By Anne Sorensen
Increased online activity during the Coronavirus pandemic has brought an explosion in internet traffic and in cybercrime alike.
Cybercrime has become a powerful tool for criminals looking to steal personal data and extort money. The speed, anonymity and convenience of the internet have enabled criminals to launch highly targeted attacks at very little effort and cost.
Phishing continues to be the most common form of cyber-attack because of its simplicity, effectiveness and high return on investment. Frequently cited industry figures put a phishing email at the start of around 91% of cyber-attacks, making it one of the most successful and dangerous attack methods in use.
So, what exactly is phishing?
A phishing attack is a form of social engineering in which cyber criminals try to trick individuals by sending fake emails that appear to come from an authentic source, such as a business or a colleague. The email might ask you to confirm personal account information such as a password, or prompt you to open a malicious attachment that infects your computer with malware.
It has evolved from its early days of Nigerian prince scams and requests to fund emergency medical treatment. The phishing attacks taking place today are sophisticated, targeted and increasingly difficult to spot.
Cyber criminals use phishing to:
- Obtain your personally identifiable information (PII) or business data
- Deliver malware or ransomware to your device(s)
- Impersonate a trusted person or business to request money
This allows them to:
- Exploit your data for money
- Encrypt or destroy your data
- Steal passwords, usernames and more
All it takes is for an employee to:
- Click a malicious link or attachment
- Enter sensitive information
- Fall for a false corporate email
A successful phishing attack can result in:
- Identity theft
- Sensitive data theft
- Client information theft
- Loss of usernames and passwords
- Loss of intellectual property
- Theft of funds
- Reputational damage
- Unauthorised financial transactions
- Credit card fraud
- Malware and ransomware infections
- A foothold for further attacks
- Data sold to criminal third parties
It is vital that businesses do all they can to educate staff about the dangers of phishing and to train employees to recognise a phishing attempt when it arrives.
Spotting the red flags
Identifying a phishing email has become much harder than it used to be, as criminals have honed their skills and refined their methods. The phishing emails that land in our inboxes are increasingly well written and personalised, carry the logos and language of brands we know and trust, and are crafted so that it is difficult to tell an official email from a dodgy one.
Here are 6 ways to spot phishing attacks and avoid getting hooked.
- Mismatches in the sender name, domain or hyperlinks in the body: A phishing email will often come from an address that appears genuine. Criminals include the name of a legitimate company somewhere in the email or web address to trick recipients. At a glance these details look real, but if you take a moment to examine the address you may find a bogus variation designed to pass as the real thing, for example @thereal.itnaturaIly.com instead of @itnaturally.com: the first "l" has been swapped for a capital "I", and the familiar name sits inside a domain the company does not own. Only the registered domain at the end of the address counts; anything placed in front of it can be made to say whatever the attacker likes. Malicious links can also be concealed within the body text, often alongside genuine ones, because the text a link displays and the address it actually opens can be different. Before clicking any link, hover over it and check that the destination shown matches where you expect to go.
- A request for personal information: Keep an eye out for emails asking you to confirm personal information that you would never usually provide, such as banking details or login credentials. Do not reply or click any links. If you think there is a possibility that the email is genuine, look the organisation up online and contact it directly; do not use any phone number, address or link supplied in the email itself.
- Poor spelling and grammar: Read the email and check for spelling and grammatical mistakes, as well as strange turns of phrase. Emails from legitimate companies are normally written and proofread by professionals, so an unexpected email that is riddled with mistakes is a strong indicator of a phish. The reverse does not hold: a well-written email is not automatically safe.
- The use of threatening or urgent language: Phishing emails often manufacture urgency, warning that an account will be suspended, a payment has failed or a deadline is only hours away, precisely so that you act before you think. Take the time to consider whether the email is asking something reasonable of you and, if you are unsure, contact the company through another channel.
- Unexpected or unsolicited correspondence: Alarm bells should ring if you receive an email out of the blue that carries an unexpected attachment or concerns something you were not expecting, for example a prize for a contest you never entered.
- When in doubt, throw it out: Links in emails are one of the main ways cybercriminals try to steal your personal information. Even if you know the sender, if something looks suspicious, do not click; delete the email or, better still, report it to your IT or security team so that others can be warned.
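To make the first red flag concrete, here is an added example (not code from the original post or from IT Naturally) that applies the same checks a reader is told to do by hand. It parses a raw email, compares the sender and Reply-To domains, folds lookalike characters so that `itnaturaIly.com` is caught as an imitation of `itnaturally.com`, and flags any link whose visible text names one domain while its `href` goes to another. It also goes a step beyond the post's example by catching a trusted brand buried inside a longer hostname such as `itnaturally.com.evil.net`. `TRUSTED_DOMAINS`, the homoglyph table and the two sample emails are constructed for the example, and the two-label "registrable domain" shortcut stands in for a proper Public Suffix List lookup.

```python
"""Heuristic phishing checks for the red flags above: a sender or link domain
that merely looks like a trusted one, a link whose visible text points somewhere
other than its real destination, and a Reply-To that does not match the sender.
Added example, not the blog's own code; names below are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Set
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"itnaturally.com", "example-bank.com"}  # assumed for the example
# Characters attackers swap in because they look like letters (constructed table).
HOMOGLYPHS = str.maketrans({"I": "l", "|": "l", "1": "l", "0": "o", "5": "s", "3": "e"})
# Visible link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels: 'thereal.itnaturaIly.com' -> 'itnaturaIly.com'. Case is kept so
    the capital-I lookalike survives; real code should use the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def skeleton(name: str) -> str:
    """Fold lookalike characters so 'itnaturaIly.com' compares equal to 'itnaturally.com'.
    Translate before lowercasing, or the capital I would become an innocent i."""
    return name.translate(HOMOGLYPHS).lower().replace("rn", "m").replace("vv", "w")


def lookalike_of(host: str, trusted: Set[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None. A trusted domain or
    one of its own subdomains is never flagged."""
    reg = registrable_domain(host)
    if reg.lower() in trusted:
        return None
    for t in trusted:
        if skeleton(reg) == skeleton(t):                    # character swap
            return t
        if skeleton(t.split(".")[0]) in skeleton(host):     # brand buried in a longer host
            return t
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def analyse(raw_email: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable findings; an empty list means no red flag fired."""
    msg, findings = message_from_string(raw_email), []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    target = lookalike_of(sender_host, trusted) if sender_host else None
    if target:
        findings.append(f"sender domain {sender_host!r} looks like {target!r}")
    for t in trusted:  # display name claims a trusted brand, address lives elsewhere
        if t.split(".")[0] in display_name.lower().replace(" ", "") \
                and registrable_domain(sender_host).lower() != t:
            findings.append(f"display name {display_name!r} does not match sender {sender_host!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and registrable_domain(reply_to.rsplit("@", 1)[-1]).lower() \
            != registrable_domain(sender_host).lower():
        findings.append(f"Reply-To {reply_to!r} goes to a different domain than the sender")
    html = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        href_host = _host(href)
        if URL_LIKE.fullmatch(text):  # text looks like a URL: does it match the real target?
            shown_host = _host(text)
            if registrable_domain(shown_host).lower() != registrable_domain(href_host).lower():
                findings.append(f"link text shows {shown_host!r} but goes to {href_host!r}")
        target = lookalike_of(href_host, trusted) if href_host else None
        if target:
            findings.append(f"link host {href_host!r} looks like {target!r}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "IT Naturally Support" <helpdesk@thereal.itnaturaIly.com>
Reply-To: recover@mail-secure-login.net
To: someone@example.org
Subject: Action required: your mailbox will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in now to keep your account:</p>
<p><a href="http://account-verify.mail-secure-login.net/login">https://www.itnaturally.com/login</a></p>
<p>Contact us at <a href="https://www.itnaturally.com/support">our support page</a>.</p></body></html>
"""
SAMPLE_LEGIT = """\
From: "IT Naturally Support" <helpdesk@itnaturally.com>
To: someone@example.org
Subject: Your monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>Read it at <a href="https://www.itnaturally.com/blog">www.itnaturally.com/blog</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or ["no red flags"])
```

Run as a script it prints four findings for the constructed phish (lookalike sender domain, mismatched display name, foreign Reply-To, and a link that shows the real company's address but opens an attacker's host) and none for the legitimate newsletter. The checks are deliberately the same ones the list above asks a human to perform; they are a training aid or a first-pass triage filter, not a substitute for a mail gateway, and the homoglyph folding will produce the occasional false positive on names that genuinely contain "rn" or digits.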
For more on Phishing, read our previous blog Phishing: Your Employees are the First Line of Defence