Phishing: All you need to know.

According to the 2018 Verizon Data Breach Investigations Report’s Phishing Statistics, 30% of phishing messages are opened by targeted users, and 12% of those users click on the malicious attachment or link.

In simple terms, phishing is a type of scam whereby cyber-criminals trick a target into doing what they want, whether that be entering credentials into a fake website, clicking on a malicious link, or altering bank details so that payments go to fraudsters instead of the correct account.


Phishing is one of the oldest cyber threats in history as well as one of the most common forms of cyber-attack, and yet it is still one of the most effective. Not only is it easy to carry out, but it is easy to fall for if targets do not stay vigilant. Businesses, of course, are a particularly worthwhile target for cyber-criminals.


As more and more people rely on technology, and therefore the internet, to keep going throughout the pandemic, criminals see this as a special opportunity to launch attacks on unsuspecting users. In April 2020, Security Boulevard found a 600% rise in phishing campaigns. Such criminals are using coronavirus to their advantage and are disguising their emails to appear as if they have been sent by medical authorities such as the World Health Organisation (WHO), a topical organisation amid the worldwide pandemic.

With so much uncertainty in the world economy in 2020/1, it has never been more important for businesses to stay protected from devastating attacks by learning about phishing and how scammers use it to exploit their victims. The effects of a phishing attack are detrimental at the best of times, let alone amid a global pandemic. IBM reports that a successful phishing attack costs a company an average of £3m.

By pooling our knowledge of cyber-security over the past decade and what we have seen throughout the pandemic so far, we have put together this guide on phishing to provide you with useful information which will help prevent your business from becoming a victim.

What is phishing?

A phishing attack occurs when a scammer attempts to trick victims into giving away personal information. Data wanted by such scammers can range from personal or corporate emails and passwords to financial information such as credit card details or online banking credentials. Once in the hands of cyber-criminals, it can be used for several purposes: for example, it can be sold on the dark web (an overlay of networks that requires specific tools and software in order to gain access), used to buy things, or used for identity theft. In some cases, it is even used for blackmail or to embarrass victims.

Phishing is also a popular way for cyber-criminals to deliver malware to victims, by encouraging them to click on a link or download an attachment. Either action can load malware and other malicious content onto the device, which could result in company data being held for ransom.

Anyone can be the target of a phishing attack, and all it takes is an uninformed employee to click on a malicious link or enter their details into a fake webpage for your business to become the next victim.

How does a phishing attack work?

Over the years, we have all become familiar with the classic spam email and learnt how to dodge it. However, phishing emails can look deceptively credible. Advances in technology have resulted in cyber-criminals becoming more sophisticated than ever before. As a result, they have found new ways to evolve age-old techniques and make their disguises even harder to uncover.

The precise mechanics of each scam vary. However, usually via email, phone or text, cyber-criminals manipulate users into trusting them so that they hand over or enter valuable information. For example, the target may be tricked into clicking on a link which takes them to a fake web page. The aim here is for the target to enter personal information which can then be stolen. This method is regularly used by PayPal scammers, who instruct targets to click on a link to rectify a discrepancy with their account. The link redirects to a fake PayPal login page which collects the victim’s credentials and sends them to the scammer.


Email tends to be the most common method of performing phishing attacks due to the sheer number of emails that are sent every day. Experts estimate that 3.7 billion people send around 269 billion emails every single day. Symantec research suggests that nearly one in every 2,000 of these emails is a phishing email, meaning roughly 135 million phishing attacks are attempted every day.

What about spear phishing?

Spear phishing is a far more advanced and precise attack than regular phishing, which is more of a dragnet strategy. Fraudsters use social engineering techniques with spear phishing to aim messages at specific organisations or individuals. For example, cyber-criminals will collect information on their target over time, then craft the email with the target’s name, position, company and much more to deceive the recipient into thinking they have a connection with the sender. In these attacks they spoof the sender name so that it appears as if the email or text is coming from someone the target trusts, e.g. their company CEO or another executive.

A common example of spear phishing we see among businesses is when an employee receives an email from their ‘boss’ asking them to process a bank transfer. It will almost always include some form of urgency and say that the sender is busy, as this makes someone less likely to follow it up. While it appears to come from their ‘boss’, it is in fact a cyber-criminal who has spoofed the email. Emails like this should always be followed up with a phone call to your boss or the ‘sender’ if possible.


Although these types of scams take more effort, there is normally a bigger potential payback for fraudsters. Spear phishing attacks have been used as the entry point for a number of high-profile cyber-attacks and breaches. For instance, only recently did we see Twitter confirm that its employees were tricked into giving hackers their credentials, which gave them access to the accounts of Bill Gates, Jeff Bezos, Joe Biden, and others.

What about Business Email Compromise?

If you’re a business, there is also the chance that cyber-criminals will attempt to appear as your business to scam customers and others close to you. Known as Business Email Compromise (BEC), this form of targeted phishing attack has been on the rise over recent years and has been very successful.

The impacts of BEC can go far beyond monetary loss: the reputational damage is far more concerning. For example, if an email appeared to have come from your business which scammed a customer or installed malware onto their device, they may no longer trust you and may pass on their bad experience to others. In a study of 2,000 survey participants, nearly 87% said they would not (or were not very likely to) do business with a company that has faced a data breach involving credit or debit card information.

Fortunately, as part of our commitment to providing proactive IT support, we introduced Domain-based Message Authentication, Reporting & Conformance (DMARC) to our portfolio of services. Since then, it has been successful in helping prevent cyber-criminals from appearing as businesses. You can find out more about it here.

How can you stay protected?

Regardless of the technology or target, deception will always be at the core of phishing attacks. Therefore, training, training and more training on phishing attacks and how to spot one is key when trying to stay protected.

While some phishing emails are so sophisticated that even the message looks authentic, there are some key giveaways which will make it clear that it is in fact an attempted attack. Some of these include:

  • Legitimate organisations won’t request sensitive information via email
    • Most organisations will not send you an email requesting passwords, credit card details, or anything else personal, nor will they send you a link from which you need to log in. So, if you receive an unsolicited email from an organisation including a link or attachment which asks you to provide sensitive data, the chances are it is a scam.
  • Legitimate organisations will usually call you by your name
    • Typically, phishing emails use generic greetings such as “Dear valued member”, “Dear account holder” or “Dear customer”. However, some hackers avoid this altogether, and with spear phishing they will use your first name, so it is always worth checking the other elements of the email. More on that below.
  • Legitimate organisations have domain emails
    • Don’t just check the name of the person sending the email; the display name can easily be changed. Check the actual email address by hovering your mouse over the ‘from’ address. If the name and address do not match, or the ‘from’ address looks shady or has alterations, it is probably a phishing email.
  • Legitimate organisations know how to spell
    • Probably one of the easiest giveaways is an email with bad grammar and spelling. Emails from legitimate organisations are normally well written. According to experts, there is actually purpose behind this: scammers prey on those who are less educated, believing them to be less observant and therefore easier targets.
  • Legitimate organisations don’t send unsolicited attachments
    • In general terms, authentic organisations won’t randomly send you an email with an attachment but will instead direct you to download documents or files from their own website. However, this isn’t always the case. Keep an eye out for high-risk attachment file types, which include .exe, .scr and .zip. If in doubt, contact the company using contact information from their website.
  • Legitimate organisation links match legitimate URLs
    • Just because a link says it will take you somewhere doesn’t mean it actually will. By hovering over the link you can double-check the URL. If the link doesn’t seem correct or doesn’t match the context of the email, don’t click on it.
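As an added example (not code from this article or from entrustIT), here is a small Python triage script that applies three of the mechanical giveaways from the checklist to a raw email: a brand in the display name that does not appear in the sender's domain, link text that names a different domain from its href, and the high-risk attachment types listed above. The sample message and every name, address and domain in it are constructed; the domain heuristic simply takes the last two host labels and is not a public-suffix lookup.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".scr", ".zip")  # the file types called out in the checklist

# Constructed sample message: every name, address and domain is made up.
SAMPLE = """\
From: PayPal Support <billing@paypa1-secure.example>
Subject: Action required on your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear valued member,</p>
<p>Log in at <a href="http://paypa1-secure.example/login">www.paypal.com/resolve</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

def domain(url):
    """Last two host labels of a URL or bare host (crude: no public-suffix list)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def triage(raw):
    """Return the checklist giveaways found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = domain(addr.partition("@")[2])
    if name and name.split()[0].lower() not in sender:  # brand in display name, other domain
        found.append(f"display name '{name}' but sender domain is {sender}")
    html = msg.get_body(("html", "plain")).get_content()
    # Link text naming one domain while the href points at another.
    for href, text in re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        if "." in text and domain(text) != domain(href):
            found.append(f"link text {text.strip()} actually goes to {domain(href)}")
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(RISKY_EXT):
            found.append(f"high-risk attachment {fn}")
    return found
```

Running `triage(SAMPLE)` reports all three giveaways for the constructed message; a plain mail from a domain that matches its display name, with no links or attachments, produces no findings.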

Phishing may be one of the longest-standing cyber-threats, but it remains one of the most prevalent for two reasons: it is easy to carry out, and it works because there are still plenty of people who use the internet simply unaware of the threats they face.

So, no matter if you have the most secure protections in place, all it takes is one untrained employee to be caught out by a phishing attempt. Even some of the most advanced users can make mistakes on occasion. Cyber-security training for your workforce will never be a wasted investment, and by following the simple tips, knowledge and advice outlined in this guide, you too can help to minimise the threat to your organisation.

entrustIT have over 16 years of experience in the cyber security sector. We have helped many businesses over this time to protect against phishing attacks and prevent the devastating impacts they can have if successful. Whether that be using our knowledge to provide training for you and your employees or implementing security solutions such as DMARC, we can proactively assist you throughout the pandemic and beyond.

Please get in touch with a member of the team on 0330 002 0045 or email enquiries@entrustit.co.uk if you think you could benefit.
