For SME owners, cyber-security is usually right at the top of your support shopping list. Never has this been more apparent than in recent months – where reports of data breaches and ransomware attacks have hit the UK headlines.
In August, the government issued a warning after people had received emails purporting to originate within the Ministry of Defence, attempting to make contact or seeking money. It’s exactly this kind of social engineering which cyber-criminals are employing, in order to hook their victims.
Because these attackers play on the public’s trust in those holding senior positions, SMEs need to be savvy to a new breed of attacker: those relying on the ‘Colonel Effect’.
What is the ‘Colonel Effect’?
In short, this is a technique which exploits the chain-of-command within an organisation, by leading a lower-ranked employee to believe they are required to give their personal or financial information to a senior member of the team.
The hierarchical nature of almost every business makes it an ideal target for a phishing attack. And, by helpfully advertising the operational structure online – whether on a company website or a personal social media page – businesses hand cyber-criminals all the information they need to launch their attack.
How do phishing attacks work?
Usually, an email will be delivered to an employee as though it has been sent from the CEO or a member of the HR team. The content asks the recipient to share details with a new supplier, or to transfer money into an account.
By playing on human behaviour rather than weaknesses in technical infrastructure, cyber-criminals can coerce individuals to impart their personal details, by posing as a person in a position of power.
How can I stop a phishing attack in my business?
The success of a phishing attack using the ‘Colonel Effect’ principle relies heavily on a business having poor internal communication, or on a smarter organisation where employees are familiar with the MD but do not necessarily have an open line of communication with them.
While more robust cyber-security software can help SMEs to combat the problem, it is also vital to have internal measures in place which assist in flagging, addressing and communicating potential threats.
- Internal communications – empowering employees to question a suspicious email will provide an extra level of protection. Ensure your team know who the go-to person is if they feel concerned.
- Check your links – it’s always worth typing the URL directly into your browser to be sure the name or link in the message doesn’t divert you to a nasty website.
- Look at the email address – although, at first glance, an email might look genuine, you’ll usually spot some anomalies if you look closer. The formatting of the sender’s account is often a giveaway – it will mimic the style but not be identical. Your email may be firstname.lastname@example.org and the scammer may use something very similar, such as email@example.com.
- Avoid public Wi-Fi – whether you’re between meetings on public transport, or taking a break in a café, never use unknown or public Wi-Fi without a password. Insecure connections are easy pickings for cyber-criminals, who can redirect you to phishing pages without you realising it while you browse the internet.
- Bolster your basics – make sure your IT provider is looking after all elements of your cyber-security. Keep all systems current with the latest security patches and updates, and install a spam filter to capture any unwanted mail.
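The two checks above that can be automated – comparing the sender’s address with the style it mimics, and comparing where a link says it goes with where it actually goes – are shown below as an added example. This is not code from the original article; the organisation domain, the list of senior staff and the sample email are all constructed for the illustration, and a real deployment would load them from the mail system rather than hard-code them.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: the organisation's own domain and the senior
# colleagues whose names a 'Colonel Effect' message would borrow.
ORG_DOMAIN = "example.org"
SENIOR_STAFF = {"jane smith": "jane.smith@example.org"}  # display name -> genuine address


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_warnings(from_header: str) -> list[str]:
    """Reasons the From: header looks like a mimic of the organisation rather than a genuine sender."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender has no parseable email address"]
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return []  # genuinely internal: nothing to flag on the domain alone
    warnings = []
    # Near-miss lookalike (examp1e.org for example.org): within two edits of the real domain.
    if edit_distance(domain, ORG_DOMAIN) <= 2:
        warnings.append(f"sender domain '{domain}' is a near-miss for '{ORG_DOMAIN}'")
    # Real domain embedded in a longer, unrelated one (example.org.mail-secure.com).
    elif ORG_DOMAIN in domain:
        warnings.append(f"sender domain '{domain}' embeds '{ORG_DOMAIN}' but is not it")
    # Display name of a senior colleague paired with an address that is not theirs.
    key = name.strip().lower()
    if key in SENIOR_STAFF and addr.lower() != SENIOR_STAFF[key]:
        warnings.append(f"display name '{name}' matches a senior colleague but address is '{addr}'")
    return warnings


_ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def link_warnings(html_body: str) -> list[str]:
    """Flag anchors whose visible text shows one host while the href points at another."""
    warnings = []
    for href, inner in _ANCHOR.findall(html_body):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        if not _LOOKS_LIKE_URL.fullmatch(text):
            continue  # plain wording such as 'click here' cannot be compared
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        actual = urlparse(href).hostname or ""
        if shown.lower() != actual.lower():
            warnings.append(f"link text shows '{shown}' but goes to '{actual}'")
    return warnings


def _body_text(msg) -> str:
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyse(raw_email: str) -> dict[str, list[str]]:
    """Run both checks over a raw RFC 822 message and group the findings."""
    msg = message_from_string(raw_email)
    return {
        "sender": sender_warnings(msg.get("From", "")),
        "links": link_warnings(_body_text(msg)),
    }


# Constructed sample message: a senior name, a one-character lookalike domain and a
# link whose visible text differs from its real destination.
SAMPLE_EMAIL = """\
From: "Jane Smith" <jane.smith@examp1e.org>
To: tom.jones@example.org
Subject: Urgent: supplier payment approval
Content-Type: text/html; charset=utf-8

<p>Tom, please confirm the new supplier details before 5pm.</p>
<p><a href="http://login.examp1e.org/verify">https://portal.example.org/</a></p>
"""

if __name__ == "__main__":
    for section, findings in analyse(SAMPLE_EMAIL).items():
        for finding in findings:
            print(f"[{section}] {finding}")
```

The edit-distance threshold of two is a deliberate trade-off: it catches single-character swaps and added hyphens or digits without flagging every unrelated domain, and anything it does flag is still handed to a person to confirm, which is the go-to-person step described above.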
If – after all that – you’re still unsure whether an email is genuine, play it safe and never enter your personal details. If you think you’ve input your name and password into a fake portal, immediately change your password.
For more advice on cyber-security, read our dedicated web page where you can also request a free cyber-security audit for your business.