Far and away the most common form of cyber-attack is phishing scams, visions of a cool, savant, hoodied person in a dark room rapidly smashing away at a keyboard with matrix code on his monitor can be safely discarded, phishing scams are a far more inelegant method of gaining access to peoples accounts. Rather than using sophisticated, esoteric methods to gain access to your information, phishing scams, rather crudely, just ask for it.
What is Phishing?
Phishing might seem like a funny word, but if you're unlucky enough to fall victim to it, it won't be a joke at all. Put simply, phishing refers to some form of deceptive communication (usually email) which is designed to trick the target into revealing sensitive information about themselves to the attacker or to deploy malicious software to the user's machine, such as ransomware.
This sort of scam predates the internet and probably predates the industrial revolution. Deception and manipulation come in many forms, phishing is really just the modern digital equivalent.
Emails which purport to be from a distant uncle offering vast sums of inheritance money have entered the mainstream consciousness and become jokes, most people understand and delete these sorts of emails, and they don't get sent as often either. Phishing evolves as our resilience to old tricks evolves, so phishing emails are always changing. How do you spot them?
Check the email address
Email addresses give off a lot of information, if you get an email from eBay, but the email is a Gmail account, the email is certainly a phishing attempt.
No legitimate organisation uses Gmail. Not even google.
Unless the organisation is a one-man band which you personally know, almost all organisations have their own domain, with members of staff having company accounts. For example, a genuine Google email will read something like "accounts@google.com" as the sender.
If you're ever unsure about what the correct email domain of a certain company is, just give it a quick google.
The message creates a sense of urgency
Phishing emails generally work by targeting our basic instincts, and it doesn't get much more primal than our sense of danger. You need to act now else it may be too late.
Furthermore, if you get a spoofed email from a co-worker who needs something next week, chances are, you're going to mention it to them at some point, when you do, the jig is up. Attackers are counting on you to act quick, with urgency and without verifying with someone, any other way wouldn't work.
A boss asking "Why a transaction hasn't gone through? it's late! senior staff are waiting on you to do this!" is something that smells phishy and definitely deserves to be investigated.
Dodgy Email Attachment
'Infected attachments' refers to a document attached in the email, which might seem relatively routine and normal but actually contains malware. It's very often the case that the email itself is quite ambiguous, with the implication that the resolution to the mystery will be solved in the attachment.
For example: A 'Please find your latest invoice for the subscription to our services, please find it attached' might seem pretty mundane, but what was purchased? Of course, under normal circumstances, it's certainly worth investigating a legitimate business invoice. However, it's advisable to never open an attachment unless you know the source of the email is legitimate. Even if it is the case that you're fully confident in that the sender is legitimate, don't ignore the warning signs. You might receive a warning about the file from outlook or Gmail, don't ignore it, pick up the phone and choose and alternative form of communication to verify.
Unfamiliar Greeting/ Content
If a co-workers account has been compromised, your only way of telling would be the content of the email, and the greeting is a very strong indicator, Emails between colleagues often start informally, "Hey mate" rather than "Dear John" might be the first sign that something fishy is happening.
The difficulty of dealing with this situation is, if email is being sent from a boss, the scam can be particularly effective as the employee may too afraid to confront their boss, even if they did expect foul play. If they do end up being wrong about the nature of the message and it's end being legitimate, they're effectively suggesting the bosses conduct/ request was unprofessional.
Getting everyone on the same page about prudently verifying emails via a quick phone call can be difficult to ingrain in the office culture. A collective staff training session can go a long way in not seeing a them verifying an email as offensive.
Get in touch to arrange one of these sessions, bespoke to your business.