Protect your business from being used for phishing scams
Learn how to stop scammers from using your business or technology to send out phishing scams.
What it is
Phishing is a type of email scam. Online attackers can use your brand or your IT systems to make it look like a phishing email comes from your business.
How to protect your business
- Install updates
Updating your operating systems and software whenever patches are released means any identified security vulnerabilities will be fixed. If you don’t install patches when they’re released, scammers could exploit any known vulnerabilities to gain access to your website or your business workstation. They could use that access to create a phishing page on your website or send a phishing email from your workstation.
- Set up two-factor authentication
Protect your email, administrator account and any other key accounts with two-factor authentication – a security setting that requires extra pieces of information, aside from your password, to access your account, such as a text message code or fingerprint.
- Register similar domain names
When you register a domain name for your website, think about registering other, similar domain names too. It’s not expensive to do and could stop online attackers from using domain names similar to your business’s to front a phishing attack.
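The advice above is easier to act on with a list of the variants of your own domain that are worth registering. The script below is an added example, not CERT NZ’s code: it generates common lookalike spellings (a dropped, doubled or swapped letter, an inserted hyphen, characters that look alike such as "rn" for "m" or "1" for "l") and the same name on other top-level domains. The variant rules and the TLD list are assumptions chosen for illustration; "example.co.nz" is a constructed sample input.

```python
"""Generate lookalike variants of a business domain name so they can be
registered defensively before someone else does. Added example, not CERT NZ code.
The substitution rules and DEFAULT_TLDS below are assumptions for illustration."""
from typing import Iterable, List, Set, Tuple

# Character sequences that look alike in many fonts (assumed list).
HOMOGLYPHS = {"m": ["rn"], "rn": ["m"], "l": ["1", "i"], "i": ["l", "1"], "o": ["0"]}

# Top-level domains a New Zealand business might want to cover (assumed list).
DEFAULT_TLDS = ("co.nz", "nz", "net.nz", "org.nz", "com", "net", "org")


def split_domain(domain: str, known_tlds: Iterable[str]) -> Tuple[str, str]:
    """Split 'example.co.nz' into ('example', 'co.nz'), matching the longest known TLD."""
    domain = domain.lower().strip(".")
    for tld in sorted(known_tlds, key=len, reverse=True):
        if domain.endswith("." + tld):
            return domain[: -len(tld) - 1], tld
    # Unknown TLD: treat everything after the first dot as the TLD.
    label, _, tld = domain.partition(".")
    return label, tld


def label_variants(label: str) -> Set[str]:
    """Return spellings of the registrable label that a reader could mistake for it."""
    out: Set[str] = set()
    n = len(label)
    for i in range(n):                          # one character omitted
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                      # two adjacent characters swapped
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                          # one character doubled
        out.add(label[:i] + label[i] + label[i:])
    for i in range(1, n):                       # hyphen inserted inside the label
        out.add(label[:i] + "-" + label[i:])
    for src, replacements in HOMOGLYPHS.items():  # look-alike character substitution
        idx = label.find(src)
        while idx != -1:
            for rep in replacements:
                out.add(label[:idx] + rep + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    out.discard(label)
    # Drop empty labels and labels a registrar would reject (consecutive hyphens).
    return {v for v in out if v and "--" not in v}


def lookalike_domains(domain: str, tlds: Iterable[str] = DEFAULT_TLDS) -> List[str]:
    """Sorted list of candidate domains to consider registering for `domain`."""
    tlds = tuple(tlds)
    label, tld = split_domain(domain, tlds)
    names = {f"{variant}.{tld}" for variant in label_variants(label)}
    names.update(f"{label}.{other}" for other in tlds if other != tld)  # same name, other TLDs
    names.discard(domain.lower())
    return sorted(names)


if __name__ == "__main__":
    for candidate in lookalike_domains("example.co.nz"):
        print(candidate)
```

The output is a shortlist to take to your registrar; it is deliberately small (single edits only), because each name costs money to hold, and you can extend the TLD list to whatever your business actually trades under.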
- Keep an eye on your website
Monitor your website – if you’re familiar with what’s on there, you’ll notice if something changes when it shouldn’t. Then, if someone gains access to your website and tries to use it to host a phishing page or malware, you’ll know.
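Knowing what is on your site well enough to notice a change can be automated: take a baseline of every page’s content hash, re-crawl on a schedule, and alert on anything added, removed or modified. The script below is an added example, not CERT NZ’s code. The two site snapshots are constructed samples held in memory so it runs offline; in use you would replace them with real fetches of your own pages and keep the baseline file somewhere the web server cannot write to.

```python
"""Detect unexpected changes to a website by comparing page content hashes
against a known-good baseline. Added example, not CERT NZ code.
BASELINE_SITE and CURRENT_SITE are constructed samples standing in for two crawls."""
import hashlib
import json
from typing import Dict, List

# Constructed sample: the site as it looked when the baseline was taken.
BASELINE_SITE: Dict[str, str] = {
    "/": "<html><body><h1>Example Ltd</h1><a href='/contact'>Contact</a></body></html>",
    "/contact": "<html><body><form action='/send'>Name: <input name='n'></form></body></html>",
}

# Constructed sample: a later crawl in which the home page was altered and a page
# appeared under a path the business never published.
CURRENT_SITE: Dict[str, str] = {
    "/": "<html><body><h1>Example Ltd</h1><a href='/contact'>Contact</a>"
         "<iframe src='/wp-includes/verify.html'></iframe></body></html>",
    "/contact": "<html><body><form action='/send'>Name: <input name='n'></form></body></html>",
    "/wp-includes/verify.html": "<html><body><form><input name='password'></form></body></html>",
}


def content_hash(body: str) -> str:
    """SHA-256 of a page body; a change of a single byte changes the hash."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def snapshot(site: Dict[str, str]) -> Dict[str, str]:
    """Map each path to the hash of its content.
    In production, build `site` from real fetches (e.g. urllib.request.urlopen per path)."""
    return {path: content_hash(body) for path, body in site.items()}


def save_baseline(snap: Dict[str, str], path: str) -> None:
    """Persist the baseline; store it off the web server so an intruder cannot update it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which pages were added, removed or modified since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def needs_attention(report: Dict[str, List[str]]) -> bool:
    """True when any category is non-empty; a cron job would alert on this."""
    return any(report.values())


if __name__ == "__main__":
    baseline = snapshot(BASELINE_SITE)
    report = diff_snapshots(baseline, snapshot(CURRENT_SITE))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
    print("ALERT" if needs_attention(report) else "no change")
```

Legitimate edits will also trigger the alert, so the workflow is: publish a change, review the report, then re-save the baseline. An unexplained entry, especially a new path you never created, is the signal to treat the site as possibly compromised.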
- Educate your staff
Train your staff to know what to look out for. Make sure they know to report any suspicious activity on their workstation – for example, if they get strange emails or pop-ups, or find odd applications running.
See our guide: Educate your staff about online security
Think about implementing a social media policy for your business to help guide staff on what they can or can't share about their work – this can limit the amount of information a potential attacker can gather.
- Double check unusual requests
If you get an email request that you're not expecting, or that seems strange, contact the sender another way – by phone or in person – to double check it.
Don’t click on web links sent by someone you don’t know, or that seem out of character for someone you do know.
- Check your security measures
Ensure that appropriate security measures are in place for your organisation. Think about:
  - antivirus: software designed to find and remove viruses from your device, and stop new ones getting in
  - a firewall: a piece of software that enforces rules about what data a device can send or receive, often used to prevent malware from entering a device or network
  - a patch/updates policy: a system to make sure all the latest software fixes have been applied
  - email filtering: a set of rules to sort and block emails containing certain words, links, or attachments
  - a spam filter: software designed to remove or block spam messages
  - limiting access to external websites within your network
  - segmenting highly privileged accounts (like administrator and root accounts)
  - documenting and testing processes for dealing with security incidents
  - how you monitor and react to security events.
- Create an incident response plan
No matter how prepared you are, sometimes things go wrong. Knowing what to do during an attack is important – you’ll need a plan to help you get through what can be a stressful time. Check out our incident response planning guide to see how to make sure you're prepared.
Get help
If you think your business brand or systems are being used to send out a phishing attack:
- trigger your incident response plan
- report it to your IT department immediately.
If you are unsure what else to do, report it to CERT NZ. We’ll:
- investigate the phishing page, to understand where the web server is hosted and where the domain name is registered
- confirm whether the scammer has compromised your legitimate website, or set up a new domain name and replicated it
- try to make contact with the hosting or domain name owner and have the phishing page taken down.