Cybercriminals launch thousands of cyber-attacks every day. With 83% of organisations falling victim to a phishing attack in 2021 (source), cyber security needs to be a top priority for businesses of any size.
It only takes one small mistake for major business impact to occur.
Commonly arriving on a device in the form of an email or a text message, phishing scams use social engineering tactics to trick users into giving away personally identifiable information (PII), such as bank details and login credentials. Once a user has shared their information, the criminals can gain access to online accounts, further passwords, and worse, finances.
During the COVID-19 pandemic, incidents of phishing rose by 200% (Source), and this trend has continued to grow.
With this knowledge in mind, organisations must implement mitigating measures, such as multi-factor authentication and employee training, to prevent attacks from happening in the first place.
Common phishing scams
Just as technology is evolving, phishing attacks progress and change according to new tools, trends, and current affairs. Therefore, being aware of the latest developments is essential.
Spear phishing
When criminals target their attack at a specific audience or group, for example members of a specific organisation, it is known as ‘spear phishing’.
When it comes to spear phishing, cyber criminals have done their research. Typical attacks come in the form of an email, containing information specific to the target, such as their name or job position. Often, the email sender appears to be a trusted and familiar source.
Indeed, a report discovered that recipients are 10 times more likely to fall for spear phishing than a general phishing attempt.
Smishing (SMS phishing)
Smishing is phishing via text. Today, email service providers work hard to recognise phishing emails and either stop them from entering your inbox entirely or siphon them into your junk folder. However, text messaging doesn’t have the same capability. For this reason, smishing is often harder to identify, meaning more people fall victim to this tactic than to other attempts.
Vishing (voice phishing)
The incessant calls you receive from people impersonating banks or organisations that request your details aren’t just pesky, they’re phishing. A lesser-known form of cybercrime, vishing scams use the phone to steal personal information from victims. Often a caller will pretend to be phoning from a government organisation, the police, or the victim’s bank. They use clever social engineering tactics to convince the receiver to share private information and bank details.
The callers will use threats and persuasive language to make victims feel like they have no other option than to share their information. Having the courage to ignore or hang up on these calls is vital, which is why training is so important.
Social media phishing
Nowadays, nearly every individual and organisation is on social media. So, it’s no surprise that cybercriminals are turning to social platforms to reach businesses. According to Proofpoint, 74% of businesses surveyed have suffered a phishing attack. While some scams are more blatant, e.g., sending links via private direct message, others can be harder to spot, such as cybercriminals who take control of friends’ profiles.
How do you spot a phishing attempt?
1. There are suspicious links and/or attachments in an email
Before clicking on any links to bogus websites or opening any attachments, you need to be certain that the email or message you’ve received isn’t a phishing attempt. The aim of these links/attachments is to capture your private information, such as credit card details, login credentials, account information or phone numbers. You should NEVER share these with anyone.
One tell-tale sign of a phishing attempt is that the destination address of a suspicious link doesn’t match the context of the email. For example, a phishing email disguised as Barclays could contain a link that doesn’t take you to anything Barclays related. Be warned, often these links are hidden in buttons and images. Hover a mouse over the button or image before you click – it’ll show you the destination of your click.
We advise that you never download or open any attachments, or click any links or buttons, unless you are confident that the email or message is from a legitimate source. Double check, it could save you a lot of hassle (and money).
2. The email comes from a public domain (e.g., @gmail.com)
Most organisations have their own domain name, for example, ours is SupPortal.co.uk. When we send an email, our business addresses all end @supportal.co.uk. We don’t use public domains such as @gmail.com, @outlook.com or @live.com.
If the domain (the portion after the @ symbol) does not match the supposed sender organisation, then do not click on links or reply to the email. Contact the supposed sender organisation directly using your own channels to respond.
3. The domain is spelt incorrectly
This one can be tricky to spot, and therefore users need to look for it specifically. At first glance, the domain name may look correct; however, a simple spelling mistake or an added word is a hidden clue that this could be a scam.
It’s worth noting that anyone can buy a domain name, and phishing scammers often do. A domain name that is similar to, or spelt slightly differently from, the legitimate organisation’s is a common tactic. For example, criminals might look to imitate Barclays.co.uk by using the domain barcleysbank.com.
4. The content is poorly written and has grammatical errors
An easy way to tell if an email or message is a scam is to check for spelling mistakes. Often, criminals use online translation apps to convert copy from their native language into many other variations. These typically aren’t the most accurate methods of forming well-written copy, so a conscious read through of the content and the small print could well unearth some clear clues that the communication isn’t legitimate.
Sometimes it’s all in the grammar and punctuation, so it’s worth having a more concentrated look to help you decide.
5. The content requests urgent action
If an email requests urgent action, or an immediate response, this is a red flag. In these instances, the sender is hoping you will share your personally identifiable information without allowing yourself appropriate time to consider whether it’s a scam.
A common tactic is for criminals to try and pose as your boss. They know that most people would drop everything to provide what they are asking for, so they use that in their favour.
Take some time to return to the message later, with fresh eyes, to check for any more fraudulent clues. If the email is supposedly from your boss, give them a call to find out.
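Signs 1 to 3 above can be checked mechanically before anyone clicks. The script below is an added example, not SupPortal’s own code: the trusted and public domain lists and the sample message are constructed, the base-domain extraction is a crude stand-in for a public-suffix list, and sign 1 is approximated by comparing each link’s host with the sender’s domain.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed lists: domains we expect mail from, and the free webmail domains the post flags.
TRUSTED_DOMAINS = {"barclays.co.uk", "supportal.co.uk"}
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "live.com"}
HREF_RE = re.compile(r'href="([^"]+)"', re.I)

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand(host):
    """Label before the public suffix: 'barclays' for www.barclays.co.uk (crude, not a PSL)."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"}:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def lookalike_of(domain):
    """Sign 3: a trusted brand misspelt by one edit, or buried in a longer label."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = brand(domain)
    for trusted in TRUSTED_DOMAINS:
        tb = brand(trusted)
        for n in (len(tb) - 1, len(tb), len(tb) + 1):  # window width allows one insert/delete
            for start in range(max(1, len(label) - n + 1)):
                if levenshtein(label[start:start + n], tb) <= 1:
                    return trusted
    return None

def triage(from_header, html_body):
    """Apply signs 1-3 from the post to one message; return the list of findings."""
    findings = []
    domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    if domain in PUBLIC_DOMAINS:                       # sign 2: public webmail sender
        findings.append(f"sender uses public domain {domain}")
    if (trusted := lookalike_of(domain)):             # sign 3: misspelt trusted domain
        findings.append(f"sender domain {domain} resembles {trusted}")
    for href in HREF_RE.findall(html_body):           # sign 1: where links really go
        if (host := urlparse(href).hostname) and brand(host) != brand(domain):
            findings.append(f"link to {host} does not match sender {domain}")
    return findings
```

Run `triage()` over the From: header and HTML body of a message pulled from quarantine; an empty list means none of the three signs fired, not that the message is safe.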
Final words from SupPortal
With the number of phishing attempts increasing almost daily, being aware of what to look out for is vital.
The first line of defence is your team. Ensuring they know how to identify a phishing attack could protect your organisation from a cyber breach.
If you’re interested in finding out more, contact us today.