During the UK lockdown, many aspects of our lives and society have ground to a halt. Unfortunately, despite the current global crisis, there is one thing that certainly hasn’t slowed: email scams! Cybercriminals often prey on the vulnerable and on people’s good nature, and so, of course, Covid-19 provides the perfect catalyst for them.
Preventing users from clicking the links in these phishing emails is crucial and will obviously reduce the amount of damage done to your business. An effective antivirus solution will stop anything dodgy before it reaches your systems, as will a business-grade firewall solution.
Another essential tool to add to your armoury is Microsoft 365 Advanced Threat Protection (ATP). If an email manages to bypass your antivirus and firewall, ATP scans every link and attachment and investigates it away from the user: anything found to be insecure or malicious is blocked, whilst genuine links and attachments appear as normal.
Whilst technology will give you peace of mind, and do most of the work for you, nothing can replace vigilance.
The vast majority of us have received a spam email and known almost instantly that it’s a scam, but this isn’t always the case. Cybercriminals are very good at making emails seem legitimate.
A recent example of this was an email that appeared to come from HMRC about a tax rebate due to Covid-19. The email asked you to click a link in order to claim your rebate. The link took you to a webpage that asked you to input your tax and financial information in order to receive your money.
Similarly, cybercriminals are preying on users who are using technology that is new to them. Here at Risc, our ATP recently caught a phishing email sent to our MD that was designed to look like a Teams chat message update, inviting him to click on a link to reply to the message. If we didn’t have ATP in place, it’s likely this could have landed in a user’s inbox and fooled them.
In both of these instances, a spoofing tool was used to make the email appear to be from a genuine address. Both emails also looked very genuine, using the actual logos and layout of a genuine HMRC or Teams email. So what could you have done if you’d received something like these in your inbox?
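The spoofing mentioned above leaves traces in the message headers that a mail server records on receipt. The following is an added example, not code from the original post or from Risc: it parses a constructed HMRC-style lure (all domains and hostnames are placeholders) and lists the reasons the visible sender should not be trusted, by comparing the envelope sender with the From domain and reading the SPF, DKIM and DMARC results from the Authentication-Results header.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample modelled on the HMRC-style lure described above;
# the domains and hostnames are placeholders, not real infrastructure.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example-scam.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mailer.example-scam.test; dkim=none; dmarc=fail header.from=hmrc.gov.uk
From: "HM Revenue & Customs" <noreply@hmrc.gov.uk>
To: finance@example.test
Subject: Your Covid-19 tax rebate is ready to claim
Content-Type: text/plain; charset=utf-8

Click the link below to claim your rebate.
"""


def _domain(addr_header) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw: str) -> list[str]:
    """Return the reasons the visible sender of this message should not be trusted.

    Uses only what the receiving mail server already recorded: whether the
    envelope sender (Return-Path) matches the visible From domain, and what the
    Authentication-Results header says about SPF, DKIM and DMARC.
    """
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender domain {envelope_domain!r} "
                        f"differs from visible From domain {from_domain!r}")
    auth = str(msg["Authentication-Results"] or "").lower()
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{method} result is {result!r}, not 'pass'")
    return findings


if __name__ == "__main__":
    for reason in spoofing_indicators(SAMPLE_RAW):
        print("WARNING:", reason)
```

A mail gateway or ATP-style filter applies the same logic at scale; this version is for reading headers of a suspicious message that has already reached the IT team.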
A good rule of thumb is to avoid anything money-related in emails: anything telling you to click a link to claim money, input your bank details, or make a payment should be avoided. These aren’t legitimate! HMRC would never advise you of a potential tax refund or request your details by email!
You should also operate under a “better safe than sorry” ideology. If users aren’t sure whether something is genuine, it’s much better to check with the IT team than it is to click and find out.
Ensure your staff know what to do if they do end up with a dodgy email in their inbox. Should they report it as spam to Microsoft or your antivirus solution? Should they report it to the IT team? Should they just delete it? Establish a protocol and ensure everybody knows about it, and knows how to follow it.
And lastly, have an effective, tried-and-tested recovery plan in place that will help your business recover if it does all go wrong. If a user does click that dodgy link, you need to be able to recover quickly and effectively. The 3-in-1 solution from Redstor is perfect for this.
Staff education is imperative because if employers and employees know that scams are happening, understand that they can look realistic, and know what to do if they think they’ve received one of these scams, then it’s much more likely you won’t fall victim.