Phishing Finance? If I was a criminal I would target them

Finance companies are a lucrative target for cybercriminals and the most common attack method is through the employees via phishing in all its many guises.

The 2022 Cyber Security Breaches Survey found that 83% of cyber attacks on UK businesses were identified as phishing, and with 63% of businesses saying that phishing attacks were the most disruptive cyber attack, all companies and employees need to be aware of this threat.


And it's no wonder why finance companies are at risk; they hold the data that cyber criminals want the most: the banking and personal data that enables them to get paid.


What is phishing?

Put simply, it's a way to trick you into doing something. This could be handing over secret details such as your password or 2FA codes, visiting a dodgy website or downloading a malware-infested file.


There are lots of different terms for phishing, but you don't really need to know them; you need to know two things. The attackers want you to do something, and the contact can come through any communication method: email, text, social media, QR codes, phone calls, maybe even a casual conversation with a stranger.

[Image: example phishing email]

Playing the odds or a targeted attack?

There are criminal groups who work on an odds basis; “If I send out 1 million emails, someone is bound to do what I want eventually”. These phishing attacks are usually quite generic and may be pretty easy to spot. Targeted attacks are much harder and can be extremely sophisticated with detailed information that you would think only the genuine person or company should know.


Where do they get information about me and/or my company?

There is a wealth of places that information can be found on companies and their employees.

Where do they look? / What can they get?

  • Previous data breaches / other criminals: name, date of birth, IP address, home address, usernames, passwords, financial details

  • Company websites: key personnel (CEO, MD), company structure, key partner companies, email addresses, telephone numbers, latest news, address

  • Social media channels: connections, photos, family, personal life details such as holidays and hobbies, pet names

  • Internet search: Companies House information, press releases, out-of-work activities, latest news

What should I do?

Companies need to put in place a layered approach to phishing.

  • Make it harder for attacks to get to employees

    • Employ anti-spoofing (DMARC, SPF, DKIM) – you can check whether your settings are correct with the NCSC's Email Security Check

    • Understand what information is published that could be used to create targeted attacks. You might want to have a look at what a corporate internet investigation might highlight, and use haveibeenpwned.com to check what information about you and your employees has already been released in data breaches

    • Filter or block incoming phishing emails using your email provider or specific service

  • Make employees less likely to fall for the phish and know how to report them

    • Regular training and discussion around phishing attacks. The ECRC can provide staff awareness training bespoke to your company and practices.

    • Have a clear guide about what staff should do if they receive a phish

  • Protect your company from undetected attacks

    • Consider technical defences – anti-malware, blocking extensions, disabling macros

    • Use a proxy service to block any attempt to reach websites which have been identified as hosting malware or phishing campaigns

    • Set up 2FA/MFA wherever possible – this way, even if the username and password are compromised in a phishing attack, the attacker still shouldn't be able to get access to the system, as they won't have the second verification factor – warning – attackers are now looking at how to phish the authentication code as well

    • Use a password manager or a single sign-on method. Because of autofill, users get used to not having to type their password and may be more likely to question it when they are asked to

  • Be able to respond quickly to attacks

    • Use a security logging system to pick up on those incidents that your users are not aware of. If you don't have a logging system in place, the NCSC has a free tool called Logging Made Easy which enables companies to set up their own basic capability.

    • Have an incident plan ready and test it. It is almost guaranteed that one day a phishing email will slip in, so what will you do about it? If you don't already know, make sure that you go away and think about it.

    • The ECRC has a free template you can download and use for your organisation if you haven't got a plan yet, and you can test your plan with the NCSC's Exercise in a Box.
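As an added example (not code from the ECRC or the original article), a small Python checker that flags the weak settings in SPF and DMARC records that the anti-spoofing point above refers to. The record strings are constructed samples on reserved `.invalid` names, not real domains, and the checker reads record text only; it does not perform DNS lookups.

```python
# Constructed sample TXT records (no real domains); the left pair is weak, the right pair is the corrected form.
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.example-mailer.invalid +all"
SAMPLE_SPF_OK = "v=spf1 include:_spf.example-mailer.invalid -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
SAMPLE_DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s"


def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means nothing weak was found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The trailing 'all' mechanism decides what happens to mail from hosts not listed earlier.
    mech = terms[-1].lower()
    if mech in ("+all", "all"):
        findings.append("'+all' lets any host send as this domain")
    elif mech == "?all":
        findings.append("'?all' is neutral: spoofed mail is not penalised")
    elif mech == "~all":
        findings.append("'~all' soft-fails only; consider '-all' once all sending sources are listed")
    elif mech != "-all":
        findings.append("record does not end with an 'all' mechanism")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means nothing weak was found."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown p= policy")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append("pct=" + tags["pct"] + ": the policy applies to only part of the mail")
    return findings
```

Run the two check functions over your own published TXT records to get a first opinion before confirming the result with the NCSC tool.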

Further guidance and support

The ECRC is a police-led, not-for-profit organisation which companies can join for free.

Our core membership provides:

  • Threat alerts both regionally and nationally

  • Signposting to free tools and resources from both Policing and the NCSC

  • Little Steps programme – a series of weekly emails, aligned to Cyber Essentials, giving bite-sized practical information to build cyber resilience




The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.