What is Phishing?
The term phishing is mainly used to describe attacks that arrive by email. These emails are crafted to look as though they have come from a trusted source.
Phishing can either land in your inbox as part of an untargeted mass email campaign asking for sensitive information like bank details or encouraging the recipient to visit a fake website, or it could be as part of a phased targeted attack against your organisation where the attacker is after something more specific such as your sensitive data. Targeted campaigns tend to have a lot more thought and effort put into them by the attacker as they will have researched your employees and company to make the email sound more realistic. This is normally referred to as spear phishing.
It can be difficult to tell whether an email is a phishing attempt by looking at the content alone, because some are very well copied and the software available to attackers has become far more sophisticated. There are, however, several things you can look out for that will help you decide whether the email should be trusted; these are covered in the next section.
How do you identify a phishing email?
Here are a few things to keep in mind when answering emails; they will help you spot a phishing attempt:
The message has been sent from a public domain:
Always check the sender's email address; no organisation will send emails from Gmail or Hotmail. The best way to check an organisation’s domain is to enter it into a search engine.
The email contains spelling or grammar mistakes:
You will rarely see mistakes in emails from companies, as most have departments that ensure the spelling in official communication is correct. Criminals trying to phish don’t have the same kind of resources, and sometimes it shows in their work.
The email is unusually urgent:
Cybercriminals like to create panic in whatever they send out, as this clouds judgement. Urgency takes a few forms, such as a restricted account or a payment you have supposedly missed. Look out for time-sensitive messages; they are a strong sign that you have become a phishing target.
The email contains suspicious links:
You can spot these links when the destination address does not match the context of the rest of the email. If the link is hidden behind a button, it is best practice to hover over the button and check the address shown at the bottom of your browser.
The email contains an unexpected attachment:
Until you know the email has been sent by a legitimate party, never open the attachment, because opening it can release malware onto your device.
The message is unexpected:
Are you expecting to see a message like this? Criminals often exploit current news stories, big events, or specific times of year (e.g. tax reporting) to make their scam seem far more relevant to you.
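Two of the cues above, the sender's domain and where a link really goes, can be checked mechanically. The following Python is an added example, not code from the original article: it parses a raw email, flags a sender on a public webmail domain, and flags any link whose visible text names a host different from the one its href actually points to. The sample message, the addresses and the hosts in it are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Webmail domains named on the page, plus two common peers (constructed list).
PUBLIC_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
# Simple anchors only: <a ... href="...">visible text</a>
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(value):
    """Hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "//" + value
    return (urlparse(value).hostname or "").lower()

def mismatched_links(html):
    """Links whose visible text names a host that the href does not actually go to."""
    found = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested tags
        host, shown = _host(href), _host(text)
        # Compare only when the visible text looks like a host; tolerate subdomains.
        if "." in shown and host and host != shown and not host.endswith("." + shown):
            found.append((text, host))
    return found

def phishing_indicators(raw_message):
    """Apply two mechanical cues from the page: public sender domain, mismatched links."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    sender = msg["from"].addresses[0].domain.lower()
    if sender in PUBLIC_DOMAINS:
        flags.append(f"sender uses public domain {sender}")
    body = msg.get_body(preferencelist=("html",))
    for text, host in mismatched_links(body.get_content() if body else ""):
        flags.append(f"link text {text!r} actually points to {host}")
    return flags

# Constructed sample message; every address and host here is a placeholder.
SAMPLE = """\
From: "Example Bank Support" <support.examplebank@gmail.com>
To: staff@example.org
Subject: Urgent: your account will be restricted
Content-Type: text/html; charset=utf-8

<p>Log in now at <a href="http://login.example.net/verify">www.example-bank.com</a>
or <a href="https://www.example-bank.com/help">help centre</a>.</p>
"""
```

Neither check proves an email is safe; a clean result only means these two cues are absent, and the other cues above (urgency, attachments, unexpected context) still apply.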
The importance of staff training
Human error remains one of the main contributing factors to cyber incidents and a major concern for most organisations. Leaving staff untrained while these sophisticated attacks take place puts your organisation at significant risk.
In a recent Financial Times article, Dimitrie Dorgan, a senior fraud risk manager, said that “in social engineering, the weakest link is the human using it.”
By improving digital literacy within your workforce, you not only lower the risk of security threats but also free up your IT team’s time, as less of it will be spent dealing with cybersecurity breaches. The threat landscape moves so quickly that you need to keep the workforce up to date regularly; annual training is no longer sufficient.
Want to know what topics you should consider when training your workforce? Click here to read our blog about Cyber Awareness Training.
Want to put that staff training into practice? Contact us to find out more about our phishing simulations.
For more guidance on the topic of phishing visit the guidance posted by The National Cyber Security Centre here.