What is phishing and how can you protect yourself/your business against it?
Phishing is a fraudulent attempt to obtain personal information via email, typically by masquerading as a reputable company and directing users to enter personal information into fake websites or by getting the user to download a malicious attachment.
Phishing emails are certainly not a new trend. The first phishing attempt was recorded in 1990, and despite broad coverage in the press, most data breaches are still caused by phishing. Phishing scams are becoming increasingly sophisticated, so we need to be more vigilant. Think you could spot a phishing email? Why not find out with Google's handy phishing quiz.
There are several different tactics cyber criminals use to lure you in. Below is a short description of each type.
Spear phishing is a targeted attempt to steal data from specific individuals, businesses or organisations. This is how it works: the victim receives an email that looks as though it has come from a trustworthy source and that addresses them personally. The email usually contains a link that either leads to a spoofed website, where the victim is fooled into entering passwords, account numbers, PINs and so on, or asks them to download an attachment which installs malware onto their computer.
Clone phishing involves taking a previously delivered, legitimate email and cloning it, replacing the content with malicious links or attachments. These cloned emails can be difficult to identify, as the victim is likely to already receive emails from the “same” company. The clone is then delivered from a spoofed email address and can look identical to the original.
Whaling attacks are aimed at high-profile employees such as CEOs in order to steal sensitive information from a company, often manipulating victims into sending a high-value wire transfer to the attacker. These highly targeted emails often use business terminology and industry knowledge, which can make them very tricky to spot.
7 ways to avoid phishing scams
- Never give confidential information over email
Be wary of emails asking for confidential information such as bank details or account passwords. Legitimate organisations would never ask for such sensitive information via email.
- Don’t panic
If you are asked to do something urgently then calmly contact the organisation separately via a known channel to double check the message. Threats and urgent deadlines are often a sign of phishing so tread cautiously.
- Be wary of suspicious or shortened links
Hover over suspicious links before clicking on them: hovering reveals the link's true destination, and if it doesn't match the URL shown in the email, don't click it. Also be wary of shortened links, as these don't reveal their destination when you hover over them. Legitimate companies are aware of how suspicious these links look and usually don't use them.
- Think twice before downloading
Only open attachments from a trusted source. If you receive an attachment you weren’t expecting or if you aren’t sure what it contains then think twice before downloading.
- Use two-factor authentication
To protect yourself against any fraudulent activity, enable two-factor authentication whenever possible. This security process requires two methods of verification to access your account.
- Create strong passwords
Use strong passwords and try your best to use different passwords for different accounts.
- Report anything phishy to your IT service provider
Your IT provider can verify if an email is legitimate and educate your team to detect these threats going forward.
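The "hover to reveal the true destination" check above can be automated for an IT team triaging reported emails. The Python below is an added example, not code from the original article: it walks the links in an HTML email body and flags those whose visible text names one site while the href points at another, plus links to a URL shortener. The shortener list and the sample email are constructed for illustration.

```python
"""Flag links whose visible text names a different site than the real href,
or that point at a URL shortener. Added example; sample data is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Illustrative shortener hosts (assumption); extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
# Visible text that looks like a URL or bare domain, e.g. www.example.com/x
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host_of(url):
    """Lowercase hostname of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def find_suspicious_links(html):
    """Return [(text, href, reason)] for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        dest = host_of(href)
        if dest in SHORTENER_HOSTS:
            findings.append((text, href, "shortened link hides destination"))
        elif URL_LIKE.match(text) and host_of(text) != dest:
            findings.append((text, href, "visible URL differs from destination"))
    return findings

# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """<p>Your account is locked. Log in at
<a href="http://secure-login.example.net/reset">https://www.examplebank.com/login</a>
or via <a href="https://bit.ly/abc123">this link</a>.
Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>"""
```

Running `find_suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the help link alone, because its visible text and destination share a host.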