
12 Days of Phishmas: Staying vigilant during the festive season


With the festive season rapidly approaching, we start trying to speed through our to-do lists to wrap up for our time off. It’s likely our ability to recognise red flags may falter. Unfortunately, cybercriminals aren’t mentally writing their out of office emails. This is a prime time for them to strike when people’s guards are down. In December 2022, The Guardian and Arnold Clark were both hit with massive ransomware attacks immediately before Christmas.

Since 2019, almost 15,000 cyber-related data incidents have been reported. Cyberattacks are now so prominent in the UK that the attitude is shifting from “if” to “when”. The risk of cyberattacks is high in all sectors, with 50% of businesses and 32% of charities experiencing some kind of cybersecurity breach or attack in the last 12 months. The most prominent method was “phishing”, which affected 84% of the businesses and 83% of the charities who reported a breach.

What is phishing?

Phishing is a type of cyberattack in which attackers lure victims into taking an action that benefits the attacker. This could include divulging personal data, installing a malicious file or clicking on a malicious link. It is most commonly done through fraudulent emails, messages or websites which appear to be from real, reputable sources. We have all laughed at an obviously spam email, from those stating we’ve won a car to those claiming to be from Jeff Bezos, telling us our Prime payment has been missed and to just click the link. Unfortunately, as awareness of phishing emails rises, cybercriminals have had to become more sophisticated.

Business Email Compromise, where cybercriminals take control of a business account and from there send huge quantities of emails to addresses in its inbox, means there is an increased likelihood of you receiving a malicious email from a known contact. The use of AI to craft tailored phishing emails means the easy-to-spot email will become a thing of the past.

Top tips for staying vigilant

  • Take your time reading emails
  • Be sceptical of unsolicited emails, even from known contacts
  • Check the sender’s email address
  • Look for red flags
  • Avoid clicking on suspicious links
  • Verify requests for sensitive information
  • If you’re unsure, ask for a second opinion
  • Report suspicious emails to your IT department or security team
  • Follow the guidance of the National Cyber Security Centre

What to do if you experience a data breach

If you are unfortunate enough to fall victim to a phishing attack (or experience any other information security breach), we recommend that you immediately follow your own organisation’s internal information security management processes.

Successful phishing attacks are likely to lead to some sort of personal data breach. Certain data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. In some cases, the affected individuals must also be informed without undue delay. Even if the breach does not require to be notified to the ICO, you must still keep a record of it. If you fail to notify the ICO of a breach when required to do so, you may be fined up to £8.7 million or two per cent of your global turnover.

If you require any Data Protection advice, contact our Corporate, Commercial & Regulatory team.
