How to protect your business and clients from phishing scams
Phishing scams are on the rise as remote working becomes the norm, but there are a number of workable strategies advisers can adopt to protect their business and clients from the threat of these fake offers.
Remote working and a greater reliance on email and the internet amid the global health pandemic have fuelled the rise of cybercrime, including the practice of phishing.
On the latest numbers, $851 million was lost to scams in 2020, according to the Australian Competition & Consumer Commission’s (ACCC) Scam Watch report. This included internet scams with a notable increase in phishing – up 75% compared with 2019.
The data covers consumers, but the threat to businesses, their staff and their clients is just as real as offices shift to the home.
“The workforce is no longer supported by an office environment that includes staff policies and procedures,” StickmanCyber founder and Chief Cyber Security Officer Ajay Unni says.
Unni says workers are now balancing the challenges of working and raising a family during this work-from-home environment, potentially making them vulnerable to phishing attacks.
Phishing typically involves hackers impersonating a business, one of its suppliers or an associate in order to obtain money through fake offers. This is done primarily through email.
“Staff are unable to immediately check with their colleagues whether an email is valid or not and inadvertently click on the suspect email, falling prey to a phishing attack,” says Unni.
Working closely with Australia’s small and medium-sized financial advisory businesses, Unni has seen a significant rise in phishing campaigns.
“In any given month, we get a number of calls where these hackers who gain access to business emails would contact the CEO or financial controller requesting a transfer of funds. These attacks can be either overseas or within Australia,” he says.
Citing data from the Australian Cyber Security Centre (ACSC), Unni highlights that 62% of small businesses experienced a cyber security incident such as phishing in 2020. According to the same industry data, the impact on businesses is real, with $300 million spent on cybercrime to protect them and their clients.
EY Financial Services Cybersecurity Partner Jacqueline Kernot works with big banks to ensure their cyber security systems remain secure. She believes that the wider financial services industry, including advice firms, is more prone to phishing than other industries.
“There is greater requirement in financial services to share data. Moreover, the velocity of funds constantly being transferred between accounts creates useful information for attackers,” Kernot says.
“With COVID, we have also seen the complete collapse of industries in countries less fortunate than Australia. This has added to the rise of cybercrime and particularly exposed financial services.”
There are, however, a number of workable strategies that advisers and businesses can adopt to secure their businesses and clients against phishing attacks.
Staff training
In protecting a business and its clients, frontline staff are your first line of defence, Kernot says. Here training and awareness are key, particularly as data breaches are often caused by human error.
The Office of the Australian Information Commissioner revealed that the second largest source of data breaches in 2020 was human error, up 18%. The most common example of human error was information being emailed to the wrong person, which accounted for 45% of human error breaches.
There is no substitute for good training and awareness, argues Unni. He believes staff should be trained in such a way that being alerted to email scams becomes second nature—similar to how people are now made aware and encouraged to sanitise and wash their hands for 20 seconds following COVID.
EY’s Kernot also recommends that training must be done in a proactive way. If a staff member does fall for a scam, rather than blame the employee, she recommends organisations have the correct training and processes in place to swiftly address the issue and ensure lessons are learned from the incident.
An effective strategy to reinforce this training is through phishing drills, according to Unni. These drills involve testing staff by sending a test phishing campaign from a CEO or a line manager. Unni says this not only boosts the awareness of phishing but also provides the business with a better understanding of how their staff would respond to suspicious emails. However, the content of the emails should be carefully considered, given the potential for adverse employee and public reaction, as has occurred in some phishing simulations.
With remote working expected to remain the norm for at least a number of months, Kernot also recommends businesses provide access to a day’s training with their tech specialists. “Training staff on simple security checks and controls can really be effective.”
Password authentication
Multi-factor authentication (MFA) on email systems is also an effective way to stave off phishing attacks.
A business can also give its clients and vendors access to its systems via multi-factor authentication and enforce complex passwords.
“People tend to re-use passwords. It was only recently that one of our clients had their business compromised because the CFO used the same password for all the work systems,” Kernot says, adding that companies can also implement relatively inexpensive password management systems for their employees and clients.
“It may be 2021 but people are still using sticky yellow notes to remember their password. Having a system that helps staff not forget their passwords helps protect your workforce.”
Using the right technology
According to the ACSC survey, half of small and medium-sized businesses spend less than $500 annually on cyber security.
For Unni, prevention is better than cure, and he adds that businesses do not have to make a huge investment to ensure their systems meet the ‘hygiene standards’ in cyber security, protecting both the organisation and its clients.
“It is very important that businesses invest in cyber security. Cyber criminals are themselves investing in technology to drive even more sophisticated attacks. Businesses that invest in cyber security will help them stay ahead of the game,” Unni says.
In particular, he highlights that by using software such as Microsoft 365, Google Email and Google Workspace, firms can access security configurations that can prevent, detect and even warn of a potential phishing email.
Similarly, Unni urges businesses to alert their clients to ‘switch on’ these security mechanisms when using those platforms.
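The kind of phishing described earlier in the article, where someone posing as the CEO emails the financial controller asking for a funds transfer, can be flagged with a few header and content checks of the sort the platform settings above automate. The Python below is an added example, not code from the article or from Microsoft or Google; it scores three constructed sample messages (invented addresses and domains, not real mail) for common business-email-compromise indicators. The firm's domain, the executive directory and the score threshold are assumptions for the demo.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr

# Assumed values: the firm's own mail domain and the senior staff whose names are most
# likely to be borrowed by an impersonator. Both are constructed for this example.
COMPANY_DOMAIN = "example-advice.com.au"
EXECUTIVES = {"jane smith": "jane.smith@example-advice.com.au"}

FUNDS_WORDS = re.compile(r"\b(transfer of funds|wire|bank details|pay(?:ment)? today)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent(?:ly)?|immediately|right away)\b", re.I)
EVASION_WORDS = re.compile(r"\b(do not call|don't call|can't talk|keep this confidential)\b", re.I)

# Constructed sample messages: (1) CEO impersonation from a free-mail account,
# (2) a genuine internal mailbox with a diverted Reply-To, (3) a benign message.
SAMPLE_MESSAGES = [
    """From: Jane Smith <jane.smith.ceo@freemail-example.net>
Reply-To: jane.smith.ceo@freemail-example.net
To: accounts@example-advice.com.au
Subject: Urgent payment
Authentication-Results: mx.example-advice.com.au; dmarc=fail header.from=freemail-example.net

Hi, I need you to process an urgent transfer of funds to a new supplier today. I am in a meeting, so please do not call.
""",
    """From: Jane Smith <jane.smith@example-advice.com.au>
Reply-To: jane.smith@mail-example.org
To: accounts@example-advice.com.au
Subject: Supplier invoice
Authentication-Results: mx.example-advice.com.au; dmarc=pass header.from=example-advice.com.au

Please update the bank details for the new supplier and wire the outstanding invoice today. Keep this confidential.
""",
    """From: Tom Lee <tom.lee@example-advice.com.au>
To: staff@example-advice.com.au
Subject: Team lunch
Authentication-Results: mx.example-advice.com.au; dmarc=pass header.from=example-advice.com.au

Lunch is booked for Friday at midday. Let me know if you have any dietary needs.
""",
]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw: str, threshold: int = 3) -> dict:
    """Score one RFC 5322 message for business-email-compromise indicators.

    Returns the sender, the score, the reasons found and whether it crosses the
    (assumed) alert threshold at which the message should be held for review.
    """
    msg: Message = email.message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    score, reasons = 0, []

    # Display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        score += 3
        reasons.append(f"display name '{name}' is an executive but address is {from_addr}")
    # Replies would go somewhere other than the apparent sender's domain.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        score += 2
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(from_addr)}")
    # The gateway's own DMARC evaluation failed for the From domain.
    if re.search(r"dmarc=fail", msg.get("Authentication-Results", ""), re.I):
        score += 2
        reasons.append("DMARC check failed at the gateway")
    # Content cues: money movement, time pressure, discouraging a phone call back.
    for pattern, label in ((FUNDS_WORDS, "funds-transfer request"),
                           (URGENCY_WORDS, "urgency language"),
                           (EVASION_WORDS, "discourages verification by phone")):
        if pattern.search(body):
            score += 1
            reasons.append(label)
    return {"from": from_addr, "score": score, "reasons": reasons, "alert": score >= threshold}


def assess_all(raw_messages: list) -> list:
    return [assess(m) for m in raw_messages]


if __name__ == "__main__":
    for result in assess_all(SAMPLE_MESSAGES):
        flag = "ALERT" if result["alert"] else "ok"
        print(f"{flag:5} score={result['score']} from={result['from']}: {'; '.join(result['reasons'])}")
```

The second sample is the one worth noticing: the address and DMARC result are genuine because the mailbox itself has been taken over, so only the diverted Reply-To and the content cues remain, which is why a single header check is not enough and an out-of-band phone confirmation of any payment change should stay in the process regardless of what the filter says.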
While smaller business might not have the capability to build tech defence systems like the big banks, Kernot says there are viable options available.
“Using applications and services that are hosted in the cloud is an effective way to protect against attacks,” she says. Echoing Unni’s views, Kernot says businesses like Microsoft also provide cloud-hosted email services, a service she uses for a not-for-profit business she chairs.
“I certainly don’t get any phishing emails [from using the service].”
Kernot also suggests that businesses should always take the opportunity to ask their outsourced service providers about the security controls they provide.
Client newsletters
Kernot and Unni both see an opportunity for businesses to provide regular client and staff newsletter alerts on cyber security including the latest scams.
“It’s an effective way for advisers to further engage with their clients,” Kernot says, adding that businesses can even use the information from the ACSC in their client notes.
“The ACSC is a government industry partnership for small businesses. Much of the information and support they provide is free for businesses. It can provide a valuable resource for the industry,” Kernot says.
A holistic approach
It is important that businesses recognise that effective protection against cybercrime such as phishing goes beyond technology, according to Unni.
“A holistic approach to cyber security needs to be adopted. Advisers can better manage their client and business risks by ensuring processes and systems remain robust supported by a trained workforce and the right technology.”