Phishing starts with a fraudulent email or other communication that is designed to lure a victim. The message is made to look as though it comes from a trusted sender. If it fools the victim, he or she is coaxed into providing confidential information, often on a scam website. Sometimes malware is also downloaded onto the target’s computer.
Phishing attacks have grown in both frequency and sophistication, spiking during the Coronavirus pandemic, and pose a significant threat to individuals and organisations alike.
It’s important that you know how to spot some of the most common phishing scams if you are to protect personal and corporate information.
The most common phishing technique is a message purporting to come from one of your genuine service providers and asking you to re-send personal information or to log in through a different portal. Such emails usually carry a sense of urgency, warning of charges you will incur or benefits you will lose if you do not act.
To identify such an email, look for a generic greeting ("Dear Customer"), a sender or Reply-To address on a domain that does not belong to the company, and links whose real destination (shown when you hover over them) differs from the text you can see, or points to a bare IP address or an unfamiliar domain. Legitimate companies will not ask for your personal data in this way.
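The checks above can be automated. The following is an added example, not code from the original article or from Trixter: it parses a constructed phishing email (the addresses, domains and IP are invented) and reports the tell-tale signs described above, namely a Reply-To on a different domain from the sender, a generic greeting, urgency language, and links whose visible text does not match where they actually point. The domain comparison is a deliberately crude "last two labels" approximation and does not handle suffixes such as co.uk.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; every address, domain and
# IP in it is invented and does not refer to a real organisation.
SAMPLE_EMAIL = """\
From: "Acme Bank Support" <support@acme-bank.com>
Reply-To: verify@acme-bank-security.co
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. Please <a href="http://198.51.100.7/acme/login">
log in at https://www.acme-bank.com/login</a> immediately to avoid charges.</p>
</body></html>
"""

# A constructed benign message from the same (invented) bank, for contrast.
BENIGN_EMAIL = """\
From: "Acme Bank" <notifications@acme-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Jane,</p>
<p>Your statement is available at <a href="https://www.acme-bank.com/statements">
https://www.acme-bank.com/statements</a>.</p></body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "charges")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs and all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._link_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._link_text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and registrable_domain(reply_dom) != registrable_domain(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    plain = " ".join(parser.text).lower()
    subject = msg.get("Subject", "").lower()

    if any(g in plain for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    hits = [w for w in URGENCY_WORDS if w in subject or w in plain]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if is_ip_literal(host):
            findings.append(f"link to a raw IP address: {href}")
        elif from_dom and registrable_domain(host) != registrable_domain(from_dom):
            findings.append(f"link host {host} does not match sender domain {from_dom}")
        # Visible text that looks like a URL but names a different host than the real href
        shown = re.search(r"https?://([^\s/]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


if __name__ == "__main__":
    for name, mail in (("phishing sample", SAMPLE_EMAIL), ("benign sample", BENIGN_EMAIL)):
        print(name, "->", analyse(mail) or ["no findings"])
```

Keyword lists like these are only a first filter; the structural checks (sender versus Reply-To, visible text versus real link target, raw IP addresses) are the ones that survive rewording by the attacker.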
There are two other, more sophisticated, types of phishing involving email. The first, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following information about the victim:
- Their name;
- Place of employment;
- Job title;
- Email address; and
- Specific information about their job role.
You can reduce the chances of being targeted by being careful what you post on social media and by setting your social media privacy settings to exclude the general public. Use a different password for every site (a password manager makes this practical), so that if one is compromised the others remain safe.
The second, often called CEO fraud or business email compromise, is behind several high-profile cases: fraudsters assume the identity of an authority figure within a company and ask the business's accountant to release a payment.
Two-step or two-factor authentication is recommended best practice and stops a stolen password being enough to take over the mailbox these requests are often sent from. It does not stop a plausible-looking instruction on its own, so companies should also require a second approver for payments and verify any unusual request or change of bank details by calling the requester on a number already known to be genuine, not one given in the email.
Smishing involves criminals sending text messages, the content of which is much the same as email phishing. Do not tap links or call numbers in an unexpected text; if in doubt, contact the company named in the message using the phone number printed on your card, your statement or its official website, never the one in the text.
Vishing involves a telephone conversation. A common vishing scam involves a criminal posing as a fraud investigator (either from the card company or the bank) telling the victim that their account has been breached.
The criminal will then ask the victim to provide payment card details to verify their identity, or to transfer money into a ‘secure’ account – by which they mean the criminal’s account. No genuine bank or card company will ask you to move money to a ‘safe’ account; hang up and call the number on the back of your card.
Beyond dodgy emails, phishing also stretches to dodgy websites, where it is known as ‘pharming’. Rather than tricking you into clicking a bad link, scammers tamper with how a domain name is resolved (for example by poisoning a DNS cache, editing the hosts file on your computer, or changing the DNS settings on a home router) so that typing the genuine address takes you to a fraudulent site that asks for sensitive information. A browser certificate warning on a site you use regularly is a strong sign that this has happened, because the fraudulent server cannot present a valid certificate for the real domain.
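One of the simplest forms of pharming mentioned above is an entry added to the local hosts file, which the operating system consults before DNS. The following is an added example, not code from the original article or from Trixter: it scans constructed hosts-file content (all names and addresses invented) and flags any watched domain that has been pinned to a public address. The list of watched domains is an assumption standing in for whatever an endpoint policy would supply.

```python
import ipaddress

# Constructed hosts-file content for illustration only. The acme-bank line
# is the kind of entry pharming malware adds so that the genuine domain
# name resolves to an attacker-controlled server instead of going to DNS.
SAMPLE_HOSTS = """\
# Standard loopback entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Legitimate local development alias
127.0.0.1       dev.local
# Injected entry: bank domain pinned to an attacker address
203.0.113.45    www.acme-bank.com acme-bank.com   # looks harmless at a glance
# Ad-blocking style entry: sinkholed, not redirected
0.0.0.0         ads.example.net
"""

# Assumed policy list of domains that must never be overridden locally.
# These are invented names.
WATCHED_DOMAINS = {"acme-bank.com", "example.org"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring blank lines and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower().rstrip(".")


def registrable_domain(host):
    """Crude last-two-labels approximation (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def is_local_or_sinkhole(address):
    """True for loopback (127.0.0.1, ::1) and unspecified (0.0.0.0, ::) addresses,
    which localise or block a name rather than redirecting it elsewhere."""
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_unspecified


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return (address, hostname, reason) for every suspicious hosts entry."""
    suspicious = []
    for address, name in parse_hosts(text):
        try:
            if is_local_or_sinkhole(address):
                continue
        except ValueError:
            suspicious.append((address, name, "unparsable address"))
            continue
        if registrable_domain(name) in watched:
            suspicious.append((address, name, "watched domain pinned to a public address"))
    return suspicious


if __name__ == "__main__":
    for address, name, reason in find_pharming_entries(SAMPLE_HOSTS):
        print(f"{name:24} -> {address:16} {reason}")
```

On a real machine you would feed this the contents of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts on Windows) and, ideally, also compare what the watched names resolve to against a trusted resolver, since router-level DNS tampering leaves the hosts file untouched.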
Some internet security products will automatically block suspicious websites, drawing your attention to potential traps.
Organizations need to run internal awareness campaigns and make sure employees are given the tools to recognize the different types of attack. They also need to beef up their technical defences: traditional email security tools such as spam filters are not enough on their own against targeted phishing, so they should be complemented by sender authentication (SPF, DKIM and DMARC), scanning of links and attachments, and multi-factor authentication so that a stolen password alone does not give an attacker access.
Need to strengthen your organization’s cybersecurity? Or just do a quick security assessment of the vulnerabilities in your organization? Simply get in touch with us at Trixter.
Follow Trixter on LinkedIn for more cyber-security information and updates.