In our latest cyber security deep dive, we’re looking at phishing:
– What it is.
– Why it’s still a threat.
– And what to do about it.
Phishing is one of the most common forms of cyber-attack and one of the most effective. In fact, 91% of cyber-attacks begin with an email (even if the final breach used other methods). Not only that, but 1 in 5 attacks are successful. If even one of your employees fell foul of a phishing attack, it could spell disaster for your business. The chances are you’ve heard of phishing before, but you may not have all the information you need. We’ve got all that here.
What is phishing?
Phishing attacks usually come in the form of an email mimicking something you trust. They’re so called because they act as bait for unsuspecting victims to get caught in a scam. Like other social engineering attacks, they play on your trust to get you to take an action you wouldn’t otherwise take, such as handing over personal information or even money.
They usually fall into two categories: Mass Phishing and Spear Phishing.
Mass Phishing attacks involve hundreds or thousands of emails with a common theme being sent to various individuals or companies. They will be generic and will probably be related to a company that a lot of people use. For example, it might tell you your subscription to a service like Netflix has expired and you need to update your payment details. It will then take you to a fake page to fill those out. Many will ignore it, but criminals are hoping a few people will be caught in the net.
Spear Phishing, on the other hand, is highly targeted. The attacker personalises each email for an individual they already hold some data on. That prior knowledge gives them a foothold and lets them make the ruse more convincing. Whatever access they gain may be used to steal information or money directly, or to launch further social engineering attacks. Either way, these emails can be harder to spot.
Why is awareness of Phishing still important?
Maybe you’re thinking Phishing sounds like something from the past. Surely, with the advancement of technology, ‘low-tech’ approaches like this are no longer effective? But it’s precisely because of that low-tech approach that they remain a popular choice of cyber-attack for criminals. Yes, very few people are going to fall for a poorly worded email from a foreign prince offering vast sums of wealth, but these days Phishing emails are more convincing than that. And there are more of them out there than ever. Spam emails accounted for over 45% of email traffic in 2021, and that’s just the ones that were detected.
Phishing attacks today are effective because they try to catch out victims with common everyday behaviour rather than unbelievable promises. The message these days is more likely to be along the lines of ‘Your account has been suspended’, ‘Postage needs paying’ or ‘Your tax return has not been filed’. They also imitate believable brands and organisations, from domestic services like the NHS and Royal Mail to well-known brands such as Apple, Amazon and Microsoft. They’re hoping you won’t second-guess the appearance of these names and logos and won’t think twice when they ask you to do something that is believable.
As we mentioned in our blog on social engineering, we can get better at defending against software and technology, but humans will always be a weak link.
What are the risks of Phishing to your business?
The potential rewards for cyber criminals from this kind of attack are significant, so they will continue to happen. But what does this mean for the average business? Of course, the most obvious risk is financial loss. This could come through giving away access to bank details, making payments to another account, or ransomware that results in a ransom being paid. We wrote about ransomware in our other post.
Another danger is data loss, which, apart from being a nuisance and leaving you open to future attacks, could also land you in hot water under the GDPR. An indirect result of such an attack is potential reputational damage to your business. If someone within your business is being impersonated and the criminal launches a spear phishing campaign against your suppliers or customers, it’s not going to be a good look.
What to look for to prevent phishing
Of course, not all hope is lost. We’ve provided strategies to prevent cyber-attacks of this nature before, but we’ll recap some of the things to look out for. Broadly speaking, defending against this kind of attack comes down to the individual vigilance of your staff.
They need to be looking at:
- The sender’s email address. Does it look legitimate, or does it have too many words and punctuation marks?
- Email subject line. Is there one? Does it make sense or give anything away?
- Other recipients. Almost any marketing or communication email from an organisation is highly unlikely to have other recipients named on the email; they should all be hidden. So, if you can see other people’s email addresses on the email, treat it with caution.
- The design. How well is it designed? Are there clear faults that give it away?
- Attachments. You should preview and check any attachments that come with an email. If you don’t recognise the file type, it’s probably best not to deal with it.
- Context. Question whether you were expecting this email and if not, do the claims they’re making add up. If it’s something sensitive you’re more likely to get an actual letter than an email.
You should also check links, and only click on something if you’re certain it can be trusted. Your antivirus software should at least protect you from anything that would cause an immediate threat.
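The checklist above can also be applied mechanically as a first pass before a person looks at a suspicious message. The script below is an added example and not code from the original post: it parses a raw email with Python’s standard library and reports the same tells the list describes (a padded or mismatched sender domain, a missing subject, many visible recipients, an unrecognised attachment type, and links whose visible text and real target disagree). The two sample messages, the recipient threshold and the attachment allow-list are constructed assumptions for illustration.

```python
# Added example (not from the original post): apply the phishing checklist
# above to a raw email. Thresholds and the allow-list are assumptions.
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAFE_ATTACHMENT_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "txt", "csv"}  # assumed
MAX_VISIBLE_RECIPIENTS = 3  # assumed: more visible recipients than this is unusual
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)

# Constructed sample: a fake "parcel fee" lure with the classic tells.
SAMPLE_EMAIL = """\
From: "Royal Mail" <notifications@royalmail-parcel-fee.example-mail.top>
To: alice@corp.example, bob@corp.example, carol@corp.example, dave@corp.example
Subject:
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<p>Your parcel is waiting. Pay the fee at
<a href="http://198.51.100.23/pay">https://www.royalmail.com/track</a></p>
--B
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--B--
"""

# Constructed sample: an ordinary internal notice that should raise nothing.
CLEAN_EMAIL = """\
From: helpdesk@corp.example
To: alice@corp.example
Subject: Planned maintenance on Saturday

The mail server will be offline between 08:00 and 09:00.
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no tells found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender address: too much punctuation, and display name vs. real domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    labels = domain.split(".")
    if domain.count("-") >= 2 or len(labels) >= 4:  # assumed heuristic
        findings.append(f"sender domain has unusual punctuation: {domain}")
    # Crude registrable-domain approximation: last two labels (ignores co.uk etc.).
    registrable = "".join(labels[-2:])
    brand = re.sub(r"[^a-z0-9]", "", name.lower())
    if brand and brand not in registrable.replace("-", ""):
        findings.append(f"display name '{name}' does not match sender domain {domain}")

    # 2. Subject line: is there one at all?
    if not (msg.get("Subject") or "").strip():
        findings.append("empty or missing subject line")

    # 3. Other recipients visible in To/Cc.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > MAX_VISIBLE_RECIPIENTS:
        findings.append(f"{len(recipients)} recipients visible in To/Cc")

    # 4. Attachments whose file type is not on the allow-list.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.rpartition(".")[2].lower() not in SAFE_ATTACHMENT_EXTENSIONS:
            findings.append(f"unrecognised attachment type: {filename}")

    # 5. Links: visible text naming one site while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            if DOMAIN_LIKE.fullmatch(text):
                text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
                if text_host != href_host:
                    findings.append(f"link text '{text}' but target host is '{href_host}'")
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
                findings.append(f"link points at a bare IP address: {href}")
    return findings


if __name__ == "__main__":
    for line in check_email(SAMPLE_EMAIL):
        print("-", line)
```

The brand-versus-domain comparison is deliberately crude (it only looks at the last two labels of the sender domain), so treat the output as a prompt for a human to look closer, not as a verdict; a clean result from this script says nothing about whether the sending account itself has been compromised.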
Won’t my spam filter stop this from getting through?
You might question whether you would ever get an email like this, considering most email clients and cyber security software have built-in filters for spam emails. Of course, as we hinted above, this isn’t always enough. If it’s a targeted attack that’s been initiated by hacking someone else’s computer, the email may come from a genuine account. If there aren’t any links that might be seen as malicious (it goes to an apparently legitimate, certified site), then it might slip under the radar. You should always check if you think something looks fishy.
In conclusion, be vigilant, and if you’re unsure about anything that appears to have come from within your organisation, get up and check with a real person! Whatever you do, don’t reply asking for proof. If it’s a truly targeted attack, there’s probably someone on the other end who will simply attempt to keep up the ruse.
We hope you never get caught out by one of these attacks but if you feel you need extra protection or help with your cyber security, we’d be happy to chat.