Ask the expert: answering the internet’s most common Phishing questions

Phishing attacks account for 83% of cyber breaches in the UK, they remain a huge risk for organisations in the UK, I am ramsac’s lead cybersecurity consultant, and in this blog, I answer all the most common questions about phishing emails.

Q) Why should I care about phishing emails?

Attackers cast a wide net to find vulnerable organisations regardless of size or industry. In the UK, money is paid from a corporate account to a criminal’s account every 15 minutes of each working day. Attackers target employees using phishing emails to gain access to an organisation’s network, the resulting data breaches can be hugely damaging for a business.  The cost of a data breach to Small and Medium Businesses (SMBs) ranges from £7,000-£186,000 in the UK, and 60 percent of small and medium-sized organisations cease to exist within six months of a cyber-attack.

Q) How can I identify a phishing email?

Phishing emails are rarely entirely faultless, there are usually 1 or more mistakes or indicators that the email is malicious. The below list is not exhaustive but represents the main indicators of a phishing email

  • Check the “from” address – is it different from usual, are there subtle spelling errors or is the user using a Hotmail or Gmail account?
  • Be suspicious of untidy design.
  • Look out for spelling mistakes.
  • Look out for emails that try to create a sense of urgency to make you rush into taking a decision (like clicking on a link or downloading a file).
  • If it’s too good to be true, it probably is.
  • Consider context – were you expecting this email?
  • Always question any email that is asking you to make a payment, even if it appears to be from someone you know.
  • Confirm any payment via an alternative source, like a phone call or face to face conversation (if possible) with the person requesting the payment

Q) What should I do if I receive a phishing email?

Follow the IT security policy in your organisation for responding to this. The IT policy should contain steps such as:

  • Do not click on any links
     
  • Do not download any file
  • Do not reply to the email
  • Do not give out personal information
  • Do not forward it to another staff member
  • Do not carry out any request asked by the sender
  • Inform the relevant authorities in your organisation about this
  • Sensitise the rest of your colleagues to watch out for a similar email

Q) What should I do if I have clicked on a link in a phishing email?

Follow the IT security policy in your organisation for responding to this. The IT policy should contain steps such as:

  • Disconnect your device from the network and put it on aeroplane mode or disable wireless immediately
  • Do not delete the email
  • Do not turn off your device, leave it turned on to ensure any evidence is preserved
  • Inform your IT team and relevant leader in your organisation 

Q) What should I do if I have clicked on a link in a phishing email and entered my credentials?

Follow the IT security policy in your organisation for responding to this. The IT policy should contain steps such as:

  • In addition to all the steps shown above, you should also change your password immediately using another device

Q) What should I do if I receive a phishing email from a known contact who has been compromised?

  • Consider context – were you expecting this email?
  • Consider if the email is trying to create a sense of urgency to make you rush into taking a decision (like clicking on a link or downloading a file).
  • Always question any email that is asking you to make a payment, even if it appears to be from someone you know.
  • Do not respond to the email
  • Do not carry out any request asked by the sender
  • Inform the IT team and relevant leader within your organisation
  • Find an alternative means of communicating with the known contact, such as a direct phone call using a number you already know, to establish validity.

Q) How do I isolate my device?

  • Remove the network cable from your device if present
  • Put your device on aeroplane mode by clicking on the network icon in the task bar on the bottom of your screen. (see image below)
  • Alternatively turn off WIFI and Bluetooth located in the task bar on the bottom of your screen

Q) Who should I inform when I receive a phishing email?

Notify the relevant authority within in your organisation this could be the IT support desk, IT manager, Cybersecurity officer or the leader with responsibility for IT or data protection.

Q) What can an organisation do to protect against phishing emails?

Your organisation should have an IT Security policy, which all employees should receive training on, in order to know what to do if they receive or click a phishing email.

All organisations need to be training end users on the importance of vigilance, and should be giving end users the skills to recognise a potential phishing email.

There should be clear guidance, particularly for finance teams, around how to handle payment requests that are received via email. Ideally there should always be a two stage verification process that includes at least one stage that isn’t dependent on an email or text message.

You should consider carrying out simulated phishing attacks and relevant training, using a service such as Knowbe4 or Sophos Phish Threat.

