The best way to fight against attempts to compromise business accounts and identify malicious emails is to educate your staff on how to recognise the common tactics/factors.
These basic steps provide a good base of security to avoid having your account compromised
- Always use unique passwords for every account, and especially NEVER EVER use the same password for personal accounts as you do for a business account. Websites you may use on personal time (e.g. small online stores, video sharing sites, etc) can have security vulnerabilities and are often the target of hackers that steal password databases.
- Make sure your passwords are secure. A good base standard for a password is 8 characters, at least one capital letter, and at least 2 special characters (numbers or symbols).
- Don’t save passwords using the inbuilt save function on your browser (e.g. Google Chrome). These passwords can be very easily and quickly viewed on your computer by anyone who knows your computer login.
- If you do not recognise an address or do not believe you should be receiving an email from an address, especially if it involves personal or financial information, treat is with suspicion. Contact the sender if possible, you can also contact your IT and they can confirm for you whether the email is suspicious.
- Don’t log in to your business accounts on computers that you aren’t familiar with (e.g. a friend’s laptop or an internet café computer). Also try and avoid logging in to your business accounts when using public wifi (e.g. in a fast food restaurant or a shopping centre) as these are often insecure.
- Try to avoid entering your account details in to sites you don’t recognise or links you have received via email, these can often be faked sites designed to look like the real website but are actually just designed to steal your password after you enter it. Giveaways for these kinds of sites are misspellings of words, characters switched for other characters (e.g. a zero in place of an O in the address) and lack of a valid SSL certificate (indicated by the lack of a ‘HTTPS://’ before the websites name in the address bar)
You can also learn to recognise the telltale signs of a fake/malicious emails.
Some of these are as follows:
- A sense of urgency (e.g. “Please transfer $X.XX by THIS AFTERNOON or Y consequences”)
- Misspellings in the subject line and text
- Suspicious links to external sites (e.g. a link to a google drive document from someone who has never sent you any google drive documents before)
- The subject of the email is completely unrelated to your Job Role (e.g. it is regarding finance but you are in HR)
- There are people who you don’t recognise or are completely unrelated to you CC’d on the email
- Email was sent at suspicious hours (e.g. an email from a local business usually wouldn’t be sent at 1a.m)
- The email is trying to entice you or threatening consequences for not responding/not clicking on their link
These are just some of the general signs of a suspicious email.
A more thorough breakdown can be found at the following link.