Today, we’re talking about phishing – what it is and how to avoid it. It’s part 4 of the series for European CyberSecurity month. Catch other installments here:
Passwords | Backups | Updates | Phishing
Ah… sittin’ on the dock of the bay, fishing pole in one hand, beer in the other…. Sounds nice, but nope. That’s not the type of fishing we’re talking about today.
Phishing is a type of security attack based on social engineering. Executed through phone calls, emails and websites, it’s a threat to every business’s cybersecurity. The cyber-criminal simply pretends to be someone else: your bank, your insurance provider, or maybe even your boss.
The goal is to obtain your personal or account information, make you download an attachment (that then installs malware on your device) or take some other action that benefits them and harms your business.
3 Types of phishing attacks
- CEO fraud is a phishing attack whereby the attackers spoof a company’s email accounts. They send instructions to accounts departments, or perhaps HR, requesting that employees process wire transfers or forward sensitive information. In 2015, the Belgian bank Crelan fell victim to this particular brand of phishing to the tune of about €70 million.
- Deceptive phishing is a phishing attack whereby an email seems to come from a legitimate source, such as your bank. It urges you to click on a link to log in and update some personal details. However, the link leads to a page the criminals have set up to collect your login credentials. Often the emails are formatted very well to mirror the site the attackers are spoofing. Closer examination of where the link is actually pointing, and of the actual sender email address (not just the display name), will usually alert you that something might be going on. Checking with your provider directly, or manually visiting your provider’s website by typing the usual address into your browser, are good ways to double-check an email’s legitimacy.
- Vishing is a phishing attack carried out over the phone. Attackers once again pretend to be representatives of a legitimate provider. They are looking for your details, or perhaps for you to make a credit card payment. A provider won’t call for sensitive information, and if you’re being pressured at all into giving information over the phone, you’ll know that something’s up. It’s best to hang up and contact your provider through any regular channels you use and find out if it’s actually them looking for this information.
4 Ways to identify a phishing email
- Phishing emails will often include no personal details. Instead of “Dear Mr. Smith”, it may have something like “Dear Valued Customer”.
- The email will often have an element of urgency included. Maybe it will say that you need to take action within an hour or you’ll be locked out of your accounts.
- The email might ask that you click on a link to update your personal information, or to download an attachment. Clicking links or downloading attachments can be dangerous unless you’re certain they come from a safe source. If a link looks suspicious, don’t click. Hovering your mouse over the linked text will show the actual link destination in a little pop-up. In phishing emails, the text of the link in the body of the email often won’t match the actual destination. If you aren’t expecting an attachment and the sender is unknown, don’t download it.
- Take a closer look at the sender’s email address. It might be something like firstname.lastname@example.org. In this case, it differs only in the domain extension – .om rather than .com.
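The last two checks above (link text pointing somewhere other than it claims, and a sender domain that is a near-miss of a real one) can be automated for a mail gateway or a quick triage script. The following is an added example, not code from the original post; it assumes a set of known-good sender domains (`TRUSTED_DOMAINS`) and uses a constructed sample message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from difflib import SequenceMatcher
import re

# Assumption: the organisation's known-good sender domains (not from the post).
TRUSTED_DOMAINS = {"example.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL or bare domain, lowercased (scheme added if missing)."""
    return urlparse(value if "://" in value else "http://" + value).hostname

def mismatched_links(html):
    """Links whose visible text names a domain that differs from the real href host."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        # Only compare when the displayed text itself looks like a URL or domain.
        m = re.search(r"(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", text, re.I)
        if m and host_of(m.group(0)) != host_of(href):
            flagged.append((text, href))
    return flagged

def lookalike_sender(from_addr):
    """Trusted domain the sender domain nearly matches (e.g. '.om' for '.com'), else None."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
    return None

# Constructed sample message, modelled on the indicators described in the post.
SAMPLE_FROM = "security@example.om"
SAMPLE_HTML = ('<p>Dear Valued Customer, act within 1 hour.</p>'
               '<a href="http://login.example.om/verify">https://example.com/account</a>')
```

Both hits together (lookalike sender plus a link whose text claims one host while the href goes to another) are a strong signal to quarantine the message for review rather than deliver it.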
Other steps to help avoid phishing
- Have internal procedures in place for handling requests for sending money.
- Train staff on how to deal with visitors to the office.
- Check online accounts regularly. Follow up on anything that looks to be outside your norms.
- Keep browsers and anti-virus software up to date.
KnowBe4.com has a great free resource that you can share with your employees on ways to spot social engineering attempts.
Conclusion / TL;DR
Phishing is a type of security attack whereby the attacker impersonates a legitimate person or entity in the hopes of tricking the receiver into taking action to benefit the attacker and harm the individual or company. Keep yourself and your staff informed about the types of phishing attacks to minimise the chances of falling victim to one of these scams.
LumenVA offers virtual assistance and flexible, remote support for businesses. Based in Waterford, Ireland, it assists clients around the world. Check out the services page to see how LumenVA can help you get stuff done.