Back to Basics #1: Phishing Threats

Cyber security has become a mainstream concern. We’ve all read about the TalkTalk, Dropbox and Yahoo breaches, and incidents like these are only going to become more frequent.

As human beings we are wired to make mistakes, so it is essential that you educate your staff on what to look out for. You can protect your organisation by teaching staff to avoid clicking on suspicious email links, to stop writing their passwords down on a post-it, and to avoid connecting to public Wi-Fi networks when working remotely.

In this series of blogs we are going back to basics, so let’s take a look at what types of phishing threat are out there. To arm yourself against a phishing attack you should take advantage of technical barriers, but you should also invest in staff awareness. Ultimately, awareness training is what helps your staff recognise the common tactics cyber criminals use in a phishing email.

  • Phishing

The spam filter on your personal or work email account will usually pick up junk emails, but sometimes they make their way into your main inbox. This is where you need to be able to spot a phishing email. The fact that your spam filter moves spam out of your view is both a help and a hindrance. It helps because you aren’t tempted to click on them (out of sight, out of mind), but it also hides the tactics attackers use, and so may prevent you from learning the difference between a genuine email and a phishing email.

For example, an individual contacts you to say you have been identified as the last living descendant of a wealthy financier and you are entitled to their fortune. Common sense is right at hand to tell you that this is virtually impossible. Not only that, but you would like to think that you would receive a legal document confirming such news as opposed to an email from a Hotmail account.

If you can spot these warning signs, that’s good. Generalised phishing emails are designed to catch you out, but false promises and poor spelling or grammar should alert you to the danger. But cyber criminals are becoming cleverer.

A simulated phishing test is one way to measure how your employees behave when they receive a phishing email. Phishing simulation software can provide management with reports on how employees react to such emails, and those reports will show which staff members need to undertake a phishing training module.

  • Spear Phishing

This is a more targeted and sophisticated form of phishing. Cyber criminals who send spear phishing emails have done their homework: the email content is tailored specifically for you. To achieve this they will have researched you and your colleagues on social media, and they use that information to craft an email designed to earn your trust.

The email you receive will appear to come from an individual or company you recognise. Add the personal information they have gleaned to the mix and it is a recipe for disaster. In comparison to a standard phishing email, a spear phishing email is personally addressed to you and includes information that appeals to you.

What if you received an email signed by your IT Support team telling you that your email account is running out of space? This type of email seems far more plausible. Email signatures can look official, but there are still things to be wary of in the body of the email: spelling and grammar, who the email is addressed to (do they refer to you by name or simply as “user”?), and any links it contains (does the address shown match where the link actually goes?).

  • Whaling

This form of phishing attack is aimed directly at senior members of staff and management, but the goal is the same: to acquire sensitive information or, as the example below shows, money.

The cyber criminal will pose as a reliable or trustworthy source, much like spear phishing. However, a whaling attack is designed to trick senior members of staff because they are more likely to have access to important company financial information and may even have the authority to approve financial transactions or payments.

For example, say you are the Senior Finance Manager and you receive an email from your colleague about a few invoices that require approval for immediate payment. They have also attached a zip folder to the email.  You automatically panic and your brain goes into overdrive thinking “Did I forget to authorise those? I’m sure I didn’t – I processed all invoices on Monday”. Here, your automatic reaction would be to click on the zip folder attachment and check the invoices to jog your memory.

This is where you need to STOP. Instead of clicking on the attachment, check your own records to see whether the payment was already approved. Spend a few extra seconds (and save your company’s reputation) by checking your records, or by confirming with the colleague through a channel you already trust, before opening downloadable content from an email.

If you did download that zip folder, it would most likely contain a malicious file which, once opened, would install malware on your computer or laptop. From there the malware could spread across your network, causing potentially irreparable damage.
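The warning signs described in the spear phishing and whaling sections above (a webmail sender posing as an organisation, a generic “user” salutation, a link whose visible address differs from its real target, pressure to act immediately, and an unexpected zip attachment) can be turned into checks that an analyst runs over a reported message. The script below is an added example written for this article; it is not code from the original post or from MetaCompliance’s product. The webmail provider list, risky file types, and every address, domain and message in it are constructed for the example.

```python
"""Rule-based triage of suspicious e-mails.

Added example, not code from the original post or from MetaCompliance. It turns
the page's advice into checks an analyst could run on a reported message: a
webmail sender posing as an organisation, a generic "Dear user" salutation, a
link whose visible text names a different domain from its real target, a risky
attachment such as a .zip, and pressure to act immediately. Every message and
domain below is constructed for this example.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions: typical consumer webmail providers, and file types that should
# not arrive unannounced from a colleague.
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr", ".iso", ".lnk")

ORG_WORDS = re.compile(r"\b(support|helpdesk|team|dept|department|finance|bank|payroll)\b", re.I)
GENERIC_SALUTATION = re.compile(r"\b(dear|hello|hi)\s+(user|customer|valued customer|sir/madam|account holder)\b", re.I)
URGENCY = re.compile(r"\b(immediate(ly)?|urgent(ly)?|within 24 hours|will be (closed|suspended|deleted))\b", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)
TAG = re.compile(r"<[^>]+>")


def _domain(address):
    """Lower-cased domain of an e-mail address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def _link_host(url):
    """Hostname a link really points to."""
    return _strip_www((urlparse(url).hostname or "").lower())


def triage(raw_message):
    """Return human-readable warnings for one RFC 5322 message (empty if none)."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    warnings = []

    display_name, sender = parseaddr(str(msg.get("From", "")))
    if _domain(sender) in FREEMAIL_DOMAINS and ORG_WORDS.search(display_name):
        warnings.append(f"'{display_name}' writes from a webmail address ({sender})")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != _domain(sender):
        warnings.append(f"replies go to {_domain(reply_to)}, not to the sender's {_domain(sender)}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = TAG.sub(" ", html)  # tag-free text for the wording checks

    if GENERIC_SALUTATION.search(text):
        warnings.append("generic salutation instead of your name")
    if URGENCY.search(text):
        warnings.append("pressure to act immediately")

    # Compare the domain a link *shows* with the host it actually points to.
    for href, anchor_text in ANCHOR.findall(html):
        shown = DOMAIN_IN_TEXT.search(TAG.sub("", anchor_text))
        if shown and _strip_www(shown.group(1).lower()) != _link_host(href):
            warnings.append(f"link shows {shown.group(1)} but points to {_link_host(href)}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            warnings.append(f"risky attachment {name}: check your own records before opening it")

    return warnings


def build_sample(sender, subject, body, html=False, reply_to=None, attachment=None):
    """Assemble a constructed message so the example runs offline."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "sam.ortega@acme-corp.example.com", subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body, subtype="html" if html else "plain")
    if attachment:  # a few bytes standing in for a real archive
        msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename=attachment)
    return msg.as_string()


SAMPLES = {  # constructed messages mirroring the article's three scenarios
    "spear": build_sample(
        '"IT Support Team" <it.support.desk@hotmail.com>', "Mailbox almost full",
        '<p>Dear user,</p><p>Your mailbox is over quota. Sign in at '
        '<a href="http://quota-reset.example.net/login">https://webmail.acme-corp.example.com</a> '
        'immediately or your account will be suspended.</p>', html=True),
    "whaling": build_sample(
        "Dana Reyes <dana.reyes@acme-corp.example.com>", "Invoices awaiting approval",
        "Hi Sam,\n\nA few invoices still need your approval for immediate payment; "
        "they are in the attached archive.\n\nDana",
        reply_to="dana.reyes@acme-corp-accounts.example.net", attachment="invoices.zip"),
    "benign": build_sample(
        "Dana Reyes <dana.reyes@acme-corp.example.com>", "Q3 report",
        "Hi Sam,\n\nThe Q3 report is ready; I will bring it to the Monday meeting.\n\nDana"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw) or ["no warnings"])
```

Run as a script it prints the warnings for each constructed message: four for the “IT Support” spear phish, three for the invoice whaling attempt (mismatched Reply-To, urgency, zip attachment) and none for the genuine colleague email. The rules are deliberately simple string checks; a real gateway would add sender authentication results (SPF, DKIM, DMARC) and attachment sandboxing, but the point here is that every one of the page’s “look out for” tips maps to something a machine can flag before a person has to decide.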

Conclusion

Quite simply, a phishing attack can bring a company down at the click of a button. All it takes is one person to click on a link or open an attachment, and your company’s reputation and assets are at risk. To combat the threat of phishing, companies need to invest in educating their staff on what to look out for.

Here at MetaCompliance, we provide phishing simulation software and eLearning content which will ultimately increase an organisation’s sensitivity to fraudulent emails.

Did you know that it only takes one minute and twenty seconds for someone to open a phishing email? Instead, take that time to think before you click.
