A recent survey reported that 90% of organisations had been subject to a phishing attack. You may have heard of ‘phishing’ but do not know what is it? By the end of this article you will understand what phishing is and the dangers of the scam.
What is phishing?
In short, phishing is a type of cyber attack that tricks people into:
- Clicking on a malicious link
- Disclosing confidential information
- Transferring money
When would I come across a phishing scam?
Any form of communication, including, text, email, letter and telephone. Scammers will use whatever channel that works, so the list goes on and it will continue to adapt.
What do phishing attacks look like?
Phishing attacks are usually under the guise of a reputable, trustworthy, household brands; Microsoft, Amazon, WhatsApp, Facebook, Outlook, Apple, Paypal, Netflix recently topped the most impersonated brands in phishing attacks. Coronavirus related phishing attacks have also been prevalent recently.
Why do scammers impersonate famous brands?
Scammers imitate trustworthy brands or government agencies because you are more likely to trust and follow their instructions. Combine this 'authority' with a message that creates urgency or emotion such as panic (payment failed), elation (register to claim tax back) or may satisfy your desires or if something is in short supply (fast track for coronavirus test/vaccine), and you can see how it is very easy to have a knee-jerk reaction and click on that dodgy link!
Aside from famous, everyday brands, you may be receive phishing scams from someone you know or a local business that you have been in contact with. When an individual is hacked, a hacker could send phishing scams to all contacts in their address book in the guise of the victim. If you receive a random email or Facebook message from a friend or relative asking to transfer money, definitely speak to them directly to double check the authenticity!
Many businesses fall victim to cyber attacks or data breaches. Similarly to the individual attack, you may get a malicious email or message from a business that you know.
Different types of phishing attacks
On a base level, there are two different types of phishing attacks; un-targeted and targeted (spear).
An un-targeted phishing attack will cast out some ‘bait’ to a large number of people. The cyber attacker's aim is to get anybody to click a malicious link that has usually been delivered by email.
As the title suggests, the attackers will not target a particular person or business. As the attack targets anybody, it makes the attacks quick to create and execute. The contents of phishing attacks change on a regular basis due to them having a short life before they get compromised and blocked. The majority of the time they are easy to spot and have a low success rate. Some may feel personal attacks and could even incorporate blackmail, but have been mass sent.
Targeted (spear) phishing
As you have probably guessed already ‘targeted (spear) phishing’ is an attack that will target a particular user or business. These attacks can take months to plan and execute as they take extensive research. The carefully thought out attacks will be highly personalised.
Imagine two people are fishing at a pool. A fisherman (untargeted phishing) will be trying to catch a fish in the pool. Meanwhile, a spear-fisher (targeted phishing) will be trying to catch a specific fish.
If you regularly use email, there’s a high chance you have received a phishing scam. Below are some real-life examples of phishing attacks, also read our article where the 'tells' of a phishing email are more closely examined.
The classic phishing email is being told you’ve won a too good to be true prize or amount of money? That’s because it is too good to be true. They are fake, they just want your bank account details and should be deleted as soon as you get them. Another method of getting bank details is by alerting people to a missed payment or problem with an online account. Often these E-mails will look like they’re coming from a bank or mobile phone provider telling the user they need to log in with their details. These E-mails will contain malicious links that should not be clicked under any circumstance.
Tells of a phishing attack
Some phishing scams are more obvious to spot than others. If you receive an email telling you have won an extortionate amount of money from an offshore bank account, it’s going to be fake. But what should you look for if the scams are more sophisticated and complex?
This is one of the main giveaways when it comes to phishing attacks. Would a multi-million-pound professional company really send an email littered with spelling and grammatical errors? We are a nation of skim readers and often miss even the most basic errors. If an email seems important, always double-check the authenticity.
As you can see with the above example the email, there are numerous grammatical errors:
- the vehicle holder had break the terms of parking’
- ‘Refference number’
- ‘if you think there are any mistake‘ (how ironic!)
Strange looking email address
Always be wary of unknown email addresses. Phishing attacks will usually be sent from rogue email addresses. Take a look at the example below:
Be careful - scammers are using exact domains in email
But do be careful, hackers are getting ever more sophisticated. The image below is an email, spoofing Microsoft Outlook. It uses the exact domain, and was recently used in a spearing attack to attain victim's Microsoft 365 login details/credentials.
The majority of phishing scams direct you to click on a link. Simply clicking on a link can be enough to cause damage. Your computer can be unknowingly infected with malware. Malware can log your movements and essential steal your data.
This can easily be prevented though. If you hover over a link within an email, the address that you would be set to (if you were to click) can be previewed. Before proceeding to click, alway view the address. Quite often it's very evident that you are being taken to a very different url to what is advertised.
Ideally you should never click a link within an email - it's best practise to contact the business directly. Search for the company directly in Google and contact them using their direct contact details. Always question links in emails, especially when you are not expecting them.
What should I do if I receive a phishing or suspicious email, call or text message?
- Always report/flag phishing emails.
- Forward the email to the Suspicious Email Reporting Service, email@example.com if you're unsure whether the email is legit. They can certify whether the email is a scam or not.
- Always work closely with your IT department or IT support to ensure you are working as a team to combat cyber threats.
- Text messages can be forward to 7726, a free-of-charge service that enables your provider to investigate the origin of the text. They will let you know if you need to do anything if it does turn out to be a scam.
- And of course delete/block any scam messages!
What should I do if I have already responded?
- Report it to your IT department or IT support if this has taken place at work.
- If you have given away any login details - contact the service provider. For example, if you have provided bank details, contact your bank, or if you have logged into your PayPal account, then get in touch with PayPal.
- Open up your anti-virus software if you have click on a link and let it do its work.
- Change your password if you have disclosed it. If you use the same email and login details for other account, change them too.
- If you have lost any money, then report it as a crime to Action Fraud (in England, Wales and Northern Ireland) and let your bank know.
If you’re looking to make your business cyber safe, remember to lean on an expert and ask lots of questions. Hopefully we have answered many of your questions about phishing in this article today.
Speak to an expert
If you still have questions about your business' cybersecurity, then why not schedule some time with one of our experts.
Sign up to our newsletter
If you want to keep up to date with the latest cybersecurity tips, then subscribe to our newsletter: