Phishing is one of the most common types of cyber crime, and one that everybody needs to be aware of. Unlike most attacks, which target technological vulnerabilities, phishing exploits human weaknesses. Crooks send emails (and occasionally texts or social media messages), attempting to trick people into downloading malware or handing over sensitive information.
Hundreds of millions of phishing emails are sent every year, and you’ve almost certainly been targeted. Some are little more than basic spam emails, whereas others are sophisticated and highly persuasive – but they can all easily fool someone in the right circumstances. This blog explains everything you need to know to stay secure.
How does phishing work?
Phishing attacks masquerade as urgent correspondence from legitimate organisations. A common example involves a message supposedly from a delivery company stating that the recipient needs to provide personal details in order to receive a package. The message includes a link that goes to a copy of the legitimate organisation’s site, and when the victim logs in and enters their details, they are unwittingly handing their information to the crooks.
Alternatively, the message might instruct the victim to download an attachment (for, say, a shipping invoice), which contains malware.
Avoiding phishing scams
In theory, spotting phishing attacks is straightforward. No matter who the scammers are pretending to be, the same tactics apply. All you need to do is remember the things to look out for. Here are a few things you should ask yourself about any seemingly urgent email:
- Is it written in a way that’s unnatural for a native speaker? Most phishing emails are in English, but many scammers aren’t native English speakers. As a result, scam emails are often poorly phrased and use incorrect grammar. By contrast, an organisation will almost certainly get a native speaker to write its communications.
- Is it addressed to a generic individual, such as ‘loyal customer’? This is usually a giveaway that the message has been sent in bulk.
- Is the email address legitimate? Crooks have many ways of mimicking legitimate organisations’ email addresses, but they can be broken down into two categories. The first can be summarised as addition or subtraction: if the address being mimicked is, say, UKSales@CompanyX.com, crooks might register UKSales.CompanyX@gmail.com or Sales@CompanyXUK.com. The second method involves character adjustments: a capital ‘O’ might be used in place of a zero or a lower-case ‘l’ in place of a one. Sophisticated attacks might use Cyrillic or other non-Latin characters that look like the ones they’re trying to duplicate.
- Is the hyperlink destination suspicious? Hover your mouse over the link to see the destination address. If it doesn’t go to the organisation’s website, it’s almost certainly a scam. Crooks often hide the link’s real address behind bit.ly or another URL-shortening service, something a legitimate organisation would very rarely do in its own communications.
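The two address-based checks in the list above (a sender address that imitates a trusted domain through additions, subtractions or look-alike characters, and a link whose real destination is hidden or differs from what is shown) can be turned into simple triage logic. The script below is an added example and is not code from the original post: the trusted-domain list, the URL-shortener list, the confusable-character table and the sample parcel-scam email are all constructed here for illustration, and the “registrable domain” helper is a deliberately naive last-two-labels approximation.

```python
"""Heuristic red-flag checks for a suspicious email's From address and links.
Added example, not from the original post; all lists and samples are constructed."""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation genuinely sends from (constructed sample).
TRUSTED_DOMAINS = {"companyx.com"}
# Public URL shorteners; a genuine notification would not normally route through one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}
# Characters swapped for look-alikes: the zero/O and one/l swaps from the text,
# plus a few Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def decode_idna(host):
    """Turn a punycode host (xn--...) back into the Unicode it displays as."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host):
    """Fold confusable characters to their Latin look-alike, so 'c0mpanyx.com'
    and a Cyrillic-o 'cоmpanyx.com' both collapse to 'companyx.com'."""
    folded = unicodedata.normalize("NFKC", decode_idna(host)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def registrable(host):
    """Naive registrable domain: the last two labels (sufficient for this example)."""
    return ".".join(host.lower().split(".")[-2:])


def check_sender(address):
    """Reasons a From address looks like an imitation; empty list if it is trusted."""
    local, _, host = address.rpartition("@")
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return []
    findings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]                 # "companyx"
        if skeleton(reg) == trusted:
            findings.append(f"look-alike characters: {host} imitates {trusted}")
        elif brand in skeleton(host) or brand in skeleton(local):
            # "Addition or subtraction": brand name moved into a free-mail local
            # part (UKSales.CompanyX@gmail.com) or an unrelated domain (companyxuk.com).
            findings.append(f"brand name used outside {trusted}: {address}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag links that do not resolve to a trusted domain, with the reason."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reg = registrable(host)
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())   # domain in link text
        if reg in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        elif reg in TRUSTED_DOMAINS:
            continue
        elif any(skeleton(reg) == t for t in TRUSTED_DOMAINS):
            findings.append(f"look-alike domain in link: {host}")
        elif shown and registrable(shown.group(0)) in TRUSTED_DOMAINS:
            findings.append(f"text shows {shown.group(0)} but link goes to {host}")
        else:
            findings.append(f"link leaves trusted domains: {href}")
    return findings


def triage(from_address, html):
    """All red flags for one message: sender findings first, then link findings."""
    return check_sender(from_address) + check_links(html)


# Constructed sample message in the style of the parcel scam described above.
SAMPLE_FROM = "UKSales.CompanyX@gmail.com"
SAMPLE_HTML = """
<p>Dear loyal customer, your parcel could not be delivered.</p>
<p><a href="https://bit.ly/example">Confirm your details</a></p>
<p>Or visit <a href="https://c0mpanyx.com/track">www.companyx.com/track</a></p>
<p><a href="https://companyx.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_HTML):
        print("FLAG:", finding)
```

Run as-is it flags the free-mail sender, the shortened link and the zero-for-O domain, while the genuine companyx.com link passes. The skeleton fold is the interesting part: it is what lets one comparison catch both the ASCII swaps and the Cyrillic homoglyphs the text mentions, and decoding punycode first means an internationalised domain is judged by what it displays as, not by its xn-- form.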
Staff awareness training
You can get more tips on spotting and avoiding phishing scams by registering for our Phishing Staff Awareness E-learning Course.
This interactive online course is an ideal resource for individuals or your entire organisation. In a brief presentation, we help you learn how to identify and understand phishing scams, explain what could happen should you fall victim and show you how you can mitigate the threat of an attack. The course can help to reduce the chances that an employee will hand over confidential information or inadvertently infect your systems.