You should have clear instructions for all users on what to do if they realise they may have become a victim.

You should ensure you’re carrying out training on a regular basis to keep the subject at the front of peoples minds.

Q) How should an organisation respond to a phishing attack?

As soon as your IT team have been notified, they should:

  • Check if more than one device has been affected
  • Isolate all affected devices by disconnecting devices from the network and putting them on aeroplane mode immediately
  • Change account passwords immediately, or temporarily lock out the affected user accounts whilst an investigation takes place.
  •  Investigate the phishing incident or attack and determine what information might have been breached. Review the security of all potentially impacted accounts. For example, if an impacted user has bank login details, it might be appropriate to change banking passwords as well as the Microsoft account password.
  • Consider whether a data breach has happened and if so, whether you should be notifying the ICO and/or your contact base who’s details may also have been breached.
  • Consider the PR implications and plan your communication strategy.
  • Carry out a full reviews of the incident, consider whether a forensic level assessment of the attack might be required.
  • Ensure that all traces of the attack have been completely cleaned, passwords changed and a full clean up complete, before restoring the user/device.
  • Implement remediation strategies and safeguard against future attacks (Phishing simulation, IT Security Policy, Security Awareness training etc).

Q) Who should an organisation notify when a phishing email or text is received?

  • Depending on the Cyber Incident Response policy within your organisation, the phishing email should be forwarded to the National Cyber Security Centre (NCSC) on [email protected]. NCSC will investigate it
  • Forward any text message to 7726, this is an easy, free service you can use to report suspicious texts or calls you might receive on your mobile, it alerts your mobile provider to investigate the number and potentially block it, if it’s found to be a nuisance. will inform your service provider
  • If a data breach has occurred it is important the breach is reported to the Information Commissioners Office (ICO). The ICO is the UK body that is responsible for prosecuting organisations that fail to keep data safe. The GDPR introduced a duty on all organisations to report certain types of personal data breaches to the relevant supervisory authority. Failing to do so can result in heavy fines and penalties and an investigation by ICO.

Q) How can ramsac help?

The Phish Threat training from ramsac is a great way of increasing cybersecurity awareness. By testing which of your employees can spot a phishing email and which are fooled by them.
We will carry out random simulated phishing attacks, ensuring that every user receives a very realistic phishing email at least 4 times a year. The emails mimic phishing emails from well-known brands such as LinkedIn and Microsoft, and If the user clicks on a link they will be taken to a safe web page, that highlights what they have just clicked on and offers guidance on how to spot attacks in the future.

Worried about your IT security?

Speak to us today about your cybersecurity concerns.

Related Posts

  • Happy Birthday secure+: How our cybersecurity solution has detected over 8000 cybersecurity alerts in one year

    Happy Birthday secure+: How our cybersecurity solution has detected over 8000 cybersecurity alerts in one year

    Cybersecurity

    secure+ has detected and responded to over 8000 security alerts in its first year [...]

    Read article

  • MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.

    MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.

    Cybersecurity

    MFA Fatigue is a problem organisations need to be aware of, in this blog we break down why and what organisations can do to combat it. [...]

    Read article

  • Data Protection Day – Protecting your information on social media.

    Data Protection Day – Protecting your information on social media.

    Cybersecurity

    The 28th of January is Data Protection day, to mark this day we have created a blog with tips on how people can keep their personal data safe on [...]

    Read article

  • Cybersecurity – The importance of Testing & Training

    Cybersecurity – The importance of Testing & Training

    Cybersecurity

    Many organisations offer cybersecurity training to their staff, but training and testing as a combined strategy provides a much stronger defence against cybercrime. [...]

    Read article

  • Man-in-the-Middle (MITM) attack – Cyber secure series

    Man-in-the-Middle (MITM) attack – Cyber secure series

    Cybersecurity

    Man-in-the-middle attacks mean an attacker has intercepted communications between two people and has altered them in some way. Learn more today. [...]

    Read article

  • Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK

    Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK

    Cybersecurity

    In this blog, we'll explore the concept of the ICO Regulatory Sandbox and its objectives in the data protection landscape in the UK [...]

    Read article