Scammers have many ways of stealing our private data, but phishing attacks remain one of the most common, and the threat is growing. It can feel as though there is no end to these attacks, and it is hard to know who we should and shouldn't trust.
What are phishing attacks?
‘Phishing attacks are the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.’ (Oxford Dictionary)
These emails can appear to come from trusted senders such as postal services, websites you have previously bought from, online streaming services and even work colleagues. Once a vulnerability has been found, attackers can install malware and steal your sensitive personal information and intellectual property. This theft of data can cause serious security problems for companies and leave individuals exposed to identity theft. In the last 12 months there has been an increase in phishing attacks, with 39% of businesses reporting a cyber attack during this period, according to the Information Commissioner's Office (ICO). Remember that all your devices are open to phishing attacks, so take care on every device you use: mobile devices give attackers several channels to exploit (SMS, WhatsApp, social media and gaming apps), each of which can be used against you.
Common phishing attacks
A phishing attack is built around either a malicious attachment or a link to a malicious website. Attachments are given harmless-looking names such as ‘invoice’ to encourage users to open them; once the file is opened, the malware is installed on the computer. Links work a little differently but with the same outcome: an email sent from a legitimate-looking address directs you to click a link that takes you to a malicious website, and as soon as the link is clicked the malware is downloaded or scripts run to harvest your credentials.
Spear phishing: this is a more personalised attack. It uses a customised ploy that includes the user's details, such as their name, phone number or email address. Because the message is tailored to the user, the attachment or link is more likely to be opened or clicked, as the user believes an existing connection with the sender exists. Scammers may appear to have only limited information about you, but by pulling information from social network pages they can quickly find your email addresses, where you live, your friends list, your interests and your hobbies. Because of its personalised nature, spear phishing is the most successful method of acquiring sensitive and confidential information on the internet.
Deceptive phishing: these attacks aim to gain the victim's trust so that they unknowingly enter personal data and login details. This type of attack has been widely publicised in recent months, for example the Royal Mail text scam, which pushes the user towards a copycat website and asks for payment for an undelivered parcel; more recently the same type of attack has appeared purporting to come from DPD. Once the user enters their credentials, the hacker is able to withdraw large sums of money.
CEO fraud: these attacks are carried out either from a compromised CEO email account or under a fake title. CEO fraudsters abuse the authority that senior staff have over junior staff to request unauthorised money transfers or confidential financial data.
Best ways to protect yourself from phishing attacks
The best way to protect against phishing attacks is a multi-layered strategy, as recommended by the National Cyber Security Centre (NCSC); this improves resilience and minimises the damage a phishing attack can cause.
- Use security software to protect your computer, and make sure it is set to update automatically so it can deal with new security threats.
- Give your mobile phone the same protection: make sure its software is set to update automatically.
- Use multi-factor authentication on all your accounts. Many accounts offer multi-factor authentication, which requires two or more credentials to log in; this makes it much harder for scammers to get into your accounts even if they do obtain your username and password.
- Protect your data by backing it up. Keep backups disconnected from your home network: copy your computer files to an external hard drive or use cloud storage. Back up the data on your phone as well.
- Have an organisation-wide policy that requires two forms of confirmation before any financial transaction can take place. This can help prevent attacks.
- Respond quickly to incidents. Responding quickly to a phishing attack limits the potential for further damage; a response plan that includes forcing password changes on compromised accounts and removing malware promptly goes a long way towards mitigating losses.
Things to watch out for, as these are all likely signs of a phishing attack:
- Misspelt emails and domain names (even if you have to look and look again)
- Poor grammar
- Urgent/persuasive language
- Suspicious links and attachments
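To turn the warning signs listed above, together with the attachment and link mechanics described under "Common phishing attacks", into something a help desk can run over a reported message, here is an added example that is not part of the original article: a small Python triage script that parses a raw email and reports look-alike sender domains, a reply-to address that does not match the sender, urgent wording, links whose visible text points somewhere other than their real target, and attachments with executable or double extensions. The trusted-domain allowlist, the urgent-phrase list, the look-alike heuristics and the sample message are all constructed for the example and are deliberately simple.

```python
"""Heuristic phishing triage for a raw email.
Added example, not from the article; allowlist, phrase list and sample message are constructed."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"royalmail.com", "dpd.co.uk", "example-corp.com"}
URGENT_PHRASES = ("action required", "within 24 hours", "immediately", "urgent",
                  "final notice", "account will be suspended", "verify your account")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso", ".lnk")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: a parcel-fee lure with a look-alike sender, a mismatched reply-to,
# a link whose visible text differs from its target, and a double-extension attachment.
SAMPLE_EMAIL = b"""\
From: Royal Mail Parcels <delivery@roya1mail.com>
Reply-To: collections@parcel-fee-portal.net
To: alice@example-corp.com
Subject: Action required: your parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset="utf-8"

<html><body><p>Your parcel is held pending a fee. Pay within 24 hours or it will be returned.</p>
<p><a href="https://parcel-fee-portal.net/pay">https://www.royalmail.com/track</a></p></body></html>
--sep
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--sep--
"""


def _normalise(domain: str) -> str:
    """Fold common look-alike substitutions so 'rnicrosoft' compares equal to 'microsoft'."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances to a trusted name suggest a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if _normalise(domain) == _normalise(trusted) or _levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def _domain_of(address: str) -> str:
    return str(address).rsplit("@", 1)[-1].strip("<> ").lower()


def _host_in_text(shown: str):
    """Host name the link *appears* to go to, if its visible text looks like a URL."""
    match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown.lower())
    return match.group(1) if match else None


def triage(raw: bytes) -> list:
    """Return human-readable findings for a raw RFC 5322 message; empty means nothing flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_dom = _domain_of(msg.get("From", ""))
    reply_dom = _domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} looks like {imitated}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    lowered = (str(msg.get("Subject", "")) + " " + html).lower()
    for phrase in URGENT_PHRASES:
        if phrase in lowered:
            findings.append(f"urgent language: '{phrase}'")

    for href, shown in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = _host_in_text(shown)
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        elif lookalike_of(href_host):
            findings.append(f"link host {href_host} looks like {lookalike_of(href_host)}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
            findings.append(f"suspicious attachment name: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, `triage(SAMPLE_EMAIL)` returns six findings, one for each lure the message carries. The heuristics are a starting point for a help-desk checklist, not a filter: a message with no findings still deserves the "when in doubt, don't open it" treatment, and the allowlist must be kept to the domains the organisation really deals with.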
If you have any concerns or suspicions at all, contact your IT support team; if you are an individual, just don't open it.
If you would like any further advice or information, we are able to help; please contact us here.