At Cultrix, we keep a close eye on developing risks and threats to businesses so that we can put any necessary measure in place, and distribute the appropriate advice.

Phishing attacks on the rise – how to stay safe

Our role is to protect you

We provide IT support to enable businesses to operate effectively, safely and compliantly. But no amount of IT support can protect you from a phishing attack.

Just because you have IT support doesn't mean you are 100% secure, because there's no such thing. Security is, and always will be, best endeavours, because phishing can take place without ever needing access to your device.

What is phishing?

Phishing is where cybercriminals trick victims into handing over sensitive information or money, or into installing malware. Often they do this via malicious emails that appear to be from trusted senders, but sometimes they use other means. For more information, please see.

Our advice

We are seeing an increase in phishing attacks in which clients receive emails, texts, calls or even letters pretending to be from a supplier or client.

Be vigilant

If a client or supplier contacts you saying they are changing their bank account details, asking for information you hold about them, requesting a money transfer to an account or a password reset, or anything else that involves their data, access or other assets, our best advice is:

Pick up the phone and confirm with them that they did send that instruction and that the details provided are correct - do not take their request at face value.

Ask yourself, "How do I know this person is who they say they are?"

Things not to do

  • Don't ring the phone number provided in the email signature unless you know it's correct, as that could have been changed too.
  • Don't reply to a suspect email asking for confirmation. We're seeing a lot of scams where the criminals write from an address that appears to be a trusted sender but changes when you hit reply, or that looks like a trusted sender's address but contains an easy-to-miss typo. It could even come from the correct email address if the person at the other end has had their account compromised.
  • If you receive an email about one of your accounts saying things like your mailbox is full, you need to review a transaction, change your password, release something from quarantine, or any number of other things that require you to log in somewhere, don't automatically trust the link in the email. Go directly to the service provider's website in your browser and log in there.
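The two email tricks described above (a Reply-To address that differs from the displayed sender, and a sender domain that is a one-or-two-character typo of a genuine supplier's domain) can be checked mechanically. The script below is an added illustration, not Cultrix's tooling or part of the original article; the trusted domains and the sample messages are constructed for the example. Note that, as the article says, a message sent from a genuinely compromised account produces no finding here, which is why the phone call is still the real check.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Assumption: the supplier/client domains this business genuinely deals with.
TRUSTED_DOMAINS = {"acme-supplies.example", "cultrix.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; small distances flag typo lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> List[str]:
    """Return human-readable findings for the sender-address tricks named in the article."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: List[str] = []

    from_dom = domain_of(str(msg["From"]))
    reply_to = msg.get("Reply-To")
    reply_dom = domain_of(str(reply_to)) if reply_to else from_dom

    # Trick 1: the address you would reply to is not the address you were shown.
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from sender domain {from_dom!r}")

    # Trick 2: a domain that is a near-miss of one you trust (e.g. a transposed or swapped letter).
    for dom in {from_dom, reply_dom}:
        if dom in TRUSTED_DOMAINS:
            continue
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < levenshtein(dom, trusted) <= 2:
                findings.append(f"domain {dom!r} looks like trusted domain {trusted!r}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_REPLY_TO_SWAP = (
    "From: Acme Supplies <accounts@acme-supplies.example>\n"
    "Reply-To: accounts@acme-suppiles.example\n"
    "Subject: Updated bank details\n\n"
    "Please use our new account for all future payments.\n"
)

SAMPLE_LOOKALIKE_FROM = (
    "From: Acme Supplies <accounts@acme-supp1ies.example>\n"
    "Subject: Overdue invoice\n\n"
    "Please pay the attached invoice today.\n"
)

SAMPLE_LEGITIMATE = (
    "From: Acme Supplies <accounts@acme-supplies.example>\n"
    "Subject: Statement\n\n"
    "Your monthly statement is attached.\n"
)

if __name__ == "__main__":
    for name, sample in [("reply-to swap", SAMPLE_REPLY_TO_SWAP),
                         ("lookalike sender", SAMPLE_LOOKALIKE_FROM),
                         ("legitimate", SAMPLE_LEGITIMATE)]:
        print(name, "->", phishing_indicators(sample) or ["no indicators"])
```

Running it flags the first message twice (the Reply-To differs from the From, and the reply domain is a near-miss of the trusted one), the second once (the sender domain itself is a lookalike), and the third not at all. A mail filter or a help-desk triage script can apply the same two checks; the edit-distance threshold of 2 is a judgement call and should be tuned against your own supplier list to avoid false alarms between genuinely similar domains.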

“What else can I do?”

  • If you or your staff access company data (including emails) on other devices such as phones, tablets and home computers that are not covered by your IT support agreement, we recommend they are added to it to ensure the fundamentals are covered and additional security policies are applied.
  • Enable two-factor/multi-factor authentication (2FA/MFA) on your logins wherever possible, especially email. By providing a secondary credential in addition to your password you increase the protection on your accounts. 
  • If you use the same password for more than one service, or have written it down or saved it in anything other than a password manager, you are putting that login, and whatever it provides access to, at risk. A password manager helps ensure your logins to all your accounts are different, complex, and unknown to you; a team account can even allow you to share credentials for certain services with multiple team members without them ever knowing what the password is. 
  • There are additional spam filtering products on the market that enhance email phishing protection. 
  • Phishing training, simulations and reporting on an ongoing basis can help educate your team.

Further information

It’s important for all businesses and organisations to be aware that scammers are getting incredibly sophisticated and brazen in their methods.

If you have any questions about your setup and vulnerabilities, want to check anything with regard to any aspect of cybersecurity, get in touch with us or your own IT support provider.

Remember: prevention is the only cure; once the money or data is gone in a phishing attack, there's no guarantee you'll get it back and even if you do, there's a longer lasting impact on your reputation.