We’ve all heard about the shocking rise of successful data breaches in companies of all sizes. In this blog post, we take a look at what social engineering and phishing are and provide tips on how to protect your business from falling victim to these scams.
So, what is Social Engineering?
It is a strategy for attacking people rather than systems, using psychological manipulation and the emotional side of decision making. It differs from traditional cyber-attacks because it is mostly non-technical and relies on conning people into divulging sensitive information to someone they believe they can trust.
While fraudsters are getting wilier and more creative with the way they execute this, the oldest and perhaps most successful tactic is phishing. In fact, according to Verizon's annual Data Breach Investigations Report, social engineering attacks, including phishing, are responsible for 93% of successful data breaches.
What does a Phishing Attack look like?
A phishing attack typically imitates someone you know and trust and attaches an urgent call to action, such as paying an invoice. It is an attempt to deceive you into divulging sensitive information to an impersonator or into transferring funds.
Two of the most common ways to carry out a phishing attack are domain spoofing and lookalike domains. Domain spoofing is sending emails that claim to come from a company's exact domain, which is possible when that domain is not protected; a lookalike domain attack uses a newly purchased domain that closely resembles your company's.
Tips to be safe
Slow Down: Phishing attacks rely on people making quick decisions without digging deeper. They want you to act first and think later. Do not let the task at hand and the urgency of it deter you from checking the details.
Verify the details: You may spend a few extra minutes verifying the facts, but always do your own research. If you receive an email from a colleague asking you to do something urgently, give them a call and double-check the details. If it is an email from a company you use, go to their website yourself via a search engine rather than following links in the email.
Fight it with Tech
Even after all the training and education about potential attacks, there is only so much you can do manually to stay safe and keep social engineers at bay. A single click on a link in an email can leave your organisation vulnerable. Here is one further fundamental standard that you can proactively deploy to reduce the risk of a phishing attack on your organisation.
DMARC is an email authentication protocol that prevents unauthorised use of your domain: it lets you tell receiving mail servers what to do with messages that claim to come from your domain but fail authentication. The flip side is that if your organisation does not have DMARC deployed, anyone can send an email using the exact domain of your company. Deploying DMARC has been recommended by the NCSC for all businesses, and it was even mandated for all UK government agencies. Your organisation can deploy a DMARC policy easily using free tools offered by organisations such as the Global Cyber Alliance, but if your organisation uses multiple emailing tools such as G Suite, Mailchimp or SendGrid, we recommend using a DMARC solution such as OnDMARC, which is free for charities and sole traders.
These tools give you step-by-step actions to reach full DMARC protection. Check An Invoice also has a feature called “Thread Check” that checks the chain of emails an invoice was sent from to make sure no lookalike domains or unsafe contacts were used. We will also soon be adding a supplier DMARC audit feature so you can audit all your suppliers for DMARC compliance and receive supplier risk scores.
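To make the "full DMARC protection" and "supplier DMARC audit" ideas concrete, here is an added example (not code from the original post or from Check An Invoice) that parses a domain's DMARC TXT record and grades how much protection it actually gives. The domain names and records are constructed samples; a real audit would fetch the `_dmarc.<domain>` TXT record over DNS, and DMARC only blocks mail when SPF or DKIM are also set up so that legitimate senders pass alignment.

```python
"""Grade DMARC records: added example with constructed sample data."""

# Constructed sample records for hypothetical domains (not real suppliers).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "supplier-one.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "supplier-two.example": "v=DMARC1; p=none; rua=mailto:reports@supplier-two.example",
    "supplier-three.example": None,       # no _dmarc TXT record published at all
    "broken.example": "v=DMARC1 p=reject",  # malformed: missing ';' separator
}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs; None if absent or invalid."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag: receivers ignore the whole record
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # Simplification: treat a record without v=DMARC1 or without a 'p' tag as invalid.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def grade(record):
    """Return (level, reason) describing what the policy does to failing mail."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("unprotected", "no valid DMARC record: anyone can send as this domain")
    policy = tags["p"].lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100   # pct defaults to 100
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "none":
        return ("monitor-only", "p=none reports abuse but does not block it")
    if pct < 100:
        return ("partial", f"p={policy} applies to only {pct}% of failing mail")
    if subdomain_policy == "none":
        return ("partial", f"p={policy} but subdomains (sp=none) are unprotected")
    level = "enforced" if policy == "reject" else "quarantine"
    return (level, f"p={policy} applies to all failing mail")


def audit(records):
    """Grade every domain in a supplier list, e.g. audit(SAMPLE_RECORDS)."""
    return {domain: grade(record) for domain, record in records.items()}
```

Running `audit(SAMPLE_RECORDS)` grades only `example.com` as enforced; the others are partial, monitor-only or unprotected, which is the kind of signal a supplier risk score would be built from.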
Check An Invoice
Check An Invoice is an invoice fraud prevention company. At Check An Invoice we give businesses of all sizes the ability to automatically check each invoice for fraud before it is paid. We extract the invoice data and cross-reference it with your supplier records and government records to make sure they match. We also check the email chain the invoice was sent from to make sure no lookalike domains or unsafe contacts sent the invoice. Check An Invoice is available from £30 a month.
About the Author
Jay Singh is the CEO and Co-Founder of Check An Invoice. He has a passion for all things cybersecurity and previously worked at Red Sift where he helped businesses of all sizes secure themselves against phishing attacks. Jay also served as an ambassador for the Global Cyber Alliance and held senior positions at ResponseiQ and Crikle Platforms.