishing attacks can have much wider consequences for businesses. According to IBM's Cost of a Data Breach Report 2022, phishing was the second most common initial attack vector behind data breaches, and breaches that began with phishing cost an average of $4.91m.

Most businesses are aware of the threat posed by phishing and have taken steps to mitigate the risks. But as hackers use more elaborate methods to target users, and users become more vulnerable through remote and hybrid working, businesses need to prioritise proactive cyber defence, not only educating their teams around the various phishing techniques, but ensuring robust protection for endpoints and best-practice cyber security with Cyber Essentials certification.  

What are the different types of phishing attack?  

Phishing 

Thousands of users are targeted at once via email sent from spoofed addresses or look-alike domains that mimic real organisations, with the aim of stealing passwords, money, account access or other personal information. Volume, not accuracy, is the point: the same message goes to everyone, and a small fraction of clicks is enough to make it pay.

Spear phishing 

Essentially phishing 2.0, these attacks are less generic and typically incorporate personal details such as the victim’s name, job role or place of work in order to seem more authentic and foster trust. 

Whaling 

Potentially one of the most lucrative types of phishing attack for cyber-criminals, whaling targets senior executives, either stealing their login details or impersonating them, so that a fraudulent payment request or wire transfer to the criminal's account appears to have been approved from the top. Enabling multi-factor authentication across all financial authorisation processes helps combat whaling attempts, but the decisive control is procedural: any change of supplier bank details or urgent transfer request should be verified out of band, by calling a known number, and should need a second approver regardless of who appears to have sent it.

Angler phishing 

Carried out over social media. The classic form is a fake customer-service account that replies to people who have complained publicly about a brand and steers them to a malicious link or a form that harvests login and payment details; the broader form is an instant message or post that encourages users to download malware or share sensitive information. Angler attacks can be highly targeted, because criminals exploit what victims have already posted to make messages more personal and appear more trustworthy. A strong and clearly communicated social media policy, and a habit of dealing only with a company's verified accounts, are important to combat angler attacks.

Vishing 

Not all phishing happens online – vishing attacks see criminals telephoning their victims, often pretending to be technical support or the bank, claiming the user's account has been breached and asking them to 'confirm' their credentials or read out a one-time passcode. Caller ID is easily spoofed, so the call may appear to come from a local number or even from the organisation's own switchboard; a displayed number proves nothing. Cloud-based telephone systems can help by flagging suspicious caller IDs, but the reliable defence is a rule that staff never give credentials or codes to an inbound caller, and instead hang up and call back on a number they already know.

Smishing 

Text messages are used to send malicious links to victims. These links typically trigger a malicious app download, present the user with a data-stealing form, or persuade them to contact a fake tech support line and divulge their personal details. Awareness training around messages from unknown numbers, and clear rules on when account information may be shared, are the best lines of defence against smishing.

Man-in-the-Middle attacks 

This type of attack generally involves three parties: the victim, an unsuspecting third party, and the attacker. The attacker intercepts a genuine communication between the other two, either eavesdropping on a telephone conversation to capture the victim's credentials or intercepting and possibly altering emails or chat to redirect the victim to a fake website, where they are persuaded to input their details. The modern form is an adversary-in-the-middle phishing site that proxies the real login page in real time: the victim sees the genuine service, their password and one-time code are relayed straight through to it, and the attacker keeps the session cookie that comes back. Because the code is used once and passed on, SMS and app-based one-time codes do not stop this; phishing-resistant MFA such as FIDO2 security keys or passkeys does, because the key is bound to the genuine site's origin and will not sign for the proxy's domain.

Content spoofing 

This type of attack sees a hacker present a fake but legitimate-looking website to the victim, with the aim of capturing their credentials. If the user submits sensitive information that relates to business processes or workflows, this can have serious consequences for the organisation. Web filtering that blocks known and newly registered malicious sites is a critical security measure, and awareness training can help users identify fraudulent websites: check the address bar, not the page branding.

Link manipulation 

Another way cyber-criminals mine user credentials is by making a link look as though it leads to a legitimate website when it does not: the visible text of the link shows the real address while the underlying target points elsewhere, or the target uses a look-alike domain (micros0ft, rnicrosoft), a brand name as a subdomain of an attacker-owned domain, a 'user@host' URL whose real host is the part after the '@', or non-Latin characters that render like the brand's name. They then send a legitimate-looking email to the victim, encouraging them to click. Most such links lead to a credential-harvesting page; some lead to a download that installs malicious code on the victim's device, which can go on to infect other business systems. Hovering over a link to reveal its real target, and reading the domain from right to left, catches most of these tricks.
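The checks a mail gateway or a curious analyst would apply to a link, as an added example that is not code from the original article or from BCN. It takes the text a link displays and the URL it really points to, and reports the tricks described under Phishing and Link manipulation above: display/target mismatch, a 'user@host' URL, a raw IP host, a punycode (IDN) host, a brand name used as a subdomain, and digit-for-letter substitutions against an allow-list of brand domains. The allow-list, the sample links and the simplified registrable-domain rule are assumptions made for the example; a production tool would use the Public Suffix List.

```python
"""Spot link-manipulation tricks in the links a phishing email carries (added example)."""
import re
from urllib.parse import urlsplit

# Hypothetical allow-list: domains the organisation legitimately links to.
# The three below are only for the example; replace with your own.
TRUSTED_DOMAINS = {"bcn.co.uk", "microsoft.com", "paypal.com"}

# Digit-for-letter swaps attackers use to build look-alike host names.
_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_SECOND_LEVEL = {"co", "org", "ac", "gov", "net"}
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# A domain written in the visible link text, e.g. "https://www.paypal.com/verify".
_DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def registrable_domain(host: str) -> str:
    """Owner-level domain: the last two labels, or three for forms such as
    example.co.uk. A simplification; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _looks_like(label: str, brand: str) -> bool:
    """True when a host label imitates a brand label once common swaps are undone."""
    norm = label.lower().translate(_SWAPS).replace("rn", "m").replace("vv", "w")
    return label.lower() != brand and (norm == brand or brand in norm.split("-"))


def analyse_link(display_text: str, href: str) -> list[str]:
    """Return human-readable findings for one link; an empty list means nothing odd."""
    findings: list[str] = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {parts.scheme!r}")
        return findings
    if "@" in parts.netloc:
        # Everything before '@' is treated as a username; the real host follows it.
        findings.append(f"credentials before '@': the browser actually goes to {host}")
    is_ip = bool(_IPV4_RE.fullmatch(host))
    if is_ip:
        findings.append("host is a raw IP address, not a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode hides non-Latin letters that render like the brand's name.
        try:
            rendered = host.encode("ascii").decode("idna")
        except UnicodeError:
            rendered = "?"
        findings.append(f"punycode host {host} renders as {rendered!r}")

    actual = host if is_ip else (registrable_domain(host) if host else "")
    shown = _DOMAIN_RE.search(display_text.lower())
    if shown and actual:
        displayed = registrable_domain(shown.group(1))
        if displayed != actual:
            findings.append(f"text shows {displayed} but the link goes to {actual}")

    if actual and actual not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if f".{trusted}." in f".{host}.":
                findings.append(f"{trusted} appears as a subdomain of {actual}")
            elif _looks_like(actual.split(".")[0], trusted.split(".")[0]):
                findings.append(f"{actual} looks like {trusted}")
    return findings


def is_suspicious(display_text: str, href: str) -> bool:
    return bool(analyse_link(display_text, href))


# Constructed sample links of the kind a phishing email carries (not from real campaigns).
SAMPLES = [
    ("https://www.paypal.com/verify", "https://www.paypal.com@evil-host.net/login"),
    ("Sign in to Microsoft 365", "https://login.micros0ft-secure.com/auth"),
    ("PayPal", "https://paypal.com.security-check.net/"),
    # Cyrillic 'а' (U+0430) in place of Latin 'a', encoded as a browser would send it.
    ("PayPal", "https://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/signin"),
    ("Reset password", "http://203.0.113.5/reset"),
    ("BCN portal", "https://portal.bcn.co.uk/login"),
]

if __name__ == "__main__":
    for text, url in SAMPLES:
        flags = analyse_link(text, url)
        print(f"{'SUSPECT' if flags else 'ok     '} {url}")
        for flag in flags:
            print(f"          - {flag}")
```

Run as a script it prints one SUSPECT or ok line per sample with the reasons beneath; only the BCN portal link comes back clean. The same function can be fed every anchor extracted from an inbound message, with the mail's own text as the display string, to produce the kind of "this link does not go where it says" warning that users respond to.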

Pharming 

Pharming is a more technical type of phishing attack and can be difficult to detect. Rather than targeting users directly, pharming targets name resolution: the DNS servers (or a device's local hosts file) that translate a readable domain name into the IP address a browser connects to. By poisoning those answers, the attacker sends visitors who typed the correct address to a fake website that captures their credentials and data. Using a DNS resolver that validates DNSSEC and filters known malicious domains, and treating browser certificate warnings as a stop sign rather than a nuisance, limits the damage.

How to combat phishing attacks 

Prioritise training and awareness 

Because phishing works by preying on human vulnerabilities and emotions, the first and best line of defence against this type of attack is a workforce that is educated, aware and trained in staying safe online. You can install firewalls, limit access and draw up the strictest security policies and procedures, but all it takes is for one worker to click on one link in a phishing email and a cyber-criminal can breach your systems and bring your business to its knees. Your teams are the gatekeepers to your systems, and they need to be trained in how to perform that role effectively. 

Cyber security and awareness training for teams should be in-depth and regular, and at the very least should include training around how to identify and respond to potential attacks, and what to do if they accidentally click on a malicious link. 

With the rise in remote working and BYOD policies, teams should feel equipped and empowered to work safely from anywhere, whether that's with practical tools like anti-virus, firewall and endpoint protection, awareness around the latest attacks, or training on using strong, unique passwords and keeping home WiFi routers and personal devices up to date.

Businesses also need to ensure they are fostering a culture of open and honest communication so that, in the event somebody does fall victim to a phishing attack, they feel confident and able to tell somebody about it. Reassure your teams they can come to you if something happens, and reiterate the importance of them doing so. 

By prioritising education, promoting strong cyber security practices and fostering a culture of awareness and open communication, businesses can significantly reduce the risks posed by phishing attacks and fortify the overall security of their systems. 

Protect your endpoints 

The increased number of connected devices in the workplace has undoubtedly made life easier for teams and brought benefits for businesses, but these are all additional endpoints which, if unprotected, leave networks and systems vulnerable. Ensuring all endpoints are protected against attack means securing all the devices, desktops and laptops users can access business networks from.  

Endpoint security has evolved massively in recent years, from traditional anti-virus installed on individual desktops to network-wide, cloud-based protection against sophisticated malware and evolving zero-day threats. Endpoint Detection and Response (EDR) solutions can be deployed across all devices to quickly detect, analyse, block and contain what follows a successful phishing click – the dropped malware, the credential-stealing process, the attempt to move to other machines – and they work with other security technologies to enhance threat visibility, speed detection and ultimately help businesses better defend themselves.

Cyber Essentials certification 

The UK's National Cyber Security Centre provides fantastic guidance for businesses around protecting themselves against common cyber threats, including a 10 Steps to Cyber Security framework to keep systems, data and users safe, and specific advice for small businesses.

For most businesses, one of the surest ways to ensure resilience in the face of an increasing cyber threat is to seek Cyber Essentials certification. This government-backed scheme ensures cybersecurity best practices are being deployed across the organisation, with the certification process giving businesses an opportunity to identify any weakness or vulnerabilities and take steps to shore up their defences.  

Cyber Essentials covers five technical controls – firewalls, secure configuration, user access control, malware protection and security update management – and ensures that, in the event someone in your team does fall victim to a phishing attack, the fallout can be contained and the impact minimised.

As a Cyber Essentials certification body, BCN can help your business get ready for assessment. We'll perform an audit of your entire IT infrastructure, identifying any vulnerabilities or issues in your systems so these can be addressed prior to the formal audit. We believe Cyber Essentials certification is the best way for businesses to defend themselves against a growing cyber threat while offering assurance to customers and partners that you take cyber security seriously.

Start your journey to accreditation and better cybersecurity today

Register for a Cyber Essentials readiness assessment.

Get in touch