What it is
Phishing is a type of email scam. Online attackers can use your brand or your IT systems to make it look like a phishing email comes from your business.
How to protect your business from being used for phishing attacks
Updating your operating systems and software whenever patches are released means any identified security vulnerabilities will be fixed. If you don’t install patches when they’re released, scammers could exploit any known vulnerabilities to gain access to your website or your business workstation. They could use that access to create a phishing page on your website or send an email from your workstation.
Set up two-factor authentication
Protect your email, administrator account and any other key accounts with multi-factor authentication.
Register similar domain names
When you register a domain name for your website, think about registering other, similar domain names too. It’s not expensive to do, and could stop online attackers from using domain names similar to your business’s to front a phishing attack.
Keep an eye on your website
Monitor your website – if you’re familiar with what’s on there, you’ll notice if something changes when it shouldn’t. Then, if someone gains access to your website and tries to use it to host a phishing page or malware, you’ll know.
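One way to put this into practice, as an added example that is not from CERT NZ’s page: a small Python script that records a fingerprint of every file under the web root and, on the next run, reports anything added, changed or removed. The file names and page contents below are constructed samples; read_site() shows how the same check would run against a real web root directory.

```python
"""Baseline-and-diff check for website content: spot pages that appear or
change when they shouldn't, such as a phishing page planted by an attacker."""
import hashlib
from pathlib import Path


def build_manifest(pages):
    """Map each page path to the SHA-256 of its content ({path: bytes} in)."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in pages.items()}


def read_site(webroot):
    """Read every file under `webroot` into {relative path: bytes}, ready for build_manifest()."""
    root = Path(webroot)
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}


def compare(baseline, current):
    """Return the paths that are new, changed or missing relative to the saved baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


# Constructed sample: the site as it looked when the baseline was recorded ...
BASELINE_SITE = {
    "index.html": b"<html><body><h1>Example Ltd</h1></body></html>",
    "contact.html": b"<html><body>Call us on 0800 000 000</body></html>",
}
# ... and the same site later: the home page has been edited and a new page
# has appeared in a directory that should only hold images.
CURRENT_SITE = {
    "index.html": b"<html><body><h1>Example Ltd</h1><a href='/images/login/'>Sign in</a></body></html>",
    "contact.html": b"<html><body>Call us on 0800 000 000</body></html>",
    "images/login/index.html": b"<html><body><form>Enter your password</form></body></html>",
}


def check_sample():
    """Run the comparison over the constructed sample site."""
    return compare(build_manifest(BASELINE_SITE), build_manifest(CURRENT_SITE))


if __name__ == "__main__":
    for kind, paths in check_sample().items():
        for path in paths:
            print(f"{kind:9} {path}")
```

In practice, store the baseline manifest somewhere the web server cannot write to, and treat any unexpected entry in the report as a trigger for your incident response plan.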
Educate your staff
Train your staff to know what to look out for. Make sure they know to report any suspicious activity on their workstation – for example, if they get strange emails or pop-ups, or find odd applications running.
Think about implementing a social media policy for your business to help guide staff on what they can or can't share about their work – this can limit the amount of information a potential attacker can gather.
Double check unusual requests
If you get an email request that you're not expecting, or that seems strange, contact the sender another way – by phone or in person – to double check it.
Don’t click on web links sent by someone you don’t know, or that seem out of character for someone you do know.
Check your security measures
Ensure that appropriate security measures are in place for your organisation, including:
- patch management/updates policy
- email filtering
- limiting access to external websites within your network
- segmenting highly privileged accounts (like administrator and root accounts)
- documenting and testing processes for dealing with security incidents
- how you monitor and react to security events.
Create an incident response plan
No matter how prepared you are, sometimes things go wrong. Knowing what to do during an attack is important – you’ll need a plan to help you get through what can be a stressful time. Check out our incident response planning guide to see how to make sure you're prepared.
If you think your business brand or systems are being used to send out a phishing attack:
- trigger your incident response plan
- report it to your IT department immediately.
If you are unsure what else to do, report it to CERT NZ. We’ll:
- investigate the phishing page, to understand where the web server is hosted and where the domain name is registered
- confirm whether the scammer has compromised your legitimate website, or set up a new domain name and replicated it
- try to make contact with the hosting or domain name owner and have the phishing page taken down.