As our professional and personal lives continue to increasingly depend on various forms of technology and connectivity, the peril of phishing scams looms larger than ever.
In recognition of the penultimate week of Cyber Security Awareness Month 2023, and this year’s topic of ‘online safety’, our thoughts now turn from Multi-Factor Authentication to Phishing. From the familiar, yet still effective, ‘classic’ phishing scams, to the more sophisticated and increasingly tailored approaches, the deceptive nature of phishing emails continues to wreak havoc, leading to compromised data, financial losses, and breached confidentiality.
The ability to recognise these often-nuanced phishing scam variations is crucial to the development of effective strategies for both phishing detection and prevention. Arming ourselves as individuals and as businesses with enough knowledge of common phishing email characteristics and using this to implement robust security measures is essential.
What is phishing and how does it work?
Phishing is a cyberattack where attackers pose as trusted entities to trick individuals into revealing sensitive information like login credentials, personal details, or financial info. This usually happens through email, text messages, or social media. Here’s how it works:
- Attackers create fake, convincing messages that mimic legitimate organisations.
- They use urgent, tempting, or threatening language to push victims into taking actions like clicking links or giving out confidential data.
- When victims comply, attackers gain access to sensitive information for malicious purposes.
What are the main types of phishing attacks?
There are several types of phishing attacks, including:
- Email Phishing: The most common form, where attackers use fake emails to trick recipients.
- Spear Phishing: Like email phishing, but more targeted, as attackers tailor messages to specific individuals or organisations.
- Pharming: Redirecting victims to fraudulent websites that look legitimate (e.g. a clone of a banking website) so that they submit their sensitive information.
- Vishing: Phishing via phone calls, where attackers pose as trusted individuals or organisations.
- Smishing: Phishing through text messages (SMS), where victims receive malicious links or requests for personal information.
- Whaling: Targeting high-profile individuals, such as CEOs or executives, to steal sensitive corporate data.
- BEC (Business Email Compromise): Attackers impersonate trusted entities to trick victims into making financial transfers or revealing sensitive data (e.g. an invoice from a legitimate company carrying fraudulent banking details).
How can you detect a phishing email?
Detecting a phishing email can be challenging, but there are some signs to watch for:
- Check the sender’s email address: Verify that it matches the official domain of the organisation (e.g. an email from your trusted bank should not be sent from a Gmail domain).
- Look for spelling and grammar errors: Phishing emails often contain mistakes.
- Examine any URL: Hover over links to see the actual destination without clicking on them (e.g. for a button reading “Log in here”, hover your mouse over it to reveal the destination link).
- Be cautious of urgent or suspicious requests: Scammers often create a sense of urgency with threatening or tempting language.
- Check for generic greetings: Legitimate organisations usually use your name (e.g. your trusted bank will not greet you as “Dear Customer”).
- Verify with the organisation: Should any of these telltale signs cast doubt on an email’s authenticity, contact the organisation independently to confirm it.
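A small checker that applies the signs above to a message, added here as an illustration (not KHIPU's tooling): it parses a single-part HTML email and reports a sender domain that does not belong to the organisation named in the display name, links whose real destination differs from the claimed brand or from the visible link text, a generic greeting, and urgency phrases. The trusted-domain table, the keyword lists and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lookup of organisation names to their legitimate domains (constructed).
TRUSTED = {"example bank": {"examplebank.com"}}
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
GENERIC = ("dear customer", "dear user", "dear account holder", "valued customer")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

def belongs_to(host, domains):  # host is one of the domains or a subdomain of one
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw: str) -> list[str]:
    """Return the checklist red flags found in a raw single-part HTML email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    html = msg.get_payload()
    text = TAG_RE.sub(" ", html).strip().lower()
    claimed = [org for org in TRUSTED if org in display.lower()]
    findings = []
    # 1. The sender's domain must belong to the organisation named in the display name.
    for org in claimed:
        if not belongs_to(sender_host, TRUSTED[org]):
            findings.append(f"sender domain {sender_host} does not belong to {org}")
    # 2. Hover check: the real link host vs the claimed brand and the visible text.
    for href, inner in HREF_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        label = TAG_RE.sub("", inner).strip()
        for org in claimed:
            if not belongs_to(host, TRUSTED[org]):
                findings.append(f"link '{label}' goes to {host}, not {org}")
        shown = re.search(r"[\w-]+(\.[\w-]+)+", label.lower())
        if shown and not belongs_to(host, {shown.group(0)}):
            findings.append(f"link text shows {shown.group(0)} but goes to {host}")
    if any(text.startswith(g) for g in GENERIC):  # 3. generic greeting in the opening words
        findings.append("generic greeting")
    findings += [f"urgency phrase: {w}" for w in URGENCY if w in text]  # urgency anywhere
    return findings

# Constructed sample: the display name claims the bank, nothing else does.
SAMPLE = """From: Example Bank Security <examplebank-alerts@gmail.com>
Content-Type: text/html

<p>Dear Customer,</p><p>Your account will be suspended unless you
<a href="http://examplebank.com.example.net/x">Log in here</a> immediately.</p>
"""
```

Running `check_message(SAMPLE)` lists all four kinds of red flag for the sample, while a message from the real domain with a matching link and a personal greeting returns an empty list.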
What can businesses and individuals do to protect themselves against phishing?
There are several actions a business and individuals can take to protect themselves:
- Regular education and training so that employees and individuals can recognise phishing attempts and follow best practices to protect against them.
- Businesses should invest in email filtering systems to detect and block phishing emails.
- Implement Multi-Factor Authentication (MFA) for accessing sensitive accounts and services, which is another way to prevent a phishing attack from resulting in unauthorised access.
- Have a dedicated process in place to report phishing attempts to the appropriate authorities or IT/security departments.
KHIPU simulated phishing services
Simulated Phishing & Awareness Training Services (Phishing As A Service – PhaaS). Providing user awareness training can help your organisation protect against cyber threats. Our Cyber Security Awareness Training service offers a complete and tailorable package for educating your users, including:
- Simulated phishing emails – Fully customisable for different requirements and scenarios.
- Simulated phishing websites – Fully customisable to your domain, website and intranet.
- On-Demand branded education landing pages to promote staff awareness & training.
- Training modules with videos (customisable), interactive quizzes and tests.
- “Cyber Security 101” Classroom Training held onsite, offsite at our training centre or virtually (online), led by Cyber Security trainers for improved staff awareness, security policy compliance and employee inductions.
- Detailed reporting showing stats/graphs after each phishing campaign, illustrating the ‘risk’ to your organisation and used to show improvements as more training takes place (ROI).
- Security “pay as you go” services
Find out more about our Simulated Phishing Services here, or complete the form below to contact one of the KHIPU team.