How businesses can protect themselves from phishing scams

Authored by Allianz

Over half of adults admit to having been targeted in a phishing scam and recent macroeconomic events such as the Covid-19 pandemic and cost of living crisis have only exacerbated the situation. But what exactly is ‘phishing’, how do you recognise it, and what’s the best way to avoid being caught out?

What is 'phishing'?

Phishing is a type of social engineering which involves sending a fraudulent message (generally an email but potentially also a text, website, advert or phone call) designed to trick individuals into revealing sensitive information and/ or data, or to deploy malicious software on the victim’s infrastructure.

It’s not just individuals who can fall victim to phishing; according to government data, phishing attacks on businesses have risen from 72% to 83% in the last 12 months.

Why should businesses be aware of phishing?

Organisations of any size can be targeted by a phishing attack. If carried out successfully, phishing can have severe consequences for a business, including:

• business disruption, with systems disabled and staff unable to work
• loss of intellectual property and data
• reputational damage
• a drop in company value, with diminished investor confidence
• regulatory fines and financial penalties where data privacy laws have been compromised.

Of all the types of breaches and attacks reported by organisations, the most common by far is phishing. (Cyber Security Breaches Survey 2022)

How to recognise a phishing scam

Cyber criminals are using increasingly sophisticated methods to deploy phishing attacks. When being on the alert for phishing attempts, the following can be a sign:

• a 'dodgy' or unrecognisable looking domain name
• a claim of authority (e.g. posing as a solicitor or government department)
• poor spelling or grammar
• suspicious attachments or links
• a sense of urgency (being given a limited time to respond)
• a request for sensititve information

How can businesses protect themselves?

Employee education

A key part of mitigating successful phishing attempts is to educate employees on how best to recognise phishing and what to do in the case of an attack. It’s recommended to run training on this and ensure staff are clear on how to report a suspected attack. Naturally, remote workers should be included in any such training.

Password tools and policies

Businesses can make use of password manager tools and encourage the use of strong passwords with special characters, with regular expiration dates.

Use multi-factor authentication for company systems

This involves requiring a user to successfully provide (at least) two pieces of evidence in order to verify their identity and log in, such as a password and one time access code.

Carry out phishing simulations

Companies can run mock phishing tests where they send an email to employees designed to mirror a typical phishing attempt. This measures staff awareness levels and can indicate a need for further training/education.

How can brokers help in the fight against phishing

Brokers can act as a ‘first line of defence’ in fighting fraud. By helping to educate customers on types of fraud and reporting any instances through the appropriate channels, insurers and brokers can continue to make it tougher for cyber criminals to succeed.