Don’t get hooked by phishing

By Austen Clark, managing director of Clark IT

Phishing is trawling to new depths – and catching people out hook, line and sinker.

Would you believe that in your inbox, one out of every hundred emails received is probably a phishing attempt? And one simple slip up could compromise an entire organisation.

Phishing email scams have existed for as long as the internet, but they have become smarter, slicker and more sophisticated.

Phishing is basically a cyberattack disguised in an email. The aim is tricking the recipient into believing the message is something they want to read and to create a reaction – respond, click, answer or follow to name a few.

Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers use email, as well as social media and phone calls, to get access to valuable data. That’s why businesses are a particularly worthwhile target for them.

The organisations that scammers impersonate can be retailers or paid services, giving them a reason to ask for your bank details in an email. It may look like a request from a bank, or the HMRC, or a pizza firm you’ve ordered a takeaway from, and may contain a link to an attachment or a URL link. It’s moved on from the clichéd online scams offering Viagra tablets that stood out like a sore thumb.

Phishing emails commonly focus on either money or account details. A common scam used by cybercriminals is pretending to be a business and asking users to update the payment details on their profile or risk their account being suspended.

Fraudulent emails claiming to be from HMRC might inform you of a tax rebate or penalty – something which the real HMRC says it would never contact a user about via email.

Be suspicious – question links that ask you to input your personal details (particularly debit or credit card information) when prompted to do so by an email, even if you think you know who the sender is. Check before you click, every time, be a sceptic, not everything that is too good is too good – it almost never is.

If in doubt, contact the business cited as the sender through their official channels, example by phone, email or social media, and ask them to confirm the message is legitimate before you do anything else. Don’t simply reply to the email, send a fresh email to your contact to check.

Never place yourself in a situation where you transfer money ” because you’ve had an email conversation with someone” that hasn’t been confirmed outside that line of communication.

One of the easiest ways to spot a phishing message is to pay attention to the email address of the sender. Often the addresses used to send scam emails look extremely unofficial, containing many numbers or a jumble of letters.

Genuine communications from established companies, banks or government departments will usually come from a simple address that uses the website’s domain.

Other tell-tale signs include misspellings, poor grammar and poorly presented text in the body of an email which has few logos and official-looking status.

If you think you have received a phishing email, you should report it to your organisation’s data protection officer or IT department. Many large firms have a dedicated phishing email address set up, to which any suspicious messages can be sent on before deleting the original from your own inbox.

The main thing is, if sceptical, not to click on any links or download any attachments included in the email, and do not input any personal information requested.

No one is immune to a possible phishing attack – all it takes is one employee to take the bait. Ina company with 50 employees, that’s 50 possible attacks.

That’s why security awareness training is the number one way to fight back against phishing, as it raises awareness to reduce human error.

All it takes is one person, one time, to be careless and they could fall victim to this online con. It’s one of the oldest types of cyberattacks, and still one of the most widespread and pernicious.

Because the common theme used in the distribution of phishing emails focus on subjects many organisations find themselves dealing with on a regular basis – but with fake despatch notifications, invoices, or requests for quotes and purchase orders – recipients are more likely to think the request is genuine.

The thinking behind these tactics is that as users commonly see these types of emails and attachments, they’ll go ahead and open documents, and act as instructed.

So always be on guard – and ensure everyone in your organisation is too – and remember that if an offer in an email seems too good to be true, then it probably is.

My top advice to help close the net on phishing:

1. Ensure employees to be on their guard – build awareness raising exercises into staff training.
2. Use a SPAM filter that detects viruses and blank senders
3. Keep all systems current with the latest security patches and updates.
4. Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
5. Have a security policy that includes but isn’t limited to password expiration and complexity.