Identifying and Avoiding Phishing Emails – Top Tips

What is phishing?

Phishing is a social engineering technique that attempts to trick users into disclosing sensitive data. Originally the goal was simply to steal personal and corporate information, but over time cybercriminals have developed other motives for phishing.

A major threat that phishing now poses is tricking individuals into launching malicious files on their computers. This can happen simply by clicking a link to an authentic-looking but bogus or compromised website, or by opening an attachment, giving the attacker a foothold on workplace systems. From there, scammers can go on to sabotage the system further, for example by installing malware such as ransomware.

When was the first phishing attack?

Back in the mid-1990s, when dial-up was the only internet access option, a group of hackers posed as AOL employees to steal users' log-in credentials and hijack their accounts, enabling the hackers to use the internet for free.

Obviously, cyber criminals want a lot more than free internet access nowadays.

Who is at risk from phishing attacks?

The simple answer is: everyone! Practically every individual and business in the world is susceptible to phishing. In a business context, the easiest route into corporate computer networks is through company employees, so they are the ones most frequently targeted. That includes management too. Absolutely no-one is out of bounds when it comes to phishing attacks, because scammers rely on human error in order for them to work.

Even though phishing attacks have been happening for decades, it is this reliance on human error that keeps phishing working. The best way to avoid and prevent successful phishing attacks is to be armed with the knowledge that helps you identify and report them quickly.

How to identify phishing emails

At first glance, phishing emails can look like they've been sent from somewhere you use and trust: an online shop, app or website, your bank or credit card company, or your mobile phone provider. By looking for the telltale signs listed below, however, you can be more aware and better able to defend yourself and your company.

  • Does the email have a sense of urgency?

Scammers know that most people don't act immediately; they prefer to go away and think things over before making a decision. Scammers don't want to give you that time; they want people to act quickly, because mistakes are far more likely that way. Bear this in mind, because nearly all phishing emails create a sense of urgency by telling some sort of story that something must be acted upon now!

Examples of these may include:

  1. An online bill or invoice is due or overdue and needs to be paid, now.
  2. There's a problem with an account or some payment information.
  3. There's been suspicious activity or log-in attempts on an account.
  4. There's been a service outage on an application and the user must log back in.

  • Does the email address look suspicious, or was it sent from a public email domain?

Always check the actual sender address, not just the display name your mail client shows; the two can differ, and a name like 'Accounts Department' tells you nothing about where the message really came from. For example, an established business will not send official correspondence from an address ending in '@gmail.com'. Business emails should reflect the business domain. (FYI: genuine emails from Google will come from '@google.com'.) Bear in mind that even the address itself can be forged unless the sending domain has email authentication (SPF, DKIM and DMARC) in place and your mail service enforces it, so treat a correct-looking address as necessary but not sufficient.

The domain should be affiliated with the sender. For example, using our own business domain, a genuine email from us would read: information@bpnl.co.uk. If the email domain isn't affiliated with the sender or business, alarm bells should be ringing.

  • Is the domain misspelt?

Also check that the domain has been spelt correctly. It's worth being very thorough here, because anyone can buy a domain name. For example, infomation@bprl.co.uk looks very similar to our genuine business address at a quick glance, but on closer inspection you can see that it's not (b-p-r-l rather than b-p-n-l, and the part before the @ is missing a letter too). Look out for swapped or doubled letters, a digit standing in for a letter (such as 1 for l, or 0 for o), and a different ending such as .com in place of .co.uk.

  • Does the email include suspicious links or attachments?

Although we're focusing on emails in this article, phishing can also arrive through phone calls, text messages and social media posts. Whatever form it takes, it will always include some sort of call to action. In emails, this is usually a link to a bogus website or an infected attachment that you're instructed to download or open.

Be very wary of any action being asked of you, and think about the points listed above. Hover over a link (without clicking) to see where it really leads; on a phone, press and hold it. The text of a link and its real destination can be completely different. Don't open attachments you weren't expecting, and never enable macros or "content" just because a document asks you to. If you suspect anything malicious, report it quickly to your IT department.
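As an added illustration of the sender, misspelt-domain and link/attachment checks described in the three sections above, here is a short Python script that applies them to a raw email. This is example code written for this page, not the author's or any vendor's tool. The trusted-domain list, the free-webmail list, the risky-extension list, the edit-distance threshold and both sample messages are constructed assumptions built around the bpnl.co.uk / bprl.co.uk example from the text; only the Python standard library is used.

```python
"""Heuristic checks for the sender, lookalike-domain, link and attachment tells.
Added illustration, not the article author's tooling: TRUSTED_DOMAINS, FREE_WEBMAIL,
RISKY_EXTENSIONS and the sample messages are constructed assumptions. Stdlib only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bpnl.co.uk"}   # assumption: your own domain(s)
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".lnk", ".iso")
LOOKALIKE_MAX_EDITS = 2            # bprl vs bpnl is one edit; keep small to limit noise
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
URLISH_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if levenshtein(domain, t) <= LOOKALIKE_MAX_EDITS), None)

def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare 'example.com/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url.strip()
    return (urlparse(url).hostname or "").lower()

def check_message(raw: str) -> list:
    """Return (tag, detail) findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Sender: judge the actual address, never the display name the client shows.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in FREE_WEBMAIL:
        findings.append(("free-webmail-sender", addr))
    if imitated := lookalike_of(sender_domain):
        findings.append(("lookalike-sender", f"{sender_domain} resembles {imitated}"))
    if sender_domain not in TRUSTED_DOMAINS and any(
            t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        findings.append(("display-name-mismatch", f"'{display}' but address is {addr}"))
    # Links: visible text naming one host while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in ANCHOR_RE.findall(text):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if URLISH_RE.fullmatch(label) and host_of(label) != host_of(href):
            findings.append(("link-mismatch", f"text says {host_of(label)}, href goes to {host_of(href)}"))
    # Any URL, in HTML or plain text, whose host imitates a trusted domain.
    for url in dict.fromkeys(URL_RE.findall(text)):
        if imitated := lookalike_of(host_of(url)):
            findings.append(("lookalike-link", f"{host_of(url)} resembles {imitated}"))
    # Attachments: executable content behind a document-looking name.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings

# Constructed sample: lookalike sender, mismatched link, double-extension attachment.
SAMPLE_PHISH = """\
From: BPNL Accounts <accounts@bprl.co.uk>
Subject: Overdue invoice - pay today to avoid suspension
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your invoice is overdue. Pay now at
<a href="http://bprl.co.uk/pay">https://bpnl.co.uk/invoices</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: a genuine message from the business domain.
SAMPLE_LEGIT = """\
From: BPNL Team <information@bpnl.co.uk>
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<p>This month's update: <a href="https://bpnl.co.uk/news">https://bpnl.co.uk/news</a></p>
"""
```

Calling check_message(SAMPLE_PHISH) returns five findings (a lookalike sender domain, a display name claiming BPNL over a bprl address, link text and href on different hosts, a lookalike link host, and a .pdf.exe attachment), while SAMPLE_LEGIT returns none. The edit-distance threshold is deliberately low: a short domain already has many two-edit neighbours, and a larger value would start flagging unrelated legitimate senders. None of this replaces SPF/DKIM/DMARC enforcement at the mail gateway; it is the kind of triage a help desk can run over a message a user has reported.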

  • Is the email poorly written?

When scammers craft phishing emails, they may have used a spell checker or translation tool if English isn't their first language. Everybody makes typos from time to time, but there's a noticeable difference between the odd typo and grammatical errors that a native speaker wouldn't make. So, if the message has all the right words but not in the right grammatical context, be aware! The reverse doesn't hold, though: a well-written email is not proof that it's genuine, so don't let polished wording override the other signs above.

What to do if you think you’ve fallen victim to a phishing attack

If you think you’ve fallen victim to a phishing attack, report it to your IT department as quickly as possible. They should have protocols in place to deal with the issue. Don't delete the email, as they will want to see the original, and don't forward it to colleagues. If you entered a password anywhere, change it straight away, along with any other account where you reuse it.

The world of cyber threats is ever evolving and phishing is just one part. If you are interested in learning more about the different elements of social engineering or how our IT services can help protect your business, please don’t hesitate to get in touch with us. We’d be happy to help.