What is Phishing?
One of the easiest ways for attackers to get into your systems is a phishing scam, so it is something you need to watch out for.
What is phishing?
Essentially, phishing is when attackers attempt to trick users into “doing the wrong thing”. This can take the form of encouraging them to click a “bad link” that downloads malware to their device, or by directing them to a dodgy website, or through trying to gain information for later scams or fraudulent attacks.
How does phishing occur?
Phishing can occur via a text message, social media or via a phone scam, but the term is most commonly used to refer to attacks that come via email.
These emails can reach millions of users directly and hide amongst the vast number of benign emails that are received by a busy user’s mailbox.
Attacks can install malware, including ransomware, sabotage systems, or steal intellectual property and money. Phishing emails can hit an organisation of any size and type.
You might get caught up in a mass campaign where the attacker is just looking to collect some new passwords or make some easy money, or it could be the first step in a targeted attack against your company, where the aim could be more specific, like the theft of sensitive data.
In a targeted campaign, the attacker may use information about your employees or company that makes their message more realistic and persuasive.
This is usually referred to as spear phishing.
How to spot a phishing email?
How can you tell you’ve received a phishing email? Phishing emails often share a set of specific tells. Here’s a list of the main ones, although there are more:
- Is the email claiming to be urgent? Very few people use email for genuinely urgent matters.
- Is the email asking for gift cards (Apple, Google Play, etc.)?
- Is the email claiming to be from a staff member of a company, yours or a client’s? If so, look for a signature and check whether it matches previous emails. Does it have the legal notices at the end, such as company registration details and a disclaimer about email being insecure?
- Are there spelling mistakes, grammatical mistakes, weird words you wouldn’t expect to see in a business email?
- Does the Sender Name provided by the email client match the name that’s used in the email?
- Is the Email Address correct for the person being named?
- Is the email unexpected?
Be aware though, that these are just some of the ways in which people try to disguise their malicious intent within a phishing email. If you’re at all unsure, take further action as detailed in the next section.
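One way to run a first automated pass over the tells listed above, as an added example that is not from the original article: the script below parses two constructed sample emails with Python's standard `email` module and reports which of those tells it finds (urgent language, a request for gift cards, a sender name that does not match the signature, an address that is not the one already known for that person, and a missing company registration footer). The contact directory, keyword lists and sample messages are assumptions made for illustration; real heuristics would be tuned to your own mail.

```python
"""Heuristic checks for the phishing tells in the list above, run over two
constructed sample emails. Added example, not part of the original article."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed directory of known senders (hypothetical): display name -> expected address.
KNOWN_CONTACTS = {
    "Jane Smith": "jane.smith@example.com",
}

# Keyword lists are illustrative assumptions, not a vetted ruleset.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "right away", "asap")
GIFT_CARD_TERMS = ("gift card", "google play", "itunes", "apple card")
SIGN_OFFS = ("thanks", "regards", "kind regards", "best regards", "cheers", "many thanks")
LEGAL_FOOTER = re.compile(r"registered in|company (no\.?|number)", re.I)


def body_text(msg: Message) -> str:
    """Return the plain-text body, joining text/plain parts of a multipart message."""
    if msg.is_multipart():
        chunks = [p.get_payload(decode=True) for p in msg.walk()
                  if p.get_content_type() == "text/plain"]
        return "\n".join(c.decode("utf-8", "replace") for c in chunks if c)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def signature_name(body: str) -> str:
    """Name on the first non-empty line after a sign-off such as 'Regards,'; '' if none."""
    lines = [ln.strip() for ln in body.splitlines()]
    for i, line in enumerate(lines):
        if line.rstrip(",").lower() in SIGN_OFFS:
            for nxt in lines[i + 1:]:
                if nxt:
                    return nxt
    return ""


def phishing_tells(raw: str) -> list[str]:
    """Return the tells found in one raw RFC 5322 message (empty list = none found)."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    body = body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    tells = []

    if any(term in text for term in URGENCY_TERMS):
        tells.append("urgent language")
    if any(term in text for term in GIFT_CARD_TERMS):
        tells.append("asks for gift cards")

    # Does the sender name shown by the mail client match the name used in the signature?
    signed = signature_name(body)
    if display_name and signed:
        if not set(signed.lower().split()) & set(display_name.lower().split()):
            tells.append(f"sender name '{display_name}' does not match signature '{signed}'")

    # Is the address the one we already know for the person being named?
    expected = KNOWN_CONTACTS.get(display_name)
    if expected and expected.lower() != address.lower():
        tells.append(f"address {address} is not the known address for {display_name}")

    # Business email from a company usually carries registration details at the end.
    if not LEGAL_FOOTER.search(body):
        tells.append("no company registration footer")
    return tells


# Constructed sample messages (not real emails).
SAMPLE_PHISH = """\
From: Jane Smith <jane.smith@mail-example.net>
To: you@example.com
Subject: URGENT: action required within 24 hours

Hi,

I need you to buy three Google Play gift cards for a client today and send me
the codes. Do not call, I am in a meeting.

Thanks,
IT Support
"""

SAMPLE_GENUINE = """\
From: Jane Smith <jane.smith@example.com>
To: you@example.com
Subject: Minutes from Tuesday's meeting

Hi,

Attached are the minutes from Tuesday. Let me know if I missed anything.

Regards,
Jane Smith
Example Ltd, registered in England, company no. 00000000
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        found = phishing_tells(raw)
        print(f"{label}: {found or 'no obvious tells (which is not proof it is genuine)'}")
```

An empty result only means none of these particular tells fired; as the article says, there are more ways to disguise a phishing email, so a message that passes every check still deserves the "contact the sender directly" step in the next section when it is unexpected.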
What to do when you are not sure
Whatever you do, do not reply to the email or click any links it contains. If you are unsure if an email is genuine or not, contact the person it’s purportedly from directly.
If it’s an internal email, use internal communication tools such as a direct phone call or platforms like Discord or Slack, or, if you share an office, go and ask the person in person whether they sent the email.
If the email claims that a failure to respond or act correctly could result in disciplinary action, check whether your HR department is included in the email. If not, speak directly to them and ask if they are aware of what is happening. Do not forward the email to them.
What to do when you have a phishing email?
If you think you’ve received a phishing email and haven’t acted on it, you can simply delete it. If you discovered it was phishing only after you had responded or acted on the instructions it contained, immediately inform your Data Protection Officer.
They will help you take steps to secure your accounts and safeguard you from further attacks. This will most likely include resetting all your passwords, changing any associated phone numbers, etc., and they will give you guidance on preventing the situation from occurring again.
Want more information?
If you’d like more information, there are a number of Government Agencies, companies and universities who provide resources for free on the internet.
Our recommended reading would be the information provided by the UK Government’s National Cyber Security Centre (NCSC) listed below.
You can also sign up with IT Governance, which provides free resources and training. Phishing Resources | IT Governance UK