Cybercriminals are using increasingly sophisticated methods to steal data and commit fraud. Still, it is often the simplest scams that turn out to be particularly lucrative. Phishing is one of the most common types of scam, and a successful phishing attack against your company can lead to a data breach with all its consequences.
Worryingly, even though companies invest significant sums in training and awareness programs for their teams, nearly a third of all users open phishing messages. We do not know how many of those lead to someone clicking a link or sharing sensitive information, but it is likely to be a significant proportion of the recipients.
What is phishing?
Phishing is a type of scam that is most commonly categorized as cybercrime, as it usually occurs via email, SMS, or social media. However, phishing can also be done over the phone, either by a live caller or through automated robocall systems.
In phishing, criminals pretend to be legitimate companies or individuals to trick users into revealing sensitive data. Often the criminals are after your bank or credit card details or information such as passwords. Note that phishing scams do not necessarily require you to reveal anything for the scam to work: just opening a fraudulent e-mail or text message can be enough to download malware, which then harvests the passwords saved in your web browser.
Once the scammers have the data they want, they use it for financial gain. They may resell the information to other criminals or use it themselves to make purchases or transfer money from your bank account.
The six most common methods of phishing
To better protect your business from attack, you and your colleagues need to be aware of the following popular phishing techniques that cybercriminals use.
1. Email phishing
Most phishing scams are carried out via email. We will look at how to spot these scams later in the text. Certain types of targeted phishing, such as the next two techniques, are also worth knowing about.
2. Spear phishing
Spear phishing is a targeted scam that often comes in two parts. After the scammers gather information about you, they send malicious communications. Sometimes this is a direct threat that highlights the things the scammers already know about you.
Spear phishing scams aim to trick you into sharing additional information with the cybercriminals.
3. Whaling
Whaling is a special type of phishing that targets senior executives. It is often subtle, and it is done by criminals posing as other people in senior positions, such as accountants or lawyers, or even colleagues.
4. Smishing
This is a special name for phishing scams carried out via SMS messages.
5. Vishing
Vishing, or voice phishing, is the name given to phishing scams carried out over the phone.
6. Angler phishing
Angler phishing is a scam that typically uses the direct messaging features of social media platforms to spread malware. Social media users might be sent fake URLs or be told they were mentioned in a status update; when they click on it, the link downloads malware onto their device.
Have you ever received a weird "$50 off at Wal-Mart" message from a friend? If so, your friend has likely fallen for a phishing scam that allowed the criminals to send it to all of their friends and connections.
How to spot an email phishing scam
Have you ever received an email claiming to be from the Tax Office, PayPal, or Netflix that was clearly not from those sources?
This is a phishing scam, popularly known as a "fake mail".
Business email phishing scams often come from a variety of sources. Most people do not use their work email address on Netflix, so such a fraud would be fairly obvious and easy to spot.
While the "best" phishing scams look legitimate, which is why they are often so successful, there are many common traits by which you can identify them. Here is what to look for:
1. What time was the email sent?
Did you receive an email supposedly sent by a colleague in the same time zone at 1am? While many of us appreciate the flexibility of working from home, if you typically do not get emails from this person at such a time, it may be phishing. Solutions like UEBA (user and entity behavior analytics) help companies detect this type of unusual behavior automatically.
2. What is in the subject line?
Phishing scammers often use subject lines that look like replies to trick you into opening the email. Look for subject lines like "RE: your last message". If you receive an email with a subject line like this and you did not originally send an email to the person or organization sending it, you should delete the email. Chances are it is a phishing scam that tries to install malware on your system as soon as you open the email.
Another common trick is clickbait-style subject lines where the content of the email has nothing to do with the subject. Use the preview functions of your e-mail program so that you can identify and delete such e-mails as soon as they land in your inbox.
3. Pay attention to these content warning signs
Phishing emails often use some or all of the following tactics:
- An offer of something you did not expect but could plausibly receive, such as a refund for a specific product or service.
- An offer too good to be true, such as emails in which someone's uncle died and left $30 million to share with you.
- A call to action on a dubious link.
- Information about you, intended to make you feel insecure and so push you into doing something. Phishing scams often obtain frequently used passwords; a second notification then follows, making it clear that the fraudsters know your passwords and demanding cash.
4. Are there any attachments?
From a business perspective, attachments are often the biggest red flag, especially when companies work exclusively in the cloud.
If your company has a policy of sharing files via OneDrive or Dropbox but a "colleague" sends files as email attachments, it is likely phishing.
If you typically do send attachments, watch out for unusual file types or for receiving files that you did not request.
5. Where do the hyperlinks lead?
Some phishing scams are obvious because they present long text hyperlinks for you to click.
For more sophisticated scams where a link is masked with a call-to-action button, you can hover over the button to see where the link will take you.
Watch out for:
- Links that take you somewhere other than where the email says.
- Links that contain typos, often in an attempt to appear legitimate.
- Emails that contain links and no other content or information.
Often, when you click a link, you are taken to a website that looks like a poorly designed version of the real website. It is easy to set up a website that looks like PayPal, but there are often errors that suggest it is not a legitimate website.
6. Who else was the email sent to?
Phishing emails are often sent to thousands of people at once. Usually, you can see the recipients in the CC field.
Look out for emails that have you CCed on something you did not ask for or sign up for, and where you can see everyone else's email addresses.
7. Where did the email come from?
The source of the email is often a clear indication that it is a phishing scam.
Watch out for emails that:
- come from an unusual email address, from someone you do not know, or from someone you would not normally communicate with.
- come from outside your company and have nothing to do with your professional activity.
- seem to come from an internal email address but look unusual or atypical.
- come from suspicious-looking email addresses.
Pay attention to the actual sender address in the "From" field, not just the sender name your e-mail program displays. Some programs even allow scammers to pass off legitimate email addresses as their own, so you need to be doubly vigilant.
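The sender, subject and link checks from sections 2, 5 and 7 can be applied mechanically to a raw message. The following is an added example written for this article, not code from the original text; the sample message is constructed, and the checks are heuristics that flag indicators for a human to review, not a verdict.

```python
# Added example, not from the article; the sample message below is constructed.
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: the display name shows a paypal.com address while the real
# address is elsewhere, the subject fakes a reply, and the link text lies about its host.
SAMPLE = b"""From: "service@paypal.com" <support@paypa1-secure.example>
Subject: RE: your last message
Content-Type: text/html

<p>Your account is on hold. Confirm at
<a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a></p>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN = re.compile(r"@?([\w-]+(?:\.[\w-]+)+)")  # a dotted domain inside a display name

def host_of(url):
    """Lower-cased host part of a URL, or '' if there is none."""
    return (urlparse(url.strip()).hostname or "").lower()

def check_message(raw):
    """Return the list of indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Section 2: a reply-style subject although nothing was replied to.
    subject = msg.get("Subject", "")
    if re.match(r"\s*(re|aw|fwd?)\s*:", subject, re.I) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append("reply-style subject without In-Reply-To/References")

    # Section 7: the displayed sender name claims a domain the real address lacks.
    sender = msg["From"]
    if sender is not None and sender.addresses:
        addr = sender.addresses[0]
        claimed = DOMAIN.search(addr.display_name or "")
        if claimed and claimed.group(1).lower() != addr.domain.lower():
            findings.append(f"display name claims {claimed.group(1)}, address is @{addr.domain}")

    # Section 5: visible link text that names a different host than the href target.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR.findall(html):
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        if shown and shown != host_of(href):
            findings.append(f"link text shows {shown} but points to {host_of(href)}")
    return findings
```

Running `check_message(SAMPLE)` reports all three indicators; a genuine reply from a colleague with an In-Reply-To header, a plain name and no disguised links produces an empty list.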
How to spot SMS and phone phishing
SMS phishing in a business context is easy to spot. How often does your CEO send text messages asking for specific information?
You should also keep an eye out for messages:
- that come from unusually long phone numbers.
- that claim you are entitled to some kind of refund.
- that ask you to reactivate or validate a product or membership.
Phone phishing typically involves a call from someone pretending to be from a specific organization and asking you to confirm information such as banking details or passwords to "keep it safe". Legitimate callers will never ask you for this information over the phone, so you should hang up. Criminals often use robocallers and spoofed caller ID data to make a call appear legitimate. If criminals know your location, they will often call from a "local" number too, to increase the likelihood that you will answer the call.
Why do phishing scams increase in times of uncertainty?
There was a significant increase in phishing scams in 2020 due to the COVID-19 pandemic.
Times of uncertainty and crisis are the perfect time for cybercriminals to take advantage of people's fears. When people have lost their jobs and need money, the likelihood that they will click on a link promising a tax refund increases massively.
Companies, particularly in the financial sector, and government organizations typically experience more phishing attempts during such times. An increase in the number of loan applications, for example, puts more pressure on lenders, who in some cases are not as careful as usual. The increased pressure makes them vulnerable to both phishing and other types of cybercrime.
How to prevent phishing attacks and avoid falling victim to scams
Whether you are reading this guide in a personal or business context, the ways you can prevent phishing attacks and avoid falling victim to such scams are similar.
In addition to being aware of what these scams look like, as detailed above, make sure that you have taken the following precautions:
- Email spam filters that prevent most phishing emails from reaching your inbox. However, cybercriminals are becoming ever more adept at bypassing filters, so you need to stay vigilant.
- An up-to-date free antivirus for your devices or your network. In a business context, you should insist that employees who work while on the move or use work functions on their mobile devices have adequate protection on those devices as well.
- Use tools like Should I Answer? and similar apps to identify potentially fraudulent incoming calls and SMS messages.
- If possible, set up multi-factor authentication for all accounts. Even if fraudsters get hold of the credentials, it will be difficult for them to use them.
- Limit access to sensitive data to as few people in your company as possible. The fewer people fraudsters can target, the less likely it is that someone in your company will fall victim.
- Take backups of your data and make sure you store them separately from your main home or office network.
Organizations should also ensure they have specific risk mitigation policies in place, such as using software to monitor all emails received from outside the company, e.g. from freelancers or contractors, and a policy of not sending attachments.