Phishing the quick guide | What is Phishing? | How Does Phishing Work | Types of Phishing
What is Phishing?
Phishing the quick guide explains the threat to a company through the staff. Phishing comes under the category of cybercrime where an individual is contacted by way of email, text message, or telephone. The sender will look to gain trust by impersonating a work colleague, (usually one in senior management), or legitimate business contact. Because of this the target will therefore be more open to passing sensitive data such as, banking details, personal information and passwords.
Once the impersonator has the required information they can therefore access company records or the financial system.
How Does Phishing Work?
With Phishing the quick guide out the way, detailed below are phishing examples. These examples show just how competent the criminals are.
An email Phishing attempt:
Stage 1) The criminal may look at Linkedin profiles for the target and also their managers, or clients. Cashiers or invoice approvers or treasury obviously being a prime target.
Stage 2) Review and preparation of harvested information. This could even be reviewing an individual’s style of writing or the way they sign off an email.
Stage 3) Craft an email. An email could have a subject of urgent and require funds to be transferred to an account or eve a link in the email to a “secure management fund transfer portal”. Typically this will involve urgency and a demand. The body of the email may well be:
“ I’m meeting client XYZ and my wallet was left in the taxi, I have cancelled the cards but need to take the clients out in the next hour. Can you send £1,000 to the below account details, we can sort the reclaim when I’m back in the office tomorrow”
Stage 4) Ensure the email from field shows the legitimate email address which is easy to achieve in an email software’s settings
Stage 5) Sit back and see if the fish of Phish bites!!
Types of Phishing (to name a few)
The above was a simple email phishing technique but there are many others that follow the same pattern
- Gain the confidence and ask for detail of to click a link which ultimately ends up at a cloned website that again asks for details to be input.
- Asking for sign up credentials
- Posing to be a bank or other trusted source that require login credentials to be entered
- A letter asking you to call a number urgently (usually a premium rate number)
- Asking to call and the try and extract data
- Impersonating a client or colleague in an attempt to extract details. These can be more be harder to overcome as the criminal can adjust their approach to suit the responses
How to Identify Phishing
So now the world looks a bad place and do we ever trust an email again…….
However there are steps that can be taken.
If a request is urgent take 10 minutes to review a few key items:
Take time to check:
- Is the person actually out the office (it maybe harder for a scammer to know this)
- When was the email sent (business hours?)
- Give the person a call to confirm the email and bank details, However do not call from any number seen on the email. Use your existing or company database to find the number
- Look for spelling mistakes, unusual phrasing or sign off not usual with the contractor
- Is the ‘replyto’ email the same as the sender email. An email can come in as ‘John@ABCsomecompany.com’ but the reply sends to ‘firstname.lastname@example.org’
- Are their hyperlinks in the body to open websites
- Ask advice from another manager or security team
A director will have a better story to tell to a client of how he lost his wallet and was waiting on funds than explaining how his company had just been subject to fraud, so take those 10 minutes.
Websites design and set up is accomplished within an hour and because of this cloning a bank template is fairly easy to do. From the above example the email may give a “secure managers link” to transfer these funds. This link will open up a fictitious or cloned website. There will be a request to enter login and or bank details. This will be sent directly to the criminals.
These websites maybe identified by some of the following methods:
- Blurred logo images
- Spelling mistakes
- Look for https in the address bar
- Do all the links work or are some just for show or lead to error pages
- Ensure the address bar is that of a bank such as ‘www.mybank1234.com’ and not ‘freeaccount/mybank123.com’
How to Prevent Phishing
There is good news in that there are ways to prevent phishing attacks. Staff are on the front line in these attacks and so educating them is a worthwhile investment if it stops greater financial loss and keeps private data secure.
Ensuring reputable malware protection and cyber security software is in place is essential as these can stop phishing email from reaching the inbox. They can also block links to red flagged external websites.
Introducing a cyber security protection plan
Introducing such a plan is also key to cover staff training, attack response and lessons learnt. Datplan’s Cyber Control software delivers Cyber security solutions, fraud detection and system vulnerability checks to keep your business safe and in control of it’s Cyber Security Risks.
Datplan also recommend ESET as an anti-malware provider As an approved reseller we have the latest deals and products. Contact us for Cyber Control or ESET products.
What To Do In The Event Of A Phishing Attempt
Make a log of the attempt and details and inform all staff. There are also 3rd parties that should be informed to investigate such as:
As skilled as you are at your job the cyber criminals are just as skilled in theirs. Make no mistake, this is a job for them and it’s in a multibillion dollar industry! The risk will never go away but companies can ensure they have the best chance to defend against cyber risks by employing security solutions or read best practice guides books. Just as your property is protected by multiple devices such as locks, alarms and CCTV, Your network and company assets should also have the same levels of protection.
If you enjoyed reading Phishing the quick guide check out the Datplan Cyber Security Blog.