
In a typical phishing attack, scammers send fake messages to thousands of people, asking for sensitive information (such as bank details) or containing links to fake websites. They can be sent by text, social media or phone but are most commonly received by email. One approach is to send an invoice for a service that was never used, with malware installed silently on the computer when the attachment is opened. Another is to trick staff into transferring money or information by sending emails that look authentic. Phishing emails can be hard to identify and unfortunately some will still get past even the most observant users. However, there are steps that can be taken to lessen the risk of a phishing attack succeeding.

Configuring staff accounts to have the lowest level of user access required for their role will reduce the potential damage of a phishing attack. Only use accounts with administrator privileges for IT admin tasks, such as installing authorised software or updating security settings, and not for everyday work such as reading email or browsing the web. Using two-factor authentication, where provided, can also prevent a security breach: even if a password has been compromised, the attacker will not have the second factor. Be aware that some phishing sites relay one-time codes to the real service in real time, so a hardware security key or passkey gives stronger protection than a code sent by text message.

Making staff aware of the methods used in phishing attacks, and what to do if they receive a suspicious email, will also protect against security breaches. The spelling, grammar and punctuation in phishing emails are often poor. Others try to look official by including logos and graphics, but the design and quality of these can also be poor. Banks are extremely unlikely to ask for login details or passwords by phone or email, and staff should be wary of clicking any link in an email that claims to lead directly to a login page for a bank or other supplier; it is safer to type the supplier's address into the browser or use a saved bookmark.

Be aware that publicly available information about your practice and staff can be used to make phishing messages more convincing. This is often gleaned from your website and any social media accounts (known as your 'digital footprint').

You may also wish to consider setting up a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy for your email domain. DMARC builds on SPF and DKIM and tells receiving mail servers what to do with messages that fail those checks, which makes it much harder for phishers to spoof your domain (that is, to make their emails appear to originate from your organisation). A policy of p=none only reports on spoofed mail; it has to be moved to p=quarantine or p=reject before receiving servers will actually block it.

Configure your practice’s IT systems to reduce the impact of successful phishing attacks
•    Ensure that staff IT accounts only have the level of access required for their role.
•    Provide administrative accounts with extra permissions only to those members of staff who need them and ensure these are only used for administration of the IT system.
•    Enable two-factor authentication where this is offered (e.g. for online banking or email access).

Use email filtering services to send phishing emails to spam/junk folders [1].
•    Be aware that email filtering services are not foolproof, and some suspicious emails will still reach your inbox. Legitimate emails may also be flagged as spam and missed, so check the junk folder periodically.

Train staff to recognise potential phishing attacks and what to do if they suspect the practice has been targeted [2].
•    Try not to blame staff if they unwittingly fall for a phishing scam as it can discourage them from reporting any future attacks.
•    If you suspect a successful attack, scan the affected computer for malware and change the passwords of any accounts that may have been exposed as soon as possible.
•    If you believe that your practice has been the victim of online fraud, scams or extortion, contact Police Scotland on 101. Action Fraud is the fraud and cybercrime reporting centre for the rest of the UK.

Check your digital footprint and ensure that your website and any social media accounts only include essential details about the practice. 

Sources of information

  1. Phishing attacks: defending your organisation (2022) National Cyber Security Centre
  2. Small Business Guide: Response & Recovery (2020) National Cyber Security Centre