Spotlight On: Phishing

phishing/noun
The practice of using fraudulent e-mails and copies of legitimate websites to extract financial data from computer users for purposes of identity theft

Phishing Emails

Email is an affordable, simple and quick method of communication used worldwide both personally and professionally, but there can be serious risks involved if the right protocols or knowledge is not in place. Phishing attacks try and trick you into giving up sensitive information. Phishing emails are becoming more sophisticated in appearance, but some features are easily identifiable, the most common of which are outlined below:

1. Unrealistic threats or demands are often used, such as telling you ‘urgent action is required’ or that an account will be closed if you don’t take action.
2. A ‘catch’ is also a sign, for example anything related to sending money.
3. The message could start with a generic term of address (e.g. “Dear customer”) instead of your name, pointing towards them not knowing you personally.
4. Lots of phishing emails purport to be from large, well-known organisations (banks, mobile phone providers etc), but the text generally contains a multitude of spelling and grammar mistakes, and the quality of the logo image can be visibly substandard.
5. Check the domain of the email address. Companies use their own domain name (e.g. @clearthinking.co.uk), not generic ones associated with personal use (e.g. @hotmail.com or @gmail.com).

Phishing Websites

After receiving a phishing email you may follow a link to a phishing website, designed to mimic a legitimate page. Here you may be asked to log in, change your details, make a payment or update your card details. Some of the signs of spotting a phishing site are the same as above, such as spelling and grammar mistakes, poor quality graphics and logos, ‘catches’ and unrealistic URLs/domains. A few additional features to look out for are as follows:

1. Pop-up windows can appear as soon as you enter the site, asking for information. Sometimes you can be directed to a real website, but the perpetrator will send a pop-up to gather the data. These malicious pop-ups can sometimes appear on genuine sites, but companies/suppliers don’t ask for sensitive information in this way so don’t give up the information.
2. You receive an alert from your browser telling you that your connection is not secure.
3. Along with the poor spelling, grammar and quality of graphics/logos, further evaluate the design of the website – do menu buttons or links to social media pages work or are they just for show? In a separate window, go to the website directly and compare it against the potential phishing site.
4. Official or reputable websites wouldn’t ask you to pay via bank transfer, so be vigilant if this is the only payment method set up on the website. It indicates the host has no credit card facilities or PayPal account in place.

Additional Examples

spear phish/verb
to phish by deliberately attacking a specific person, sending a crafted email containing personal information luring the recipient to open a malicious link.

Spear phishing attempts to build trust with the recipient by directly targeting an individual, using personal information to make the message seem more authentic.

whaling/noun
a specific type of spear phishing that targets a big phish, often a board member or an employee with access to some particularly tempting assets.

Whaling is a higher-level form of spear-phishing with the victims being people in Executive positions or in a role with access to high-level/sensitive information (e.g. Payroll officer, HR). Sometimes the attack could be made to look like someone in authority, such as a c-suite role, is asking an employee within the organisation to send the information or grant access. This is another example of trying to build trust with the victim in order to get results.

Infectious attachments & links

Phishing emails regularly contain infectious attachments and links are common ways to deliver spyware and ransomware, opening one can infect your computer or device with a virus, compromising security & privacy. Stay vigilant, examine and verify the message before clicking to open anything.

The Clear Thinking team are on hand to empower you and your business to succeed, securely and compliantly.

Subscribe & share to spread the word on a range of topics covering Cyber Security, Risk & Compliance.

Clear Thinking partner with businesses to provide multi-layered cyber security solutions, including certifications, compliance, disaster recovery and more. Further details can be found here: https://clearthinking.co.uk/cyber-security/

P: 0203 327 4560
E: hello@clearthinking.co.uk