Deceptive Phishing |

The most common type of phishing scam is deceptive phishing, which refers to any attack where a fraudster impersonates a legitimate company and attempt to steal people’s personal information or login credentials. Those emails frequently use threats and a sense of urgency to scare users moving swiftly and completing the attackers’ request.

For example, the scammers might send out an attack email for Just Eat, instructing the target to click on a link to rectify a discrepancy with their account. In fact, the link leads to a fake Just Eat login page which is collecting all the details the user inserts and delivers them to the attackers. The success of a one of these deceptive phish emails, relays on realistic and closely the attack email resembles a legitimate company’s usual correspondence method.

Spear Phishing |

If you think of the traditional image of a fisherman aiming his spear at one specific fish, rather than just casting a baited hook to see who bites, you will see similarities between this, and techniques used by scammers. Spear Phishing occurs when attackers try to create a message or email aimed at a specific individual, by customising it with the target’s name, position, company, work phone number and other information to trick the recipient into believing that they have a connection with the sender. They must make the messaging appeal specifically to the target by tempting them with information that seems plausible as though, for example it is coming from their co-workers. The spear phisher might pretend to be the victim’s manager requesting a large bank transfer on short notice. The goal is to lure the victim into clicking on a malicious URL or email attachment, so that they will hand over their personal data.

Spear-phishing is especially common on social media sites like LinkedIn, where attackers can easily find multiple sources of information to craft a targeted attack email. To protect against this type of scam, companies should invest in solutions that are capable of analysing inbound emails for known malicious links and email attachments.

Smishing and Vishing |

The term “vishing” stands for “Voice Phishing” and involves the use of the phone, whilst smashing stands for SMS or text messaging. Both attacks have the objective of collecting certain personal information. The hacker calls or texts the victim, pretending to be an operator, support centre or a bank with the intention of helping the victim with an issue they have noticed – for example with an unusual transaction from their bank account. The criminal will then ask the victim to provide payment card details to verify their identity or to transfer money into a ‘secure’ account – which is actually going into the criminal’s account live, without the victim even realising what has happened.

Whaling |

Denial of Service happens when a website becomes too overloaded with more traffic than it is built to handle. This results in the website preventing users from accessing it’s content, by shutting down completely. Naturally this can happen for a completely innocent reason, such as an over splurge in customers taking advantage of a ‘Black Friday Event’. However, nine times out of ten an overload in traffic will have malicious intentions. As a result, an organisation can lose access to their system and become unable to fulfil genuine requests.

Whaling attacks are even more targeted, taking aim at Senior Executives. The end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler. Tricks such as fake links and malicious URLs aren’t useful in this instance, as criminals are attempting to imitate staff.

Scams involving fake tax returns are an increasingly common. Tax forms are highly valued by criminals as they contain a host of useful information: names, addresses, social Security numbers and bank account information.

To avoid the embarrassment of giving away your sensitive data to a fraudster, make use of available resources such as password managers and the phishing-detection system in your antivirus. Keep your eyes open, if a page comes with a suspicious looking link, if there’s no HTTPS lock in the address bar and it looks wrong in any way, don’t touch it! Trust your instincts!

Some top ways of protecting yourself include:

• Educate yourself and your team about phishing so that everyone understands what it is, how to detect it and how to protect themselves.

• Always check the authenticity of the link before you click on it. You can do this by hovering over the link, as this will tell you the real address, or copy and paste the link into a search engine.

• Be wary when opening attachments from senders you don’t know, as these might contain viruses designed to steal personal or financial information.

• Use AI to build a robust phishing detection system, that can keep up with security detection.

• Enrol strong two factor authentication and make it more difficult for phishers to compromise accounts and passwords.

• Don’t disclose any data if you are unsure, especially through cold calls and emails! It’s easy to panic when you’re on the phone and being told your bank account has had suspicious activity. Phishers often pretend to be someone else i.e. your bank or HMRC, which leads to their target believing they are talking to someone they can trust and ultimately hand over key information.

• Change your passwords – it’s best practice to change them every now and then and not use the same password for multiple accounts. If a hacker gets in to one, they can get into others!

• Be vigilant! If an email is badly worded or littered with spelling mistakes, it’s probably a scam. Legitimate companies will spend time crafting emails they send and they’re likely to proof-read them too, so bad grammar and dodgy spelling are likely to be picked up beforehand.