We have all heard of phishing, but what is it really, and what can we do about it?
Well, phishing is a cybercrime that aims to deceive us into revealing sensitive information or clicking on malicious links. This seemingly simple tactic poses a significant threat to individuals and organisations alike.
Types of Phishing Attacks
Phishing attacks come in various forms, each designed to exploit specific vulnerabilities:
- Email Phishing: The most common form, where attackers send emails disguised as legitimate sources such as banks, credit card companies, or even Amazon and the post office. These emails often create a sense of urgency or contain enticing offers, prompting recipients to click on malicious links or download attachments containing malware. Ever had an email that goes something like "we had trouble delivering your package, please click here to update your details"? Yeah, you get the idea.
Now we are getting a bit more nuanced with these next attacks but it is good to know what they are so you can protect yourself.
- Smishing: Similar to email phishing, smishing attacks use SMS messages to lure victims. These messages might impersonate delivery companies, government agencies, or even friends or family in distress. An example: "Hi Mum, my phone was stolen and I have to use this one, can you send me £200? xxx"
- Vishing: This method is all about voice calls, with attackers posing as customer service representatives, law enforcement officials, or IT personnel. They attempt to trick victims into revealing personal information or granting remote access to their devices. An example: "Hello, this is David from the Microsoft Security Department; your computer has been hacked and I need to access it to help you."
- Spear Phishing: A targeted approach, spear phishing attacks focus on specific individuals within an organisation. Attackers gather information about their targets beforehand from social media platforms such as LinkedIn, crafting emails that appear highly personalised to increase the success rate.
- Whaling Attacks: Now these are the "big game" of phishing. These attacks target high-profile individuals like CEOs, CFOs, or government officials. They take the most time for the criminal but reap the biggest rewards. These meticulously crafted attacks leverage sensitive information taken from many sources over long periods of time about the target to ultimately gain access to confidential data or financial resources.
How They Do It
Phishing attacks rely on a variety of techniques to manipulate us:
- Social Engineering: Attackers are good at using psychological tactics that exploit human emotions such as fear, urgency, or greed. Phishing emails often create a sense of panic or promise quick financial gain, prompting hasty decisions without proper scrutiny.
- Spoofing: It is easier than you might think for attackers to forge the display name and sender address of an email so that it appears to come from a legitimate entity. Email authentication (SPF, DKIM and DMARC) lets receiving mail servers reject some outright forgeries of a real domain, but only where the impersonated organisation has set it up, and it does nothing against a look-alike domain the attacker registered themselves. The result is a sense of trust that convinces us to click or download without suspicion.
- Urgency and Scarcity: Phishing messages often create a sense of urgency, stating immediate action is required to avoid account suspension or loss of important information. Alternatively, they might entice us with limited time offers or exclusive deals.
- Emotional Triggers: Attackers prey on our emotions like fear or concern. Emails claiming suspicious activity on an account, overdue payments, or even threats of legal action can trigger panic and cloud judgment.
What can we do?
With awareness and proactive measures, we can significantly reduce the risk of falling victim to phishing attacks. Here are some tips and tricks:
- Check Sender Email: Don't just rely on the displayed name. Verify the actual email address and ensure its domain matches the sender's organisation. Bear in mind that a look-alike domain (an extra word, hyphen or swapped letter next to the real brand name) is designed to pass a quick glance, so compare it against an address you know to be genuine.
- Beware of Urgency: Legitimate companies rarely pressure immediate action. Phishing emails often create a sense of urgency to bypass caution.
- Think Before You Click: Hover over links to see the actual URL before clicking (on a phone, long-press the link to preview it). Misspellings, look-alike domains, or a link that leads somewhere unrelated to the supposed sender are signs of a phishing attempt.
- Don't Open Attachments from Unknown Senders: Unless you're expecting an attachment, avoid opening it. Malicious attachments can install malware as soon as they are opened.
- Verify Information Independently: Contact the organisation supposedly sending the email directly, using a verified phone number or website address, to confirm the message's legitimacy.
- Use Strong Passwords and Multi-Factor Authentication (MFA): Use unique, strong passwords for different accounts and enable MFA wherever available. Note that one-time codes sent by SMS or generated by an app can still be phished: a fake login page simply relays the code to the real site in real time. Phishing-resistant methods such as FIDO2 security keys or passkeys are tied to the genuine website address and will not work on an impostor's page.
- Keep Software Updated: Regularly update browsers, operating systems, and anti-virus software to patch the vulnerabilities that malware delivered through phishing relies on.
- Educate Yourself and Others: Stay informed about the latest phishing tactics and share knowledge with colleagues and family to create a more vigilant environment.
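The sender and link checks in the tips above can be partly automated, which is useful both for training material and for a quick triage script. The following Python program is an added example and is not code from the original article or its author. Everything in it is constructed for illustration: the brand allow-list `TRUSTED_DOMAINS`, the `From:` headers and the HTML snippets are made up, and the helper names (`assess`, `lookalike_brand`, and so on) are the example's own. It flags three things the article tells readers to look for: a display name that claims a brand while the address belongs to another domain, a sender or link domain that merely contains a trusted brand name, and a link whose visible text shows one site while its `href` points at another.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a small allow-list of organisations the recipient actually deals
# with, keyed by the domain the real organisation sends from.
TRUSTED_DOMAINS = {"royalmail.com", "amazon.co.uk", "microsoft.com"}

# Matches <a ... href="...">text</a>; enough for the constructed samples below.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url: str) -> str:
    """Lower-cased host of an absolute URL, or '' if the string is not one."""
    parsed = urlparse(url.strip())
    return parsed.hostname.lower() if parsed.hostname else ""


def is_under(host: str, domain: str) -> bool:
    """True for the domain itself and any of its subdomains."""
    return host == domain or host.endswith("." + domain)


def brand_of(domain: str) -> str:
    """Crude brand token: 'royalmail.com' -> 'royalmail'."""
    return domain.split(".")[0]


def lookalike_brand(host: str) -> str:
    """Return the trusted brand a host imitates ('royalmail-redelivery.example'
    -> 'royalmail'), or '' if the host is that brand's own domain or unrelated."""
    if any(is_under(host, d) for d in TRUSTED_DOMAINS):
        return ""
    for domain in TRUSTED_DOMAINS:
        if brand_of(domain) in host.replace("-", ""):
            return brand_of(domain)
    return ""


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def display_name_mismatch(from_header: str) -> str:
    """Brand named in the display name while the address is not that brand's."""
    name, _ = parseaddr(from_header)
    squashed = re.sub(r"[^a-z0-9]", "", name.lower())   # "Royal Mail" -> "royalmail"
    domain = sender_domain(from_header)
    for trusted in TRUSTED_DOMAINS:
        if brand_of(trusted) in squashed and not is_under(domain, trusted):
            return brand_of(trusted)
    return ""


def extract_links(html: str):
    """List of (href, visible text) pairs with inner tags stripped from the text."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in LINK_RE.findall(html)]


def assess(from_header: str, html: str) -> list:
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    domain = sender_domain(from_header)
    brand = display_name_mismatch(from_header)
    if brand:
        findings.append(f"display name claims {brand} but sender domain is {domain}")
    if lookalike_brand(domain):
        findings.append(f"sender domain {domain} imitates {lookalike_brand(domain)}")
    for href, text in extract_links(html):
        target, shown = host_of(href), host_of(text)
        if shown and target and shown != target:
            findings.append(f"link text shows {shown} but points at {target}")
        if lookalike_brand(target):
            findings.append(f"link target {target} imitates {lookalike_brand(target)}")
    return findings


# Constructed samples (not real messages): a delivery-scam email and a genuine one.
PHISH_FROM = '"Royal Mail" <notice@royalmail-redelivery.example>'
PHISH_HTML = ('<p>We had trouble delivering your package.</p>'
              '<a href="https://royalmail-redelivery.example/track?id=123">'
              'https://www.royalmail.com/track</a>')
LEGIT_FROM = '"Royal Mail" <no-reply@royalmail.com>'
LEGIT_HTML = '<a href="https://www.royalmail.com/track">https://www.royalmail.com/track</a>'

if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_HTML), ("legit", LEGIT_FROM, LEGIT_HTML)):
        print(label, assess(hdr, body) or ["no findings"])
```

These checks only look at what the message shows the recipient. They cannot tell a forged `From:` address on a real domain from a genuine one; for that, read the `Authentication-Results:` header your mail server adds, which records whether SPF, DKIM and DMARC passed, and treat a failure or a missing result on a domain that should have them as a further warning sign.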
Stuart Barker | Stuart is a cyber security expert, known as the ISO 27001 Ninja and author of the best-selling ISO 27001 Toolkit. He is Director at High Table the ISO 27001 Company: https://hightable.io