The rise of the internet and our ever-growing reliance on the convenience it provides has spawned a digital language, with a raft of new terms and slang entering the common vernacular – so much so that an emoji was named the Oxford Languages Word of the Year in 2015.
Another word – a real word – has emerged that leaves us with a distinctly less cheery expression on our face: phishing. This combination of ‘phreaking’ – an early form of hacking that involved reverse engineering phones to make free calls – and ‘fishing’ uses the analogy of an angler (the Cybercriminal) throwing a baited hook (the malicious email) into the sea of internet users and hoping the recipient bites.
The sheer volume of emails that are sent globally each day – around 306.4 billion – means they are the attack vector of choice for most Cybercriminals. After all, we don’t have time to forensically analyse every single message that lands in our inbox – and it’s this complacency that ‘phishers’ attempt to exploit.
What is a phishing scam?
Phishing scams are one of the easiest forms of cyber-attack to carry out – at least 3.4 billion fake emails are sent around the world every day – and one of the easiest to fall for. The Cybercriminal sends fake emails to thousands of potential victims purporting to be from a legitimate business such as a bank or client – 96% of phishing attacks arrive by email, although the scammer may also cast their net using social media or text message (vishing) too. Having opened the message, targets are typically instructed to click on malicious links or attachments that direct them to websites or documents that have been created to appear legitimate. Depending on the technique being deployed, they are then duped into:
• Providing sensitive information, such as login credentials or credit card details
• Sending money to individuals or organisations
• Downloading malware
Typical examples of phishing emails include:
• A message claiming your bank is verifying customer records due to a technical error that wiped out customer data
• An alert about ‘unauthorised or suspicious activity on your account’, asking you to confirm your credit card or bank details
• A malicious email attachment or ad that installs a Trojan, allowing the scammer to exploit loopholes and obtain sensitive information
Spear phishing attacks
Phishing emails are sent to a huge number of recipients at random, with the expectation that only a small proportion will respond. Spear phishing attacks, on the other hand, are targeted. They are carefully designed and crafted to get a specific individual in your business to respond to what appears to be a trusted source. The scammer selects a target within your business using social media or other public information, then crafts a fake email tailored to them, increasing the chances of fooling the recipient into divulging sensitive information, sending money or downloading malware.
How to identify phishing scams
Phishing emails are getting increasingly sophisticated and harder to spot – even for the most tech-savvy users. No matter how robust your business’s Cybersecurity strategy is, or how forensic your mindset, you will be exposed to phishing emails at some point, and on more than one occasion. You might not always be able to stop them being sent, but you can empower your employees to identify them using the following tips:
• The message is sent from a public email domain – legitimate organisations won’t send emails from an address that ends @gmail.com, @yahoo.com, @hotmail.com etc.
• The domain name is misspelt – your employees need to be eagle-eyed, because what appears to be a legitimate email address might have a subtle difference in its makeup.
• The email is poorly written – you can often spot a phishing email because it contains poor spelling and grammar.
• It includes suspicious attachments or links – phishing emails typically contain an infected attachment that you’re asked to download or a link to a bogus website.
• The message attempts to create a sense of urgency – scammers use attention-grabbing words in phishing email subject lines such as: urgent, request, important, payment, attention.
• It asks for personal or bank details, which all UK banks have confirmed they would never ask for via email.
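The tips above can be turned into a first-pass triage check that runs over incoming mail before anyone opens it. The Python script below is an added example, not code from this article or from any product it mentions; the trusted-domain list, the public-webmail list, the risky attachment extensions and the two sample messages are constructed assumptions. It implements the public-domain, misspelt-domain (edit distance plus a trusted name reused as a subdomain), urgency-word, personal-details and suspicious-attachment/link tips; the ‘poorly written’ tip is left to a human reviewer, since writing quality is not reliably scored in a few lines of code.

```python
"""Heuristic first-pass triage of incoming email, implementing the tips above.

Added example, not the article's own code. TRUSTED_DOMAINS, PUBLIC_DOMAINS,
RISKY_EXTENSIONS and the two sample messages are constructed assumptions.
"""
import re
from email.utils import parseaddr

# Assumed: domains this business legitimately receives mail from.
TRUSTED_DOMAINS = {"examplebank.co.uk", "ourcompany.co.uk"}
# Public webmail providers a legitimate organisation would not send from.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Subject-line words the article lists as urgency bait.
URGENCY_WORDS = {"urgent", "request", "important", "payment", "attention"}
# Requests no bank would make by email.
SENSITIVE_PHRASES = ("password", "pin", "card number", "bank details", "login details")
# Attachment types that are executable or commonly abused (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".iso", ".lnk", ".hta")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Lower-cased domain from a From: header such as 'Name <user@host>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if genuine or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            return None  # genuine subdomain, e.g. mail.examplebank.co.uk
        if levenshtein(domain, trusted) <= 2:
            return trusted  # e.g. examp1ebank.co.uk (digit 1 for letter l)
        if trusted in domain:
            return trusted  # e.g. examplebank.co.uk.secure-verify.net
    return None


def triage(msg: dict):
    """Score a message against the tips; returns (score, list of reasons)."""
    reasons = []
    domain = sender_domain(msg["from"])
    if domain in PUBLIC_DOMAINS:
        reasons.append(f"sent from public email domain {domain}")
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles trusted domain {imitated}")
    subject_words = set(re.findall(r"[a-z]+", msg["subject"].lower()))
    hits = sorted(subject_words & URGENCY_WORDS)
    if hits:
        reasons.append("urgency words in subject: " + ", ".join(hits))
    body = msg["body"].lower()
    # Whole-word match so that "pin" does not fire on "shipping".
    if any(re.search(r"\b" + re.escape(p) + r"\b", body) for p in SENSITIVE_PHRASES):
        reasons.append("asks for personal or bank details")
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"suspicious attachment {name}")
    for host in re.findall(r"https?://([^/\s]+)", body):
        target = lookalike_of(host)
        if target:
            reasons.append(f"link to bogus site {host} imitating {target}")
    return len(reasons), reasons


def verdict(msg: dict) -> str:
    """Two or more independent signals: hold for review; one: deliver with a warning."""
    score, _ = triage(msg)
    if score >= 2:
        return "quarantine for review"
    return "deliver with warning" if score == 1 else "deliver"


# Constructed sample messages (not real mail).
PHISH = {
    "from": "Example Bank Security <security@examp1ebank.co.uk>",
    "subject": "URGENT: unauthorised activity on your account",
    "body": "Please confirm your card number and PIN at "
            "http://examplebank.co.uk.secure-verify.net/login",
    "attachments": ["statement.pdf.exe"],
}
LEGIT = {
    "from": "Accounts <accounts@ourcompany.co.uk>",
    "subject": "Q3 invoice attached",
    "body": "Hi, the Q3 invoice is attached. Regards.",
    "attachments": ["invoice-q3.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = triage(msg)
        print(f"{label}: {verdict(msg)} (score {score})")
        for r in reasons:
            print("  -", r)
```

A message with two or more reasons is held for review rather than deleted, so a genuine mail caught by a single heuristic (for example a real invoice with ‘payment’ in the subject) still reaches the user with a warning, and the reasons list gives whoever reviews the quarantine something concrete to act on.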
Phishing defences: a multi-layered approach
Don’t just rely on your employees being able to identify phishing emails. While this is crucial, it should form part of a comprehensive strategy that considers three other layers of mitigation:
- Make it awkward for attackers to reach your users
  - Don’t let your email addresses be a resource for attackers:
    - Consider using anti-spoofing controls
  - Reduce the information available to attackers:
    - Consider what information you need to share on your website
    - Help your staff understand their digital footprint
    - Consider the information you share with third parties
  - Filter or block incoming phishing emails:
    - Check all incoming emails for spam and malware
- Protect your business against the impact of undetected phishing emails
  - Protect your devices from malware:
    - Ensure software and devices are always kept up to date with the latest patches
    - Limit administrator accounts to users who need privileges
  - Protect your users from malicious websites:
    - Deploy anti-virus software
    - Encourage users to use up-to-date browsers
  - Protect accounts with effective authentication and authorisation:
    - Consider setting up two-step verification
    - Consider using password managers
- Respond quickly to attacks
  - Detect incidents quickly:
    - Ensure employees know how they can report incidents
    - Consider implementing a security logging system to flag incidents your users are unaware of
  - Establish an incident response plan and practise it – from reporting an incident internally, scanning for malware and changing passwords, to reporting an incident externally
Report all attacks
Don’t punish employees if they get caught out – it happens to the most eagle-eyed of us at some point. Foster a positive security culture that encourages them to ask for help if they think they might be a victim of phishing. If you believe that your business has been targeted by a successful attack, you should report this through the Action Fraud website – the UK’s national fraud and cybercrime reporting centre – then share the findings with your employees to understand and learn from the experience. Many businesses apply the ‘it won’t happen to us’ mentality, but even some of the largest businesses and household names have fallen victim to phishing scams, so it is essential that you learn, adapt and protect your business from the inevitable.