The National Cyber Security Centre defines ‘phishing’ as ‘a type of social engineering where attackers influence users to do ‘the wrong thing’. This could include disclosing information or clicking a bad link.’ Phishing is usually conducted through text messages, social media, phone or emails.
Key types of phishing attacks
Phishing hackers will deploy a range of techniques which broadly fall into the following categories:
Bulk phishing campaign
A criminal group will have purchased large lists of previously stolen or data acquired from marketing companies to use in an attack. Typical examples of these are PayPal fraud, iTunes, supermarket offers, travel offers, HMRC refunds etc.
These campaigns are often undertaken after a degree of research by the criminal group where they have identified a specific organisation, or people within an organisation to launch an attack against.
CEO Fraud (Whaling)
Whaling campaigns are targeted against individuals within a company who have the financial authorities to make payments or transfer money. They are referred to as CEO fraud because the emails appear to come from senior members of the management team demanding urgent payments. They can be very convincing, and rely on an individual’s lack of willingness to challenge senior members of staff within an organisation. Criminals use sophisticated cloned emails and company branding to trick you into delivering the desired action.
Note – Not all phishing emails are looking to gather sensitive information as their primary objective. Attachments or embedded links within emails are also used to deploy malicious software or ransomware.
What to look out for
#1 Mismatched domains
A domain basically what describes the owner of a website or email. For example, if you receive an email from your bank, make sure that the email domain is the official customer service email address. You can find out by ringing customer service directly or seeking guidance on their official website.
#2 Poor spelling and grammar
Spelling is often another give away. Professional organisations put a lot of effort into quality and use the right language for the target audience but pay attention to the content detail.
#3 Authentic visuals
Most modern websites will have their branding next to the company name on a website tab in a browser. This is called a ‘favicon’. Phishing attacks will often have poorly constructed websites or landing pages which will not have addressed this properly. For example, if you search for The Times website, you will see they have a relevant ‘favicon’ on the tab (see image below).
A ‘URL’ is the web address for a page located on a computer network. In the example above, you can see that the beginning of The Times website URL begins with ‘https://’. This, along with the padlock symbol, is an indication that this is a secure and safe website. It’s worth checking this when browsing the internet. A website which does not use secure certification is not secure, and you should not enter any sensitive information.
TIP – If you use Google Chrome browser, it will also state that the site is secure where most other browsers do not yet have that function.
TIP – Never click on an embedded link in an email you are uncertain about.
TIP – Never reply to an email you believe to be a phishing attempt.
Other types of Phishing attacks
Many applications now allow you to embed links in messages which can be used to deliver malware onto a device. Or, direct you to a fake website where an attempt to gather personal data or download malware will take place.
Cybercriminals often leave voice recordings purportedly coming from a company that the victim knows, asking them to call them back. When the victim calls back, they get an automated voice message asking them to input certain details (for security reasons) to validate the account. This technique is often used by many genuine companies to screen inbound calls and get them to the right department.
Increasingly, criminals are starting to use traditional techniques. One example includes sending convincing letters asking you to fill in and return forms that will contain sensitive personal information (e.g. pension scams).
TIP – Never click on a link embedded in a message unless you have validated it comes from a legitimate source.
TIP – If you receive an unexpected voicemail from a company who ask you to call them back, look up the customer service number online and call them via that number instead.
You may receive phishing emails to your personal inbox, but this type of cyber-attack is a growing concern in the workplace. IRM works with many organisations to help combat phishing attacks. As well as running mock phishing attacks to help you understand your vulnerabilities, IRM also supports clients with staff awareness and training. If you would like to learn more about how we can support you with potential phishing attacks and other cyber vulnerabilities, please get in touch.