What is Phishing?
Cyber criminals are phishers, and when it comes to phishing, you are the fish and the bait is usually contained in a scam email or text message. The cyber criminal’s goal is to convince you to click on website links or download malicious attachments within their scam email or text message, or to give away sensitive information (such as bank details). Once your personal details have been accessed, criminals can then record this information and use it to commit fraud crimes such as identity theft and bank fraud. The unfortunate thing is that these communications tend to look genuine, and look like they have been sent from an authentic organisation i.e. a company which you buy from or engage with.
There are Three Main Phishing Attack Methods
- Mass-Scale Phishing – this is the most common type of phishing attack, where fraudsters cast a wide net of attacks that aren’t highly targeted to a broad range of victims. Characteristics of mass-scale phishing include a sender and/or domain that sounds almost, but not quite legitimate, an impersonal greeting i.e. “Dear Sir/Madam”, poor grammar and spelling, messages have a sense of urgency or try to scare the victim “Your account is out of date, act immediately”, imitates an authentic brand (or tries to!) and may have a zip file attached which contains malicious files, when downloaded to the victim’s computer.
- Spear Phishing – this is tailored to a specific victim or a group of victims. The trick to this technique is that cyber criminals use personal information to earn trust and lower the victim’s defences, as they think that as this is a message highly personable to them, therefore more likely to engage, and the chances of opening attachments or clicking malicious links is higher
- Whaling – this is the grandest of phishing attacks. This is a specialised type of spear fishing that targets a “big” victim within a company e.g. CEO, CFO, COO, CMO and other very senior people within businesses. The cyber criminals aim is to steal sensitive information from a company, as these senior level people within companies typically have access to sensitive data.
Types of Phishing
- Email Phishing is the most common, and tend to fall under the Mass-Scale and Spear Phishing methods as mentioned above, in a bid to fool unsuspecting victims into revealing their sensitive personal and/or financial information.
- Phone Call or Vishing this describes the act of phone calls which trick victims into revealing their personal information. Vishers tend to be smart and sometimes use information from social media profiles to make it sound as though the call is legitimately coming from a bank, credit company or HMRC. Remember if it’s a too good to be true offer – then its most likely vishing, the number is blocked or coming from a region which you are not sure of and the caller is using fear tactics or threats i.e. “your account has been deactivated, activate it now to not receive fines” then its most likely a scam, and think twice before sharing any personal and sensitive information.
- SMS or Smishing attacks are where fraudsters send phony texts in attempt to con you into divulging private information. Key characteristics of Smishing are unsolicited texts from unknown phone numbers, texts sent from random numbers, incomplete information from your personal info such as part credit number, links to visit fake websites which request your personal information
- Social Media Phishing if you’re on social media, you may receive duplicate friend requests from someone you are already friends. Key characteristics of social media phishing are a duplicate friend request from someone who you are already friends with, a notification of someone creating a new account replacing their old account, private messages from someone in your contacts asking you to click on links taking you through to spoof sites requesting personal information. Cyber criminals are effortless and will use your personal social media network to target you and gain sensitive information from you.
- Always be aware and vigilant, when responding to emails or phone calls, never give your login or personal details. If you receive an email from a company claiming to be legitimate but is requesting sensitive information tell them you will call them back. Use a contact number from you latest bank or credit card company and then call them directly and ask if they called or requested information via email to confirm the message is genuine
- Use your SPAM filter in your email – mark the message as spam and delete it. This ensures that the message cannot reach your inbox in future.
- Know your source: Never respond to a message from an unknown source. Take care not to click any embedded links. Phishing emails are sent to a vast number of randomly generated addresses. However, clicking embedded links can provide verification of your active e-mail address. Once this occurs it may facilitate the targeting of further malicious emails. Even “unsubscribe” links can be malicious. Ensure that the e-mail is from a trusted source and you are, in fact, subscribed to the service.
If you or your business has fallen victim to Phishing scams or wish to find out how we can provide support when it comes to all things Cyber and Security – find out more here or contact us on 02030968946 and our representatives will be able to support. Alternatively, please fill in a contact form and one our team members will be in contact.
Sources: www.hackernews.com / www.thehartford.com / www.ncsc.gov.uk