Don’t let phishing catch you out

John Baldock

Phishing attacks

Phishing is a malicious social engineering technique which leverages email and appears to come from a trusted source so as to acquire sensitive information such as usernames, passwords, and credit card details. Phishing attacks may also be designed to fool email recipients into downloading malware onto their computers.

Phishing attacks have been steadily increasing and are a major threat to companies and individuals. Whilst some phishing attempts are quite obvious and easy to detect, there are many others that are incredibly well formulated and very sophisticated.

The professional standards used by some scammers have meant that the importance of educating users and testing for vulnerabilities has grown significantly. A recent study conducted by Intel Security showed that 97% of people were unable to identify the most sophisticated phishing emails [1]. This illustrates that even highly skilled people may fall victim to phishing scams.

In 2014, phishing attacks cost businesses globally around £3 billion. See https://www.emc.com/emc-plus/rsa-thought-leadership/online-fraud/index.htm.

Spear phishing attacks

Other forms of phishing attack, such as spear phishing, have risen dramatically. See the report at https://securityresponse.symantec.com/content/en/us/enterprise/other_resources/b-istr_gov_report_v19_21284431.en-us.pdf.

Spear phishing attacks typically target a specific organization, or even specific individuals within an organization, and seek unauthorised access to confidential data. Spear phishing attempts are not random attacks; they are typically motivated by financial gain, trade secrets or military information. The apparent source of the e-mail is usually an individual within the recipient’s own company, and generally someone in a position of authority.

As phishing relies on exploiting people rather than systems, it is easy to overlook as an IT risk. Phishing is constantly evolving and becoming more advanced. There were more than 120,000 unique phishing attacks recorded in 2014 [2].

How can I protect my organisation from phishing attacks?

Despite the obvious risk, it is clear from these recent statistics that many organizations are not doing enough to protect themselves. So how can you avoid becoming another unfortunate statistic in IT security? How do you ensure your employees are vigilant and alert to attacks such as these?

[1] https://securityaffairs.co/wordpress/36922/cyber-crime/study-phishing-emails-response.html

[2] https://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf

Guidelines to avoid getting hooked by a phishing attack

  • Be cautious of all emails or messages that are unsolicited
  • Never click on links or attachments in unsolicited emails
  • Be suspicious of emails that are vague, are not addressed to the recipient by name, or contain little other specific or accurate information to build trust besides claiming to be from a known organization
  • Be wary of emails or messages from an organization with which the recipient has had no prior communication
  • Look out for poor spelling, grammar, typos or use of odd phrases, even if the message purports to be an official company communication
  • Be cautious of emails containing information or offers that are “too good to be true” or that make unrealistic threats such as “your account will be terminated”, often with a sense of urgency
  • Check that email addresses and website links/URLs exactly match those used officially by an organization
  • Be wary of email communications that contain incorrect or poor copies of an organization’s logos and branding
  • Watch out for links that display as a valid location but in reality direct the user elsewhere. You can often see the real destination by hovering over the link first
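The last two guidelines can be checked mechanically before a message ever reaches a reader. The following Python script is an added example, not code from the original article: it parses the links in an HTML email body and flags any anchor whose visible text looks like a URL on one host while its href points at another, as well as any link whose host is not under the organization's own domain. The sample message and the domain examplebank.com are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible text claims one host, the href points elsewhere.
SAMPLE_HTML = """<p>Your account will be terminated. Log in at
<a href="http://secure-login.example.net/verify">https://www.examplebank.com/login</a>
or visit <a href="https://www.examplebank.com/help">our help page</a>.</p>"""
TRUSTED_DOMAIN = "examplebank.com"  # assumed organization domain (placeholder)

class LinkCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercase hostname; anchor text such as 'www.x.com/login' gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def belongs_to(host, domain):
    # Exact match or a subdomain; 'examplebank.com.evil.test' must NOT pass.
    return host == domain or host.endswith("." + domain)

def find_suspicious_links(html, trusted_domain):
    """Return a list of (href, reason) for links a reader should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Visible text that is itself a URL must resolve to the same host as the href.
        if "." in text and " " not in text and host_of(text) != target:
            findings.append((href, "display text %r points at a different host" % text))
        elif not belongs_to(target, trusted_domain):
            findings.append((href, "host %s is not under %s" % (target, trusted_domain)))
    return findings
```

Run against the sample, the first link is reported because its visible text names www.examplebank.com while the href leads to secure-login.example.net; the help-page link passes.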

Unfortunately, these guidelines only provide partial protection. A multi-faceted solution is required to combat the multi-pronged nature of phishing attacks.

Employees and users must be educated about the threat, and about the techniques that are being used to launch attacks.

Software systems such as anti-virus and anti-spam tools must be used – in the cloud, on premises, or both – to ensure that the number of spam or phishing emails getting through to users is kept to a minimum, and that known harmful websites are blocked. See our email & web security page to find out more.

And finally, because anti-virus and anti-spam tools are not enough on their own, regular tests should be carried out to assess both your systems and your users, to ensure they are not falling victim to new attack methods.

Please see our phishing simulation page to find out more.