By far the most common form of cyberattack is the phishing scam. Visions of a hooded person in a dark room with matrix code scrolling down the monitor can be safely discarded – phishing is a far more inelegant method of gaining access to personal information for fraudulent activity. Rather than using sophisticated techniques to obtain your information, phishing scams, rather crudely, just ask for it.
Phishing might seem like a funny word, but if you're unlucky enough to fall victim to it, you will agree it’s no joke. Put simply, phishing refers to some form of deceptive communication (usually email). Its purpose is to trick the target into revealing sensitive information about themselves, or to deploy malicious software to the user's machine, such as ransomware.
Understanding Phishing
We’ve all had them - emails which claim to be from a distant uncle offering vast sums of inheritance money. However, they’re not always this obvious. Phishing emails can be very convincing and sophisticated - like-for-like copies of emails from well-known agencies asking for bank details, or emails with files to download. These types of email can be difficult to spot, and if you’re working on autopilot, distracted by a busy day in the office, you can quite easily fall victim. So, if they are this convincing at times, how do you spot them?
Check the email address
Email addresses give off a lot of information, and you should always look at the email domain.
Take HMRC for example. The official HMRC email address for business reminders is no.reply@advice.hmrc.gov.uk.
The part after the @ sign (advice.hmrc.gov.uk) is the email domain. If this part of an email address looks even slightly different from what you would expect, including extra numbers or special characters, do not trust it.
The same goes for common email platforms, like Gmail. No large legitimate organisation uses Gmail. Not even Google.
Apart from small companies which you personally know, almost all organisations have their own domain, with members of staff having company accounts. If you're ever unsure what the correct email domain of a certain company is, just give it a quick Google.
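The domain checks above, written as a small filter a mailbox rule or helpdesk script could apply. This is an added example, not code from the original post; the HMRC domain comes from the post, while the expected-domain and webmail lists and the "lookalike" heuristic are constructed for illustration.

```python
"""Sender-domain check: trusted, webmail, lookalike or unknown (added example)."""
import re
from email.utils import parseaddr

# Constructed allow-list of domains this organisation expects mail from.
# hmrc.gov.uk is from the post; example-supplier.co.uk is a placeholder.
EXPECTED_DOMAINS = {"hmrc.gov.uk", "example-supplier.co.uk"}

# Free webmail providers: the post's point is that large organisations
# don't send official mail from these. Illustrative, not exhaustive.
WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the real address in a From: header.
    The display name is ignored: 'HMRC <x@evil.com>' yields 'evil.com'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(". ")


def matches_expected(domain: str) -> bool:
    """True only if domain equals, or is a subdomain of, an expected domain.
    The dot boundary stops 'hmrc.gov.uk.evil.com' from matching."""
    return any(domain == d or domain.endswith("." + d) for d in EXPECTED_DOMAINS)


def assess_sender(from_header: str) -> str:
    """Classify a From: header as 'trusted', 'webmail', 'lookalike' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if matches_expected(domain):
        return "trusted"
    if domain in WEBMAIL:
        return "webmail"
    # Lookalike heuristics from the post: digits or unexpected characters in
    # the domain (e.g. g0v, non-ASCII letters), or an expected organisation's
    # name embedded in an unrelated domain (hmrc.gov.uk.evil.com, hmrc-gov.uk).
    if re.search(r"[0-9]", domain) or not re.fullmatch(r"[a-z0-9.-]+", domain):
        return "lookalike"
    if any(d.split(".")[0] in domain for d in EXPECTED_DOMAINS):
        return "lookalike"
    return "unknown"
```

Anything other than "trusted" is a prompt to verify by another channel, not a verdict: the heuristics will flag some legitimate domains that happen to contain digits.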
The message creates a sense of urgency
Phishing emails generally work by targeting our basic instincts, and it doesn't get much more primal than our sense of danger. You need to act now or else it may be too late.
Furthermore, if you get a spoofed email from a co-worker who needs something next week, chances are you're going to mention it to them at some point and the deception will unravel. Attackers are counting on you to act quickly, with urgency and without verifying with anyone. Any other way wouldn't work.
Receiving an urgent payment demand for an invoice you weren't expecting may get you in a fluster, leading you to click a link or download a malicious attachment. If something smells phishy, it definitely deserves to be investigated.
Dodgy email attachment
'Infected attachments' refers to a document attached to the email which might seem relatively routine and normal, such as a PDF or .zip file, but actually contains malware. It's very often the case that the email itself is quite ambiguous, with the implication that the attachment will solve the mystery.
For example, an email reading 'Please find attached your latest invoice for your subscription to our services' might seem pretty mundane, but what was purchased? Of course, under normal circumstances, it's certainly worth investigating a legitimate business invoice. However, it's advisable never to open an attachment unless you know the source of the email is legitimate. Even if you're fully confident that the sender is legitimate, don't ignore the warning signs. If you receive a warning about the file from Outlook or Gmail, don't dismiss it; pick up the phone or choose another form of communication to verify.
Phishing in the Real World
While phishing emails may have become a comical anecdote from the depths of your junk mail box, the reality is that many of these cyberattacks can be highly effective and hugely damaging.
Take Facebook and Google – two of the most tech-savvy companies in the world. You would assume such companies would be resilient to malicious emails and phishing. However, between 2013 and 2015, a fraudster impersonated a Taiwanese electronics manufacturer which has Facebook, Google and Apple as clients. Facebook and Google fell victim to these fake invoices, paying significant sums of money to the impersonator. Think millions of dollars.
Facebook and Google detected the fraudulent activity and recouped some of the funds, while the cyberattacker was caught and sentenced.
This real-life example shows that even the largest of companies can be duped. But all is not lost - we can all learn lessons from the case. For smaller companies, it is incredibly important to have financial processes that are as robust as possible, and to always think twice before handing over sensitive information or paying invoices requested over email.
Best Practices for Email Security
There are a number of things you can do to make sure your email system is secure and protected from cyberattack.
Keep software and security systems up-to-date
Use strong, unique passwords and enable two-factor authentication
Educate yourself and others about the phishing tactics discussed above
Regularly back up important data
Conclusion
It is so important for your business to be aware of cybersecurity and remain vigilant to protect your assets. Remember – don’t rush, think twice, check the sender and trust your gut.
We can help you to stay informed and protect yourself from phishing attacks – contact our team to find out more.