Protect Your Firm from Phishing Scams
Email scams, particularly ‘phishing’ attempts, are nothing new, having been around for over 25 years. However, with a recent upsurge in reported cases, retaining our vigilance as an Alliance is paramount, as is continuing to communicate about the risks. The pandemic-era rise of online scams has continued, with threats both new and familiar, so enhancing protection has never been more important.
Malicious emails are not always as obvious as they used to be. A known scam is to pose as someone the recipient may know and trust within the same network or alliance of firms. The email will then suggest that a mutual acquaintance is in some need – for example, they are stuck at the airport, they have been robbed, they have a family emergency or similar. Of course, the only way to fix this “problem” is to wire this “mutual friend” a sum of money. While this may seem transparent on paper, the attempts can be both persistent and extraordinarily convincing.
Another scam that we have seen involves finding public-domain information about an individual, then using that information to claim, for example, that they owe someone money, or that the person has a parcel waiting for them that they must pay for. This may take the form of calls to your work phone, the targeting of your work email or your social media profiles. Again, the interconnectivity of an alliance and the sharing of information increase the risk of this ruse actually being successful. Scammers know that the commonly used methods are becoming well-known and get ever more creative.
The collaborative trust of the Praxity Alliance could indeed be a fertile hunting ground for scams such as these. Other alliances are reporting these attempts happening with greater regularity. They may appear to be harmless requests from a colleague or friend, but on closer inspection reveal themselves to be fraudulent and malicious, using fake email addresses to gain sensitive information.
Identifying a Phishing Attempt:
Recognising various types of phishing scams is the primary way to defend your business. These scams can include a range of tactics, spanning from financial appeals to seemingly legitimate service providers requesting your engagement in specific tasks.
Check the email address:
Firstly, when receiving an email that is unusual, or requesting any unsolicited favour or task, double check the email address attached to the account. If it has not come from the individual’s usual domain, it may be an attempt to benefit from your firm. Some attempts use email addresses that are one or two characters different to the original owner’s, so keep a look out for unusual or unexpected characters.
Contact your Service Providers:
If an unsolicited email lands in your inbox from a service provider, particularly if this email requests that you open a link or scan a QR code, double check the link by hovering over it and viewing the website address before clicking. It’s always good practice to check these before you open them, as it may be an attempt to steal your password or other sensitive information. Never download software, click links or scan QR codes without first taking a pause.
Official requests from providers are highly unlikely to ask for personal information via email or require you to complete a task you have not requested. They will rarely ask that you enable macros, adjust security settings, or install applications. If in doubt, contact your service provider via the usual channels and ask them to confirm the email is from their team before completing any requests.
What Member Firms are Doing
Praxity member firms have long recognised the need to have safeguards in place. UK firm Shorts has put in measures to protect its IP address, with increased monitoring and auditing. It has also introduced Domain Name System filtering to provide an extra layer in the fight against malware. This provides keyword blocks to unsavoury types of websites, while helping to monitor internet traffic.
Further to this, in a move that turns phishing methods against their users, the firm has introduced a ‘honeypot’ tool, a network-attached system which provides a decoy to lure cyber attackers away from legitimate targets. The system detects, deflects and studies attempted hacks on dummy services with poor security, not only turning hackers away from core systems, but finding the methods they use.
Brazilian member firm VBR has developed a joint venture with Israeli consultancy CyberTeam 360 to devise a range of “treatments” for companies of all sizes and at different stages of their cybersecurity journey, from evaluation of the current security status through to protection of data from advanced attacks. This includes an evaluation tool, an advanced ‘Quick Cyber Security Assessment’ tool with a tailored treatment plan for improvements, as well as a virtual Chief Information Security Officer (vCISO) to manage cyber security on a customisable, scalable basis.
Almost all firms will have cybersecurity measures in place, with the whole industry recognising a need to stay a step ahead of criminal activity.
Protecting Against Phishing Attempts:
There are simple steps that you can take to help protect your firm and your work:
Email Filters and Scanners
Most email services now employ advanced filters that can identify potential phishing emails by analysing the sender's address, content, and links. These tools can automatically divert suspicious emails away from your inbox, giving you an extra layer of protection. Some attempts can slip through these defences, so adopting a second level of security is highly advised.
Antivirus and security suites are the digital bodyguards for your devices, scanning websites, emails, and downloads for potential threats, including phishing attempts. There are multiple options for security software that your company can implement, with many specialisations.
Multi-Factor Authentication (MFA)
MFA adds an extra lock to your accounts. Even if someone manages to steal your password, they can't access your account without an additional authentication step, such as a text message, fingerprint scan or app-generated code.
Keep Software Updated
The latest versions of software include the latest security measures. Regularly update your operating system and security software to ensure you have the latest defences against emerging threats.
If you suspect that an email is a phishing attempt, the first thing to do is mark the email as a scam. This will help train your email provider’s filtering system to identify these types of emails, whilst also blocking future attempts from this account.
Do not open any links or complete any tasks requested by email if you are suspicious. If in doubt, it is always best to double check the authenticity of the email by contacting the sender through another method, e.g., text, phone call or office email address. Checking the email address against the authentic one, or hovering your cursor over any links, might reveal that all is not what it purports to be.
Report the attempt to your server provider or IT maintenance team. They will be able to block the account from your company’s server to prevent colleagues receiving similar attempts from the same individual. However, they will not always be able to prevent attempts reaching your inbox, so it’s important to tell your colleagues about the warning signs.
Imagine your device as a door to your office; you would not leave it wide open to thieves. A computer, smartphone or tablet should remain secured, with the latest tools protecting it. By staying aware and vigilant, using appropriate security tools and adopting smart online habits, your firm can navigate the digital landscape with confidence.