Shooting phish in a barrel - 4 ways to protect your company

Our customers often ask us to ‘take a look at’ a suspicious email that’s been received, and we’re only too happy to do so. There are lots of mechanisms in place to block infected emails (i.e. emails whose attachments are themselves infected) and also spam emails.

But if an email contains an uninfected attachment, it will pass the antivirus test. If it has been sent to only one recipient and contains few ‘trigger’ words or phrases that would automatically mark it as spam, then it has a reasonable chance of reaching the end user.

Take a look at the email below. This is a real message received by one of our customers (though the names have been changed). It did contain an attachment, as detailed in the message, but the attachment was not infected.

This is a phishing email in its purest form. The sender’s address (as shown on the top line) was wrong and is immediately suspicious, but we’re suspicious types and not everyone would notice this. The phrase “Faster Payment Services” is a little clunky perhaps, but everything else looks plausible and reasonable. The addition of “Sent from my iPad” is a nice touch, as it reinforces the message if the member of staff knows that the sender does use an iPad (and lots of people do). It also explains the brevity of the message.

The biggest clue that this is a scam is the request itself. Would the boss forward an invoice to the office for immediate payment?
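The sender’s address is the one clue in the example that can be checked mechanically before a human ever reads the message. The script below is an added example, not part of the original post or any tool the author uses: it parses a From: header and flags the common impersonation patterns (a staff member’s display name on an outside address, an internal-looking address used as the display name, a freemail provider, or a look-alike of the company’s own domain). The company domain, staff directory and sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed values for this example: the company's own domain, a small
# staff directory whose names a scammer might borrow, and freemail
# providers a genuine payment instruction would not normally come from.
TRUSTED_DOMAINS = {"example-company.co.uk"}
KNOWN_STAFF = {"jane boss": "jane.boss@example-company.co.uk"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def edit_distance(a, b):
    """Levenshtein distance; used to spot domains one or two characters out."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(from_header):
    """Return a list of reasons the From: header looks like impersonation.

    An empty list means nothing was found, not that the message is safe.
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable address in From: header"]

    domain = domain_of(addr)
    findings = []
    if domain in TRUSTED_DOMAINS:
        return findings  # internal as far as the header shows

    # 1. Display name borrows a staff member's name but the address differs.
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' belongs to {expected}, but address is {addr}")

    # 2. Display name is itself an internal-looking address.
    if "@" in name and domain_of(name) in TRUSTED_DOMAINS:
        findings.append(f"display name shows an internal address but real sender is {addr}")

    # 3. Freemail provider.
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"freemail domain {domain}")

    # 4. Look-alike of the company's own domain (one or two characters out).
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:
            findings.append(f"domain {domain} looks like {trusted}")

    return findings


if __name__ == "__main__":
    # Constructed sample headers, modelled on the kind of message in the post.
    samples = [
        "Jane Boss <jane.boss@example-company.co.uk>",
        "Jane Boss <jane.boss@gmail.com>",
        "Jane Boss <jane.boss@exampIe-company.co.uk>",
        '"jane.boss@example-company.co.uk" <attacker@mail-relay.net>',
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "no findings")
```

A check like this belongs at the mail gateway or in a mailbox rule that adds a visible banner; it complements the procedural steps rather than replacing them, because a sender address can also be genuinely compromised.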

It’s difficult to develop technical solutions that can prevent this type of attack from succeeding. But there are procedural changes that you can make to reduce your firm’s vulnerability.

1. Print a copy of the example above and stick it on the staff notice board. Some people see these messages every day, but those who don’t are the ones that are most vulnerable.

2. Encourage your staff to double up on decisions. The scammers are trying to bounce your staff into making a snap judgement. Having a culture of double-checking with a colleague reduces the risk considerably.

3. Schedule bank payments a day behind. It’s rare that an invoice needs to be paid immediately, so make the default position that it’s scheduled to be paid the following day, and insist on verbal management approval otherwise.

4. Reward staff who detect these attempts and publicise this within your company.

Phishing is the single most common attack that small businesses face. Tactics may change, but awareness amongst your staff is your best defence.