What is Phishing?
Phishing is a type of cyber crime whereby hackers impersonate an individual, organisation or charity and send fraudulent emails, text messages or phone calls to potential victims. These communications encourage targets to take a second action, such as following a link to a website, giving sensitive information or sending money.
Phishing attacks can bypass cyber security measures, so employees must be cautious about following links in emails or giving any information over the phone.
Some common types of phishing attacks are:
Email phishing: The most common type of phishing attack. Cyber criminals impersonate companies or charities in an email, directing potential victims to click a link and enter personal information or pay for something. Any data entered can be seen by cyber criminals, including passwords.
Spear phishing: Spear phishing is a targeted form of email phishing. Cyber criminals already have some information about the target, such as their name, place of employment or job title. This allows the criminal to create more authentic-sounding messages to trick the target.
Whaling: A form of spear phishing, whaling is where cyber criminals target senior executives and high-ranking managers. These messages convey a sense of urgency, usually to transfer funds quickly.
Smishing: Cyber criminals send text messages posing as a company or charity. These messages work much the same way as email phishing.
Vishing: Cyber criminals call their targets and attempt to get them to give information, such as account credentials or credit card details, over the phone.
Angler phishing: Cyber criminals use social media to get information, encouraging targets to visit a fake website or download malware.
The most sophisticated attempts will utilise personal information. This includes referring to the target by name and using information such as their job title or place of work to lend credibility to the attack.
How do cyber criminals steal your information?
Phishing emails usually contain a link, either to a spoof website or to a software download.
Spoof websites impersonate genuine web pages, such as a login portal for Microsoft Outlook, but anything entered into them is captured ('phished') by the cyber criminals. Login details, bank account numbers and other sensitive data are exposed as soon as the target types them, and can then be used to launch further attacks.
Emails can also replicate invoices, or otherwise encourage targets to send money to what they assume is a legitimate account. These emails usually convey a sense of urgency, tricking the target to make the transaction before they can properly think about it.
The most harmful effects of a phishing attack:
As mentioned above, any information given over the phone or entered into a spoof website can be used by cyber criminals to carry out further attacks, such as using compromised login credentials to gain access to internal company networks.
From there, hackers can steal sensitive data on employees, partners and customers, holding it to ransom or selling it to other cyber criminals on the dark web.
Phishing attacks can be hugely damaging financially. Victims may send money to what they believe is a legitimate account of a customer or partner, but is instead an account held by cyber criminals.
Beyond monetary loss directly through the phishing attack, businesses may face financial penalties if they are found to be in breach of GDPR. These fines can be high, especially for small businesses that operate on tight budgets.
People are increasingly wary of businesses that misuse or mishandle their sensitive information. Beyond GDPR fines, companies that suffer a data breach may lose the trust of the public, leading to further financial loss as customers take their business elsewhere.
How to avoid phishing attempts:
- Emails that have a sense of urgency to try and rush the user into doing something out of the ordinary should be treated as suspicious.
- Always validate through another means of communication – don’t click on links in SMS/Email. For instance, if someone directs you to send money over the phone, hang up and ring the bank. If something doesn’t seem right – ask!
- Hover over links in emails to reveal the real destination, and make sure its web domain matches the organisation the email claims to be from and the address shown in the link text.
- It's easy to fake a sender's display name. Hover over or expand the sender field to see the actual email address, and check that its domain is legitimate.
- Be wary of attachments, whether PDF, HTML or EXE files, and double-check that invoices and order confirmations are expected and genuine.
- Don’t trust that it’s Microsoft ringing to fix issues on your computer!
- Be wary of anyone, over the phone or by email, asking you to use trusted remote-access tools such as Microsoft Remote, as these can be misused by hackers.
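Three of the checks above (urgency in the subject line, a reply address that differs from the sender's domain, and link text that shows a different host from the real destination) can be automated on inbound mail. The script below is an added example, not the article's or AAG's own tooling; the sample message and every domain in it are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration only; every domain is a placeholder.
SAMPLE_EMAIL = """From: "Accounts Team" <accounts@invoice-portal.example>
Reply-To: payments@different-sender.example
Subject: URGENT: invoice overdue, pay within 24 hours

<p>Pay now at <a href="https://pay.invoice-portal.example/x">https://portal.ourbank.example</a> or read our <a href="https://portal.ourbank.example/help">help page</a>.</p>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def analyse(raw_message):
    """Return a list of warnings; an empty list means none of the three checks fired."""
    msg, warnings = message_from_string(raw_message), []
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in ("urgent", "immediately", "within 24 hours", "suspended")):
        warnings.append("urgency: subject line pressures the reader to act quickly")
    sender, reply_to = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        warnings.append(f"reply-to: replies go to {reply_to}, not the sender domain {sender}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        # Visible text that itself looks like a URL must resolve to the same host as the href.
        if text.startswith(("http://", "https://")) and host_of(text) != host_of(href):
            warnings.append(f"link: text shows {host_of(text)} but href goes to {host_of(href)}")
    return warnings
```

Running `analyse(SAMPLE_EMAIL)` produces three warnings; the second link is not flagged because its visible text is plain words rather than a URL.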
Sample email for employees
Employers looking to inform their employees about the threat of phishing can use the sample email below as a template:
Phishing attacks are becoming more dangerous. Professional, legitimate-sounding emails are landing in employee inboxes at businesses like ours, encouraging them to click links to spoof websites or download malicious software.
Any information you enter onto a website or give over the phone can be used by cyber criminals to disrupt operations and cause data or financial losses.
As phishing attacks can bypass cyber security measures, you must remain vigilant and cautious of every email you open. Be wary of following links or opening attachments; if something doesn’t seem right, ask.
For more information about phishing attacks and advice on how to spot them, read this blog post by our security partner AAG.
Stay safe, and remain vigilant.