What is ‘Phishing’ and how do I recognise it?
Phishing is a social-engineering attack in which a fraudulent email, message or website is disguised as something legitimate in order to steal data (most often login credentials or payment details) or to get the target to install malware. It’s one of the oldest types of cyberattack, dating back to the mid-1990s, and it’s still one of the most widespread and damaging, with techniques becoming increasingly sophisticated and harder to detect. The goal of a ‘phish’ is to trick the recipient with a hook: for example an email crafted so that the target believes the message is genuine and something they want, such as a request from their bank or a notification from someone in their company. This is normally followed by a link to click on or an attachment to download.
The key to running a phishing scam is a convincing replica of a site that the target trusts. When you enter your username and password on the fraudulent site, you are handing the scammers your login details and, with them, access to your account. To keep you from realising you’ve been scammed, they sometimes pass the credentials straight on to the real site, so that it looks as though you have logged in normally. Your suspicions may only be raised when you find that your bank account is empty, or that you can’t log in to your email and your friends are receiving spam from you. Organisations are a higher-value target than individuals, because one compromised account can be a foothold into the whole company, but if the protections on a device or account are weak, anyone can fall victim.
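The relay described above, as an added example that is not code from the original article: the script below implements RFC 6238 TOTP with the Python standard library and a deliberately simplified stand-in for a WebAuthn assertion (an HMAC over the challenge and the browser’s origin instead of a public-key signature; the credential key and the example-bank domains are placeholders). Relaying a password plus a TOTP code from a fake page to the real site succeeds because the code is just a number the site cannot trace back to where it was typed; relaying the origin-bound assertion fails because the browser wrote the phishing origin into the signed data. This is the reason the two-factor advice later on the page prefers security keys.

```python
import hashlib
import hmac
import json
import secrets
import struct

# ---- TOTP (RFC 6238): HMAC-SHA1, 30-second steps, 6 digits ------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    return hotp(secret, now // step)


def site_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    """The real site checks the code. It cannot tell where the user typed it."""
    return hmac.compare_digest(totp(secret, now), submitted)


def relay_attack_totp(secret: bytes, now: int) -> bool:
    """Victim types the current code into the phishing page; the attacker
    forwards it to the real site within the same 30 s window."""
    code_typed_on_fake_page = totp(secret, now)  # what the authenticator app shows
    return site_verify_totp(secret, code_typed_on_fake_page, now)


# ---- Origin-bound assertion, modelled on WebAuthn ---------------------------
# WebAuthn signs a hash of clientDataJSON, which carries the challenge and the
# origin the browser actually loaded. Simplification (an assumption, not the
# real protocol): an HMAC with a per-credential secret stands in for the
# public-key signature, since only the origin binding matters here.
REAL_ORIGIN = "https://www.example-bank.com"        # placeholder domains
PHISH_ORIGIN = "https://www.example-bank-login.net"


def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                             sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(),
                   hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def site_verify_assertion(cred_key: bytes, challenge: str, assertion: dict) -> bool:
    data = json.loads(assertion["client_data"])
    if data.get("origin") != REAL_ORIGIN:
        return False  # signed on another origin: relayed from a phishing page
    if data.get("challenge") != challenge:
        return False  # replay of an old assertion
    expected = hmac.new(cred_key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def login_webauthn(cred_key: bytes, browser_origin: str) -> bool:
    """One login: the site issues a challenge, the browser (loaded from
    `browser_origin`) has the authenticator sign it, and the site verifies it.
    In the phishing case the attacker relays challenge and assertion unchanged."""
    challenge = secrets.token_hex(16)
    assertion = authenticator_sign(cred_key, challenge, browser_origin)
    return site_verify_assertion(cred_key, challenge, assertion)


if __name__ == "__main__":
    totp_secret = b"12345678901234567890"   # the RFC 6238 test-vector secret
    cred_key = secrets.token_bytes(32)
    print("TOTP relayed through fake page accepted:", relay_attack_totp(totp_secret, 59))
    print("WebAuthn from real origin accepted:     ", login_webauthn(cred_key, REAL_ORIGIN))
    print("WebAuthn relayed from phishing origin:  ", login_webauthn(cred_key, PHISH_ORIGIN))
```

The TOTP part is checked against the published RFC test vector, so the relay result is not an artefact of a broken implementation: the code is genuinely valid, which is exactly why an attacker who sees it can use it.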
Top 4 Types of Phishing Attack
Deceptive Phishing |
The most common type of phishing scam is deceptive phishing, which refers to any attack in which a fraudster impersonates a legitimate company and attempts to steal people’s personal information or login credentials. These emails frequently use threats and a sense of urgency to scare users into acting quickly and completing the attacker’s request.
For example, the scammers might send out an attack email purporting to come from Just Eat, instructing the target to click on a link in order to rectify a discrepancy with their account. In fact, the link leads to a fake Just Eat login page which collects every detail the user enters and delivers it to the attackers. The success of a deceptive phishing email relies on how closely it resembles the legitimate company’s usual correspondence: the branding, the wording and the kind of request being made.
Spear Phishing |
If you think of the traditional image of a fisherman aiming his spear at one specific fish, rather than casting a baited hook to see who bites, you will see the similarity with this technique. Spear phishing occurs when attackers craft a message or email aimed at a specific individual, customising it with the target’s name, position, company, work phone number and other details in an attempt to convince the recipient that they have a connection with the sender. The message has to appeal specifically to the target by presenting information that seems plausible, for example appearing to come from a co-worker. The spear phisher might pretend to be the victim’s manager requesting a large bank transfer at short notice. The goal is to lure the victim into clicking a malicious URL or opening an attachment, or into handing over personal data or money directly.
Spear phishing is especially easy to research on social media sites like LinkedIn, where attackers can find multiple sources of information to craft a targeted email. To protect against this type of scam, companies should invest in solutions capable of analysing inbound email for known malicious links and attachments, and should require a second, out-of-band check (such as a phone call to a number already on file) before any unusual payment request is acted on.
Smishing and Vishing |
The term “vishing” stands for voice phishing and involves the use of the phone, while “smishing” refers to SMS or text messaging. Both attacks aim to collect personal information. The attacker calls or texts the victim, pretending to be an operator, a support centre or a bank, and offers to help with a problem they claim to have noticed, for example an unusual transaction on the victim’s bank account. The criminal then asks the victim to provide payment card details to verify their identity, or to transfer money into a ‘secure’ account, which is in fact the criminal’s own account, without the victim realising what has happened.
Denial of service is often mentioned alongside phishing, but it is a different kind of attack and involves no deception of the user. It happens when a website is overloaded with more traffic than it was built to handle, so that it stops serving genuine users or goes down completely. This can happen for an entirely innocent reason, such as a surge of customers taking advantage of a ‘Black Friday’ event, but a sudden overload is often malicious, in which case the organisation loses the use of its system and cannot fulfil genuine requests.
Whaling |
Whaling attacks are even more targeted, taking aim at senior executives. The end goal of whaling is the same as any other kind of phishing attack, but the technique tends to be a lot subtler. Obvious tricks such as fake links and malicious URLs are less useful here, as the criminal is imitating a member of staff and relies on a plausible written request rather than on getting the target to click anything.
Scams involving fake tax forms are increasingly common. Tax forms are highly valued by criminals because they contain a host of useful information: names, addresses, Social Security numbers and bank account details.
Spotting The Signs
To avoid the embarrassment of handing your sensitive data to a fraudster, make use of the tools available to you, such as a password manager (which will not auto-fill your password on a look-alike domain) and the phishing-detection features of your antivirus or browser. Keep your eyes open: if a page comes with a suspicious-looking link, or there is no HTTPS lock in the address bar, or anything else looks wrong, don’t touch it! Bear in mind that the lock only means the connection is encrypted; phishing sites routinely obtain valid certificates, so its presence is no proof that the site is genuine. Trust your instincts!
- Educate yourself and your team about phishing so that everyone understands what it is, how to detect it and how to protect themselves.
- Always check where a link really leads before you click on it. Hover over the link to see the real address, and look at the domain carefully: the visible text is only a label and can say anything, and look-alike domains (extra words, swapped letters, international characters) are common. If in doubt, type the organisation’s address into your browser yourself rather than following the link.
- Be wary when opening attachments, especially from senders you don’t know, as these might carry malware designed to steal personal or financial information. A compromised colleague’s account is exactly what spear phishers use, so a familiar sender is not a guarantee either.
- Use an email security solution that analyses incoming messages with machine-learning models, so that detection can keep pace with attackers who constantly vary their lures and rotate sending domains.
- Enrol in strong two-factor authentication to make it harder for phishers to take over an account with a stolen password. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys: a code sent by SMS or generated by an app can be relayed to the real site by a phishing page in real time, whereas a security key binds its response to the genuine site’s domain.
- Don’t disclose any data if you are unsure, especially in response to cold calls and unsolicited emails! It’s easy to panic when you’re on the phone being told your bank account has had suspicious activity. Phishers often pretend to be someone else, e.g. your bank or HMRC, so that the target believes they are talking to someone they can trust and hands over key information. Hang up and call back on the number printed on your card or on the organisation’s official website.
- Don’t reuse passwords: if a hacker gets into one account, they can get into the others! Change a password straight away if you suspect it has been phished or exposed in a breach. Rotating passwords on a fixed schedule matters far less than making each one unique and strong; current NCSC and NIST guidance no longer recommends routine expiry, because it tends to produce weaker, predictable passwords.
- Be vigilant! If an email is badly worded or littered with spelling mistakes it’s probably a scam. Legitimate companies spend time crafting the emails they send and proof-read them, so bad grammar and dodgy spelling are likely to be caught beforehand. The reverse does not hold, though: a well-written email with a convincing logo can still be a phish, so judge the request, not just the prose.
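As an added example (not code from the original article), the Python script below applies the ‘hover over the link’ and HTTPS checks from the list above to a constructed HTML email: it pulls every link out of the message, compares the domain the visible text claims with the domain the href really points to, and flags non-HTTPS links, raw IP addresses and punycode domains. All domains in the sample are placeholders, and the two-label registrable-domain heuristic is an assumption that a real tool would replace with the Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. All domains are placeholders (example-bank.com,
# example.net, the RFC 5737 test address 203.0.113.7), not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, we noticed a discrepancy on your account.</p>
<p>Please <a href="http://account-verify.example.net/login">log in at
https://www.example-bank.com/login</a> within 24 hours.</p>
<p>Or use <a href="https://www.xn--exmple-bank-cua.com/">www.example-bank.com</a>.</p>
<p>Download <a href="https://203.0.113.7/statement.pdf">your statement</a>.</p>
<p>Help centre: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse newlines/extra spaces so the displayed text is one string.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# A domain-looking token in the visible text, with or without a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Last two labels as a stand-in for the registrable domain. Assumption:
    good enough for a demo; a real tool would consult the Public Suffix List
    so that e.g. 'bank.co.uk' is not reduced to 'co.uk'."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href: str, text: str) -> list:
    """Return the warning signs for one link; an empty list means none found."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("not https")
    if is_ip(host):
        findings.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (internationalised) domain, possible look-alike")
    shown = DOMAIN_RE.search(text)
    if shown and not is_ip(host) and registrable(shown.group(1)) != registrable(host):
        findings.append(f"text shows {registrable(shown.group(1))} but link goes to {host}")
    return findings


def analyse_email(html: str) -> list:
    """Return [(href, visible text, findings)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, analyse_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in analyse_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for finding in findings:
            print("   !", finding)
```

The script mirrors what a careful reader does by hand: the displayed text and the real destination are two separate things, and only the latter matters. The one link the script passes is the one whose visible text and href agree on the domain and which uses HTTPS; the others each trip a different check.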