The Big Phishing Scam
Phishing is a technique used by cyber criminals and involves tricking users into unknowingly taking a ‘harmful action’ such as opening an attachment or clicking a link. Many attacks also result in victims revealing ‘sensitive information,’ such as login credentials or bank details. Phishing attacks can be done via email, text message or phone call.
Cyber criminals often pose as familiar individuals or institutions in order to gain your trust and encourage you to fulfil their requests.
This can cause significant disruption to your business, including periods of downtime and reputational damage, and many businesses have incurred high costs as a result of such attacks.
According to the UK government's Cyber Security Breaches Survey:
- 39% of UK businesses identified a cyber attack
- Of those businesses, 83% reported phishing attempts
Educating Your Staff
With an estimated 90% of malware delivered by phishing attacks, training your staff is vital to staying safe. We have teamed up with IT Governance to provide a range of staff training programmes designed to increase employee awareness and your resilience to attacks. Courses can be accessed anytime from anywhere, allowing staff to work at their own pace. It is very important to embed a culture of security awareness throughout your organisation and ensure your staff are a robust line of defence. Find out more about our range of e-learning courses here.
Identifying Phishing Attempts
Cyber criminals use a variety of methods of deception, and as technology develops they find new and more sophisticated ways to entice their targets. Although the methods change, a few tell-tale signs remain constant. Here are some common ways of detecting phishing emails.
Unknown Links and Attachments
Phishing emails tend to contain unexpected links or attachments. The message may be vague, but it will encourage you to click. If you do, attackers may be able to install malware on your computer and, from there, spread across the network, which can have catastrophic consequences. Hover over a link to see where it actually leads before clicking, and treat any attachment you were not expecting as suspect.
Sense of Urgency
Legitimate organisations will not ask you to send passwords or payment details by email, and they rarely pair a request with a threat. Attackers try to scare you into acting before you think, for example: 'if you do not verify your password, you will be locked out of your account for 30 days.' Treat any message that combines a request with a deadline or a penalty as a warning sign, and verify it through a channel you already trust.
From Email Address
The display name and domain may look legitimate, so it is always important to dig a little deeper and look at the actual 'from' address. Cyber criminals often send from a public webmail domain, or from a domain that is a slight adaptation of the company's real one, which is easy to miss.
For example, genuine Amazon emails end in @amazon.co.uk, but a cybercriminal may register a lookalike domain that differs by a character or two, or one that merely contains the brand name alongside something else. It may appear legitimate at first glance, so be cautious and check the company's own website to verify the address. DO NOT click on any links in the email to verify it: cyber criminals have been known to go to great lengths and build convincing copies of real websites to lure victims in.
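The following script is an added example, not code from the original article or from Minerva. It automates the two checks described under 'Unknown Links and Attachments' and 'From Email Address': it reads the actual address behind the From header and compares its registrable domain with a list of trusted domains (flagging public webmail, lookalike spellings and a brand name buried in a subdomain), then inspects each link in the HTML body and flags anchors whose visible text shows one site while the href points to another. The trusted-domain list, the webmail list, the sample message and every hostname in it are constructed assumptions for illustration.

```python
"""Heuristic checks for two phishing signals: the real sender domain behind a
From header, and links whose visible text names a different site than the href.

Added example for illustration only; TRUSTED_DOMAINS, PUBLIC_WEBMAIL, the
sample message and every hostname in it are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this hypothetical organisation expects genuine mail and links from.
TRUSTED_DOMAINS = {"amazon.co.uk", "example-corp.com"}

# Free webmail providers: fine for individuals, suspicious when the display
# name claims to be a company.
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "yahoo.co.uk"}

# Constructed sample: brand name buried in a subdomain, and a link whose text
# shows the real site while the href points elsewhere.
RAW_EMAIL = """\
From: "Amazon Customer Service" <security-alert@amazon.co.uk.account-verify.example>
To: someone@example-corp.com
Subject: Action required: verify your password within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be locked for 30 days unless you verify now.</p>
<p><a href="http://account-verify.example/login">https://www.amazon.co.uk/signin</a></p>
<p><a href="https://www.amazon.co.uk/help">Help pages</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable_domain(host: str) -> str:
    """Crude registrable-domain guess: last two labels, or three for hosts like
    something.co.uk. A real deployment would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-or-two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Flag a sender that borrows a trusted brand without using its domain."""
    name, addr = parseaddr(from_header)
    dom = addr.rpartition("@")[2].lower()
    reg = registrable_domain(dom)
    findings: list[str] = []
    if reg in TRUSTED_DOMAINS:
        return findings  # genuinely sent from a domain we expect
    if dom in PUBLIC_WEBMAIL:
        findings.append(f"sender uses public webmail domain {dom}")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in dom:
            # e.g. amazon.co.uk.account-verify.example: the brand is only a subdomain label
            findings.append(f"'{brand}' appears in {dom} but the registrable domain is {reg}, not {trusted}")
        elif edit_distance(reg, trusted) <= 2:
            findings.append(f"{reg} is a lookalike of {trusted}")
        if brand in name.lower():
            findings.append(f"display name '{name}' claims {brand} but the sender domain is {dom}")
    return findings


def check_links(html: str) -> list[str]:
    """Flag anchors whose visible text names one site while the href goes to another,
    and any remaining link that leaves the trusted domains."""
    findings: list[str] = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        visible = re.sub(r"<[^>]+>", "", text).strip()
        match = DOMAIN_IN_TEXT.search(visible)
        shown_host = match.group(1).lower() if match else ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        elif registrable_domain(href_host) not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {href_host}")
    return findings


def analyse(raw: str) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and run both checks."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {"sender": check_sender(str(msg["From"])), "links": check_links(html)}


if __name__ == "__main__":
    for category, items in analyse(RAW_EMAIL).items():
        for item in items:
            print(f"[{category}] {item}")
```

Run it as a script to print the findings for the built-in sample, or import it and pass your own raw message to analyse(). The registrable-domain logic is deliberately crude: a production filter would use the Public Suffix List and a proper HTML parser, and even then it only supplements the human check of opening the company's website directly rather than following the link.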
Spelling or Grammar Mistakes
Organisations proofread their email communications; cybercriminals running bulk campaigns often do not, so typos and grammar mistakes are one of the easiest signs of a fraudulent email. Bear in mind, though, that a polished email is not proof of legitimacy, particularly in targeted attacks.
In a mass phishing attempt the greeting is often generic, such as 'Dear sir/madam', rather than using your name.
However, the presence of your name does not mean an email is legitimate. In targeted phishing attempts, attackers use your name to make the email look realistic while mimicking a familiar person or organisation.
Types of Phishing Attacks
There are multiple types of phishing; here are some of the most common techniques:
Bulk Phishing
This is usually a mass mailing sent to many targets at once. No one and no industry is spared. The aim is to reach as many people and organisations as possible in the hope that some will comply with the request.
Spear Phishing
Cyber criminals focus on specific targets and research their victims by finding personal information online. With this information they can make the approach look legitimate by posing as someone close to the individual being targeted. A personalised approach makes the victim more likely to hand over the sensitive information requested.
Whaling
The term 'whaling' comes from the size of the target: it involves senior, high-profile individuals within the organisation, approached by someone mimicking a trusted source in order to entice them into providing sensitive information. These emails are carefully crafted to look as legitimate as possible.
Smishing and Vishing
Smishing refers to phishing attacks delivered by SMS, and vishing to attacks made by voice call. These social engineering attacks are becoming increasingly common and mainly target consumers rather than businesses. The Covid-19 pandemic caused a significant increase in these types of attacks.
Social Media Phishing
With more companies using social media to interact with their customers, cyber criminals have also begun using these platforms to exploit victims.
There is usually a common sequence of events:
- A customer complains about a product or service on social media
- The brand responds by asking for personal contact details so it can verify the issue and deal with it offline
- Cyber criminals, who can see the public complaint, pose as the brand from a lookalike account and ask for information such as the victim's account details in order to 'process the refund'
Because the impostor uses the company name, has a legitimate-looking account, and the victim is eager to resolve the issue as quickly as possible, victims tend to comply with the request.
Preventing Phishing Attacks
Phishing attacks can be extremely harmful, but by following the protocols below as a first line of defence, you are less likely to become a victim:
Staff Vigilance
Ensure staff are vigilant and do not give out sensitive information or take action without verifying the source through a channel other than the suspicious message itself.
Spam Filters
Spam filters detect and block unsolicited or malicious emails before they reach your inbox. Some phishing emails will still get through, so a filter reduces the volume but does not remove the need for vigilance.
Anti-Phishing Browser Add-ons
These add-ons identify and warn you about known malicious sites and other potential threats.
Software Updates
Applications regularly release updates to add features, fix bugs and improve performance, and many also fix security vulnerabilities. Keeping software up to date makes it harder for cybercriminals to exploit a user who has clicked a link or opened an attachment.
Password Hygiene
Use a different password for every account, and change a password promptly if you suspect it has been exposed. If the same password is used everywhere and cyber criminals obtain it, all your accounts are at risk.
Loss of Data
Victims may hand over personal data or sensitive information in the belief that they are giving it to someone they know. If that fails, once cyber criminals have gained access to a system they will search for the data and take it themselves. This data may be leaked publicly or sold on criminal marketplaces. Either way, the consequences can be disastrous, including loss of trust and heavy fines, and an individual who willingly handed over the data may find their job at risk. To book your staff in for awareness training, please do get in touch.
Reputational Damage
Many businesses suffer reputational damage as a result of a cyber attack, particularly if it is traced to human error. Larger, well-established companies tend to suffer the most, especially once the incident is reported in the media.
This can lead to loss of trust, loss of existing customers, shareholders and business partners, and difficulty winning new business.
Financial Loss
In many cases, cyber criminals have managed to steal large sums of money from the organisation.
Regulatory Fines
In cases of data breach, businesses can be hit with large fines. Larger companies, particularly PLCs, are able to pay and move on, but many SMEs cannot survive the cost and end up closing down.
Downtime
Depending on the level of disruption, businesses may also suffer downtime, which results in lost revenue.
Some businesses have to close for a period after a cyber attack. As well as lost income, this means employees may be out of work and face a temporary loss of earnings.
These are just a few of the many disastrous impacts of cyber attacks. The level of impact will vary depending on the size and type of business. According to Cybercrime Magazine, 60% of small companies go out of business within six months of falling victim to a data breach or cyber attack. Many companies do survive, but end up with a tarnished reputation.
If you have been targeted by a phishing attempt, report it to your IT department so they can deal with the issue before it escalates.
It is also worth reporting it to the National Cyber Security Centre's Suspicious Email Reporting Service by forwarding the email to report@phishing.gov.uk. They can verify the source and act on it, and you could be saving others from being attacked in future.
The National Cyber Security Centre recommends a multi-layered approach that splits mitigations into four layers on which you can build your defences:
- Make it difficult for attackers to reach your users
- Help users to identify and report suspected phishing emails
- Protect your organisation from the effects of undetected phishing email
- Respond quickly to incidents
IT Support and Managed Services
By outsourcing your IT services, you can rest assured that your network security is in the hands of experts with experience in managing security, dealing with attacks and planning backups and recovery.
Security is a key priority for many businesses today, and outsourcing can provide strong security measures managed by security specialists.
How Minerva Can Help
Minerva has been around for over 35 years, and during this time we have provided a range of IT services and solutions to many SMEs across the nation.
Our team are constantly undergoing training to keep abreast of the latest developments in tech and cyber security. We also partner with some of the leading software providers in the industry, which enables us to provide advanced and robust cyber security solutions for you.
Speak to us now, and together we can devise an effective, multi-channel cyber security strategy for your business.