PureCyber

Phishing Awareness…Hook, Line & Sinker: What Is Phishing, How To Prevent It And What To Look Out For?

Continuing our Cyber Security Awareness Month campaign here at PureCyber; having previously looked at tried & tested cyber security basics and cyber vigilance vs paranoia, today we’re looking at one of the most widespread and most easily missed cyber threats – phishing.

What is Phishing?

Phishing is a type of social engineering attack that aims to trick users into providing valuable, sensitive information or data via fraudulent emails, website links or SMS. These attacks rely on the user being deceived by sometimes very convincing replicas of real sites and emails from sectors including banking, government and even retail.

The aim of phishing campaigns is to get victims to share sensitive data such as passwords, financial details and social security numbers. Cyber actors will often collect this data by redirecting victims to fraudulent websites where users are prompted to enter emails, passwords and other details that can then be used to either enter accounts or directly steal money, data and identity.

There are different variations of phishing. Some campaigns are mass-target events where emails are sent indiscriminately to millions of inboxes; others are much more targeted, including information such as names and employers in seemingly legitimate, customised emails that aim to build trust and be more persuasive to the victim. These targeted emails are often referred to as “Spear Phishing”. Another form of phishing is “Whaling” – attacks that target high-level corporate officers with fraudulent emails, text messages and sometimes phone calls.

Instances of phishing are on the rise, meaning it is now one of the most common forms of cyber-attack that is launched by cyber actors across the globe. Most businesses have experienced an attempted phishing attack or fallen victim to one. According to government data, phishing is by far the most common type of attack faced by businesses and charities, with 84% of businesses and 83% of charities experiencing one in the last 12 months.

How to identify a potential phishing email/SMS?

There are several ways phishing emails and SMS messages can be identified; some common hallmarks of malicious emails/SMS messages include:

  • Emails demanding urgent action – These emails usually threaten some kind of negative consequence or loss of opportunity if action isn’t taken urgently and so any unexpected emails like this should be approached with caution.

  • Emails/SMS containing poor grammar and spelling mistakes – These are usually clear indicators of a potentially malicious email as most legitimate organisations will apply spell check tools to emails and edit content being sent out.

  • Emails/SMS with unfamiliar greetings or salutations – These emails and SMS messages may begin with non-specific greetings such as “Dear Sir/Madam” or “Dear Customer”. Any email starting with this type of unfamiliar greeting should be approached with caution, as it is likely part of a mass targeting attack hoping to catch out unsuspecting victims.

  • Inconsistencies in email addresses, links and domain names – Some phishing emails are sent from addresses made to closely resemble those of legitimate organisations; however, by taking time to carefully read the email in question you will often find that the sender address has an inconsistency that doesn’t line up with other, legitimate email addresses from the organisation in question.

  • Suspicious attachments – Lots of work-related sharing is done through collaboration tools, so if you are not expecting an internal email with an attachment you should treat any attachment as suspicious…especially if it has an unfamiliar extension (.zip, .exe etc.).

  • Emails/SMS messages that seem too good to be true – If you receive an email or SMS that seems like it is too good to be true…chances are it probably is. Phishing attacks will often try to win over victims with unrealistic promises and rewards for visiting the attached link or providing certain credentials. Don’t
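The hallmarks listed above can be turned into a simple triage check that a mail filter or help desk could run over a reported message. The Python below is an added example written for this article, not PureCyber’s own tooling: the trusted-domain list, the phrase lists and the two sample messages are constructed for illustration, and the .scr/.js extensions are our additions to the page’s .zip/.exe examples.

```python
"""Heuristic phishing-indicator check for an incoming e-mail (added example).

Constructed/assumed: TRUSTED_DOMAINS, the phrase lists and both sample
messages are illustrative only, not real organisations or real mail.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplebank.com", "purecyber.example"}   # assumed allow-list
URGENT_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended")
GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear user")
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")          # .scr/.js are our additions
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings; a domain one or two edits away
    from a trusted one is the classic look-alike (e.g. a '1' for an 'l')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when the domain imitates a trusted one: a near-typo of it, or the
    trusted name embedded in a longer host such as examplebank-login.com."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2 or trusted.split(".")[0] in domain:
            return True
    return False


def assess(msg):
    """Return {indicator: detail} for each hallmark found in an email.message.Message."""
    findings = {}
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if is_lookalike(sender_domain):
        findings["lookalike_sender"] = sender_domain

    body = ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(RISKY_EXTENSIONS):
                findings["risky_attachment"] = filename
        elif part.get_content_type() == "text/plain":
            body += part.get_content()

    # Urgency wording in subject or body
    text = (msg.get("Subject", "") + "\n" + body).lower()
    urgent = [p for p in URGENT_PHRASES if p in text]
    if urgent:
        findings["urgent_language"] = urgent

    # Generic salutation on the first non-empty line
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_GREETINGS):
        findings["generic_greeting"] = first_line

    # Links whose host imitates a domain we trust
    bad_hosts = [h for h in URL_HOST.findall(body) if is_lookalike(h)]
    if bad_hosts:
        findings["lookalike_link"] = bad_hosts
    return findings


def build_sample(phish=True):
    """Constructed messages: one imitating the bank, one genuine statement notice."""
    msg = EmailMessage()
    msg["To"] = "finance@purecyber.example"
    if phish:
        msg["From"] = "Security Team <alerts@examp1ebank.com>"
        msg["Subject"] = "URGENT: verify your account within 24 hours"
        msg.set_content("Dear Customer,\n\nYour account will be suspended unless you "
                        "confirm your details at http://examplebank-login.com/verify\n")
        msg.add_attachment(b"PK\x03\x04", maintype="application",
                           subtype="zip", filename="invoice.zip")
    else:
        msg["From"] = "Statements <statements@examplebank.com>"
        msg["Subject"] = "Your March statement is available"
        msg.set_content("Hello Jane,\n\nYour statement is ready in online banking as usual.\n")
    return msg


if __name__ == "__main__":
    for is_phish in (True, False):
        print("phish" if is_phish else "genuine", assess(build_sample(is_phish)))
```

The constructed phishing sample trips all five checks (look-alike sender, risky attachment, urgent wording, generic greeting, look-alike link) while the genuine statement notice trips none. In practice a single indicator is not proof; the value is in reporting which hallmarks were seen so the recipient or help desk can weigh them together.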

Protecting yourself and your business against phishing campaigns

The best way to protect yourself and your organisation against phishing is to increase user awareness within the organisation and create a healthy culture of cyber security within your workforce. Training will provide staff with the knowledge they need to avoid being caught out by phishing attacks. Random phishing simulations can also be hugely beneficial, teaching employees not only how to spot a potentially malicious email, but also what to do if they do unfortunately fall victim to one.

How can PureCyber Help?

Our dedicated team of cyber security and compliance experts are available to help secure your organisation and provide a bespoke, tailor-made cyber security service. Our service subscriptions offer a range of cyber security solutions for organisations of all sizes and scopes. From vulnerability scanning to penetration testing, incident response and active threat detection, our cyber solutions ensure you can operate safely and securely with reassurance that your business, employees and customers are safe from cyber threats.

Need a refresh? No matter what level of cyber security knowledge you have, it is always valuable to refresh your understanding of terms, topics and techniques. Our PureCyber glossary of terms is the perfect place to brush up on your understanding.

Links:

  • NCSC Phishing

  • NCSC Spear Phishing

  • Cyber Security Breaches Survey 2024

  • PureCyber - When Phish Get Caught