It’s the most wonderful time of the year – for cybercriminals. They pocketed more than £10 million during last year’s festive shopping period, when we’re all bombarded by promotional emails and brand giveaways. But the threat extends to more than British consumers; it also impacts businesses.
The Government’s National Cyber Security Centre (NCSC), part of intelligence agency GCHQ, is warning that this year may see AI-generated cyberattacks, allowing scammers to produce more convincing scam emails, adverts and websites than ever before. And that’s something the public is aware of: 72% of consumers are worried that AI will make online fraud easier.
How to detect a phishing scam
We used to issue advice about how to identify a phishing email by looking for poor grammar or spelling, unusual sender email addresses, or design that feels out of kilter with the brand it’s supposed to be from. That advice still stands – but it’s also worth looking a little deeper for the hallmarks of social engineering techniques as scams grow in volume and sophistication.
Look out for:
- A sense of urgency – do you have a limited time to respond? Are you being threatened with negative consequences or cost if you don’t act immediately?
- Scarcity tactics – is what the message is offering in short supply? Are they using fear of missing out on a good deal to get you to respond quickly?
- Signs of relevance – unfortunately, Black Friday is a prime example of this. Is the message tied to something happening in the news or a specific time of year? Are they trying to bypass your usual diligence by looking like a seasonal promotion?
Never click a link in an email or download an attachment if you have even an inkling that something ‘seems off’. As consumers, we’re all naturally looking for a bargain coming into the festive season, but if something sounds too good to be true, it probably is.
The average consumer lost £649 in last year’s festive scamming season, but the true cost to businesses is thought to be far higher. ‘Bring your own devices’ (BYOD), where employees use their own devices to access company networks and systems or having personal email accounts set up on company devices are both significant risks to your business. If an employee falls victim to a phishing scam, for instance, they may also give hackers an open door to your business data, which can prove catastrophic. And, if you’re part of a supply chain, it can create a gateway to other businesses.
What you can do to protect your business this Christmas
It might be helpful to think of your defences against common scams as two-pronged. First, you need to tighten up systems, access and permissions, and policies. Next, you need to talk to your teams about their role in keeping your business secure.
Changes you can make
- Make sure multi-factor authentication or two-step verification is in place on all your systems and apps, regardless of how niche they are in your organisation
- Set stringent password rules, including maximum sophistication, and where possible set them to be changed every 30 days
- Set policies and access controls to block personal email accounts on company mail apps and limit what personal devices have access to on your networks. We can help you do this through things like secure VPNs
- Run a spoof phishing campaign to see how vulnerable your teams are to social engineering tactics – something we can help you do
- Talk to your people about the following ways they can help keep your business secure…
Changes your people can make
- Get familiar with the social engineering tactics scammers use to lower your defences, and be vigilant. If you see something that rings alarm bells, speak to your IT department without forwarding the email or message, or clicking any links or attachments
- Where possible, don’t use your personal devices to access company networks, apps or data. Keep work and home life separate with your technology, to avoid giving hackers an easy hop into the business if you fall victim to cybercrime personally
- If you do need to use your own devices for company work, speak to IT about how to do it securely
- Don’t add your personal email accounts to company devices, and don’t send company data back and forth to your personal emails. If you need to be able to access something more conveniently, talk to IT about how to do it securely
Don’t give cybercriminals the satisfaction of a great Christmas. By circulating this advice to your people, you can help them stay safe online this festive season, as well as minimising the risks of cybercrime spilling over into your business. We’re here to help – just drop us a line or give us a call for some advice and practical support on keeping systems secure.