In this blog, we will discuss phishing (unfortunately not the fun kind), exploring the different types of attacks, how to identify them, and how to deal with them. Did you know that over 80% of cyber attacks are related to phishing?
What is phishing?
Phishing is a simple but effective form of social engineering in which attackers try to dupe victims into taking an action that benefits the attacker, most often handing over login credentials or bank details. A successful phishing attack can be very costly, so the sharp rise in cases over the last year is a serious concern for both individuals and businesses.
Different types of phishing attack
A typical phishing attack involves a cybercriminal sending emails en masse; in fact, 96% of phishing attempts arrive by email. The aim of these emails is to steal sensitive information or to convince victims to install malicious software. 'Deceptive phishing' is the most common type, referring to fraudulent contact with unsuspecting individuals to obtain sensitive information. Other examples of phishing scams include:
- 'Spear phishing' refers to a targeted attempt to steal personal information from a specific individual, using details about that person to make the message convincing
- 'Vishing' refers to fraudulent phone calls or voicemails with the intent to obtain sensitive information from targets. Attackers might pose as your bank, for example
- 'Smishing' is the same as vishing, but attempts to obtain the information via text message
- 'Whaling' refers to a highly targeted phishing attack aimed at senior executives
Phishing attempts can be very convincing, designed to appear as though they come from a trustworthy source. People of all ages and at all levels of seniority can (and do) fall victim to them, and the economic and personal costs can be immense.
Common motives of hackers are:
- Stealing your information
- Using your computer to mine cryptocurrency (cryptojacking)
- Compromising company networks so that they cannot operate or serve their customers, for example as the first step of a ransomware attack
These attacks can be highly disruptive.
7 ways to identify a phishing attack
There are some ways to check if an email is suspicious. Here are some key features to look out for.
1. Verify the sender - does their email address match who they claim to be?
This is one of the first things you should look at when you receive a suspicious email. Check the actual address behind the display name, not just the name: an email from 'Your Bank' whose address sits on an unrelated or lookalike domain is a strong indication of a scam. Many mobile mail clients show only the display name, so tap or expand it to reveal the address. It is also worth checking the Reply-To address, which attackers often point at their own mailbox when the 'from' address has been spoofed.
2. Look out for personalization - genuine companies usually have personalized messaging
A legitimate company will normally address you by name. So look out for generic salutations such as ‘Dear Customer’, ‘Valued Customer’, or ‘To (your email address)’; if an email begins with one of these, the chances are it is a phishing email. The reverse does not hold, however: personal details can easily be harvested or forged, and a spear-phishing email will happily use your name.
3. Is the company information provided on the message accurate?
Double-check the contact information in the signature; a lack of contact details can be an indication of a scam.
Phishing emails often copy official company logos, so branding alone does not tell you whether an email is legitimate. If you have recently received a genuine email from the company, compare the two to see whether the branding and signature match. If you are still unsure, get in touch with the company to find out whether they have recently sent out customer communications – but don’t use the contact details in the suspicious email!
4. Is there a specific call to action?
Does the email contain messages with a sense of urgency? This is a typical characteristic of a phishing attempt. Here are some examples of phrasing commonly used:
- Act now before your account is suspended
- Don’t miss out on this great opportunity
- There has been an unauthorized login attempt on your account
If it does, think twice before following its instructions. You may well be falling into a phishing trap.
If the email asks you to send over personal details, the chances are it is fraudulent. Companies will not normally request passwords, PINs or full card details by email, so keep that information to yourself.
5. Poor spelling and grammar can be an indicator of a scam
Phishing emails aren’t known for exceptional spelling, so look out for spelling and grammar mistakes.
6. Often phishing emails include attachments
Phishing emails are often sent with attachments. If you were not expecting an email with an attachment, don’t open it! Attachments can carry malware that damages files on your computer, steals passwords, records everything you type, and can even spy on you through your webcam. Be especially wary of executable or script files (for example .exe, .scr or .js, sometimes disguised with a double extension such as invoice.pdf.exe) and of Office documents that ask you to ‘enable content’ or enable macros.
7. Don’t click the links!
Don’t click on suspicious links. Instead, hover your mouse over the link (or long-press it on a phone) and check that the destination it reveals matches both the link text and the domain you expect; the text of a link can say anything, and only the destination matters. If you need to check your account, open a new window and type the organisation’s address yourself rather than using the link. Links may also lead straight to downloads of .exe files that spread malicious software.
An advanced attacker may take care to cover all of the points outlined above, so it is crucial to stay cautious even when an email passes these checks...
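The checks above that a machine can help with (sender address versus the claimed organisation, a diverted Reply-To, generic salutation, urgency phrasing, requests for credentials, link text that disagrees with its destination, and executable attachments) can be scripted against a raw email. The following is an added example and not code from the original article: the keyword lists, the two-label "registrable domain" shortcut, and both sample messages are constructed for illustration, and points 3 and 5 (accurate company details, spelling) are left to a human reader.

```python
"""Heuristic phishing-indicator checks over a raw email, mirroring the points above.
Added example: keyword lists, domain shortcut and the two sample messages are assumptions."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("act now", "account is suspended", "unauthorized login", "don't miss out")
GENERIC_SALUTATION = ("dear customer", "valued customer", "dear user")
CREDENTIAL_REQUEST = re.compile(r"\b(password|pin|card number|sort code)\b")
EXECUTABLE = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk")  # not exhaustive


class BodyParser(HTMLParser):
    """Collect the visible text and every (anchor text, href) pair from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def registrable_domain(host):
    # Crude shortcut (assumption): keep the last two labels. A real check needs the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def analyse(raw, claimed_domain):
    """Return the indicators found in one raw message; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    if registrable_domain(from_domain) != registrable_domain(claimed_domain):   # point 1
        findings.append(f'From address {addr} ("{name}") is not in {claimed_domain}')
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable_domain(reply.rpartition("@")[2]) != registrable_domain(from_domain):
        findings.append(f"Reply-To {reply} diverts replies away from {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = BodyParser()
    parser.feed(body.get_content() if body else "")
    text = " ".join(parser.text).lower()
    if any(s in text for s in GENERIC_SALUTATION):                              # point 2
        findings.append("generic salutation instead of a personalised one")
    urgent = [p for p in URGENCY if p in text]                                  # point 4
    if urgent:
        findings.append(f"urgency language: {urgent}")
    if CREDENTIAL_REQUEST.search(text):
        findings.append("asks for credentials or payment details in the email")

    for anchor, href in parser.links:                                           # point 7
        target = urlparse(href).hostname or ""
        shown = urlparse(anchor if "://" in anchor else "http://" + anchor).hostname or ""
        if "." in shown and registrable_domain(shown) != registrable_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
        elif registrable_domain(target) != registrable_domain(claimed_domain):
            findings.append(f"link points to {target}, outside {claimed_domain}")
        if urlparse(href).path.lower().endswith(EXECUTABLE):
            findings.append(f"link downloads an executable: {href}")

    for part in msg.iter_attachments():                                         # point 6
        filename = (part.get_filename() or "").lower()
        if filename.endswith(EXECUTABLE):
            findings.append(f"executable attachment: {filename}")
    return findings


def build_message(from_, subject, html, reply_to=None, attachment=None):
    """Assemble a constructed sample message; nothing here is real mail."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_, "customer@example.org", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(html, subtype="html")
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: one with the classic indicators, one benign statement notice.
PHISH = build_message(
    '"Example Bank Security" <alerts@examp1e-bank-login.com>',
    "Unauthorized login attempt on your account",
    "<p>Dear Customer,</p><p>There has been an unauthorized login attempt on your account. "
    "Act now before your account is suspended: "
    '<a href="http://examp1e-bank-login.com/verify">https://www.example-bank.com/login</a></p>'
    "<p>Confirm your password and card number to restore access.</p>",
    reply_to="support@mail-handler.example.net",
    attachment="statement.pdf.exe",
)
LEGIT = build_message(
    '"Example Bank" <alerts@example-bank.com>',
    "Your March statement is ready",
    '<p>Dear Alice,</p><p>Your statement is ready at '
    '<a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a>.</p>',
)
```

Running `analyse(PHISH, "example-bank.com")` returns seven findings, one per indicator above, while `analyse(LEGIT, "example-bank.com")` returns an empty list. Treat the output as a prompt for a human decision rather than a verdict: a careful attacker can pass every one of these checks, and the two-label domain shortcut will misjudge country-code domains such as .co.uk.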
What should you do if you're a victim of phishing?
There are a few things you should do if you have followed a call to action in a phishing email:
- Change your passwords, starting with the account whose details you entered and any other account that shares that password, and turn on multi-factor authentication wherever it is offered
- As soon as you can, contact the company or bank directly, using contact details from their official website or the back of your card rather than from the email
- If you opened an attachment or installed software, disconnect the device from the network and report it to your IT or security team so it can be checked
- Close any accounts you know have been opened in your name
- Regularly review your bank and credit card statements, check for any unusual charges and credit inquiries, and report them
Cyber crime has become incredibly lucrative, and phishing is becoming increasingly common, targeting a wide range of industries and individuals. Because it is so profitable, it is critical to be more vigilant than ever. With our world becoming increasingly digital, make sure both you and your employees are prepared to identify and react to such threats.
For more information on how to protect your organization from phishing attacks read the NCSC guidance: https://www.ncsc.gov.uk/guidance/phishing