09 Sep Online Security Fundamentals – Phishing
Phishing scams…what are they?
Phishing scams come in a variety of forms but typically they involve the use of a false identity to extract sensitive information from a victim. Phishing scammers use various methods to perform such scams, but the fraudulent practice is most strongly associated with email.
Most of the time the scammer’s main aim is to gain compromising information – bank details, account credentials etc – with a view to stealing money directly. Sometimes, however, a Phishing scam will be a front for a malware attack, with ransomware commonly found contained within Phishing emails.
Common to all Phishing attacks is an act of deception. The scammers will try their best to impersonate individuals and entities you’re likely to trust in the hope that you’ll comply with their demands.
Methods used by the Phishing scammer
While there are technical solutions which aim to block Phishing attempts, it’s important that you and your staff know what to look out for if a scammer slips through the net. Let’s look at some of the inventive techniques used by these unscrupulous fraudsters.
- Deceptive Phishing. This common form of Phishing scam involves the scammer imitating a well-known and trusted organisation. Often the message will convey a sense of urgency in an attempt to panic the victim into disclosing sensitive information (usually account logins). The email may contain a message along the lines of:
“Unexpected activity noticed on your account, please log in to verify”
“Your account password is due to expire in 24hrs, follow the link below to create a new password”
Messages such as these will often be accompanied by a redirect to a login portal designed to harvest account details.
- Spear Phishing. A more targeted technique whereby the scammer performs a degree of background research on the victim in order to pose as an individual or entity known to them personally. Fraudsters can often glean a surprisingly extensive amount of information from social media profiles in order to imitate a trusted person quite convincingly. Scams of this nature have a higher chance of success as victims often think it’s unlikely that they will be targeted on an individual basis.
- CEO Fraud. This method involves the scammer imitating a company CEO or other similarly high-status individual within an organisation. Armed with publicly sourced information about the person they’re impersonating, they then get in touch with company employees and ask them to perform tasks and transactions that would normally be unauthorised. The scammers will come up with inventive cover stories for their requests in the hope that the employee complies – they may feel reluctant to disobey who they think is their boss.
- Clone Phishing. This technique involves creating a near carbon copy of a previously sent email from a legitimate sender. This time, however, any links contained within the email will point to a malicious site.
- Pharming. This involves directing users towards fake websites set up to steal login credentials and other forms of sensitive information. Hackers may use viruses to direct individual users towards the rogue site – this method involves infecting the user’s computer beforehand. Alternatively, DNS cache poisoning may be used to redirect all traffic away from a legitimate site and to a fraudulent one.
7 ways to avoid Phishing attacks
With their manipulative techniques and clever tricks, anyone can fall foul of Phishing scammers. Proceed with care, examine links closely and if in doubt walk away.
- Pay close attention to URLs. If you find yourself redirected to a site from an email take a moment to look at the URL to compare it to what you’d expect. Look out for slight misspellings, extra words, or unnecessary hyphens in the domain name. Also, look to see if the ‘top-level domain’ is as you expect. For example, if you expect ‘.com’ but you see ‘.fr’ then something isn’t quite right. If in doubt, just close your window and make your own way to the legitimate site.
- Know how your bank operates. Do some research into how your bank will contact you in the event of an emergency. Most financial institutions will let you know exactly how they’ll get in touch so that you can distinguish between legitimate communications and the fraudsters.
- Don’t reveal too much on social media. A massive, publicly available social media presence is a goldmine to fraudsters. Apply privacy settings and keep things like your friends list, phone numbers and your date of birth viewable only to people you know and trust.
- Don’t hit ‘reply’. If you receive an odd request from someone you appear to know, send them an email using an address you already hold for them instead of replying to the email you’ve been sent.
- Use multi-factor authentication. Use additional access criteria to beef up the security of your accounts. By activating MFA (multi-factor authentication) where available, scammers will find it harder to gain entry to your accounts even if they do get hold of your username and password.
- Use anti-Phishing software. This is a useful technical measure for preventing Phishing attacks: the software blocks access to sites and emails suspected of containing Phishing-related content. It can often be implemented at browser level or within an email client, and many popular anti-virus suites incorporate anti-Phishing tools.
- Be wary of emails that don’t address you by your name. If your bank addresses you with ‘Dear Customer’ be very suspicious.
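The three checks above that a reader can do by eye – comparing a link’s domain and top-level domain with what you expect, spotting the urgency wording quoted earlier in the post, and noticing a generic ‘Dear Customer’ greeting – can also be written down as simple heuristics. The script below is an added example written for this article, not code from the original post or from Netcom; the sample email, the expected domain `examplebank.com`, the phrase lists and the function names are all constructed assumptions, and the crude domain extraction does not handle two-label suffixes such as `.co.uk`.

```python
"""Heuristic checks for a suspect email: generic greeting, urgency wording,
sender domain, and links whose domain does not match the one we expect."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording taken from the post's own examples of urgency messages, plus common generic greetings.
URGENCY_PHRASES = ("unexpected activity", "verify", "expire in 24", "follow the link")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")

# Constructed sample message for this example (not a real email).
EXPECTED_DOMAIN = "examplebank.com"
SAMPLE_EMAIL = {
    "from": "security@examplebank-alerts.com",
    "body": (
        "<p>Dear Customer,</p>"
        "<p>Unexpected activity noticed on your account, please log in to verify: "
        '<a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a></p>'
    ),
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce 'www.example.com' to 'example.com' (assumption: the last two labels
    are the registrable domain; suffixes like .co.uk would need a public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, expected_domain):
    """Return the reasons a link's domain differs from the one we expect (empty if it matches)."""
    findings = []
    domain = registrable_domain(urlparse(url).hostname or "")
    if domain == expected_domain:
        return findings
    exp_name, exp_tld = expected_domain.rsplit(".", 1)
    name, tld = domain.rsplit(".", 1) if "." in domain else (domain, "")
    if tld != exp_tld:
        findings.append(f"top-level domain is .{tld}, expected .{exp_tld}")
    if name != exp_name and exp_name in name:
        findings.append(f"extra words or hyphens around the brand name: {domain}")
    elif 0 < edit_distance(name, exp_name) <= 2:
        findings.append(f"possible misspelling of {expected_domain}: {domain}")
    if not findings:
        findings.append(f"unrelated domain: {domain}")
    return findings


def check_email(email, expected_domain):
    """Run every heuristic over one message and return the list of findings."""
    findings = []
    body_text = re.sub(r"<[^>]+>", " ", email["body"]).lower()
    if any(g in body_text[:80] for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    findings += [f"urgency wording: '{p}'" for p in URGENCY_PHRASES if p in body_text]
    sender_domain = registrable_domain(email["from"].split("@")[-1])
    if sender_domain != expected_domain:
        findings.append(f"sender domain {sender_domain} is not {expected_domain}")
    parser = LinkExtractor()
    parser.feed(email["body"])
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if text.startswith("http") else None
        # Classic trick: the visible text shows the genuine address, the href goes elsewhere.
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        findings += [f"link '{text}' -> {href}: {r}" for r in check_url(href, expected_domain)]
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL, EXPECTED_DOMAIN):
        print("-", finding)
```

Run against the constructed sample it reports six findings: the generic greeting, two urgency phrases, a sender domain that is not the bank’s, link text that shows the genuine address while the href goes elsewhere, and a one-character misspelling (`examp1ebank.com`) of the expected domain. Heuristics like these are deliberately conservative and will miss plenty; they are a prompt to stop and check, not a replacement for the anti-Phishing tooling mentioned above.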
Online security training is a useful tool in the fight against Phishing scams and many similar acts of deception. Ensuring your staff understand the techniques used and how to respond to them will help prevent a member of your team becoming a Phishing scammer’s next victim.
Where do I begin?
The UK government is currently in the process of rolling out funding to help businesses make efficiency changes as part of its economic response to the Covid-19 pandemic.
These grants of up to £5000 could help you embrace technological change, in order to improve efficiency, resilience and ensure your business is able to sail through these turbulent times relatively unscathed. This funding could help you invest in productivity-boosting new tech, migrate systems to the cloud and ensure your team are adequately trained and supported in the use of any new technology.
At Netcom, we are well-versed in helping companies in various sectors navigate the often mystifying, jargon-filled worlds of IT. With over 15 years’ experience and covering virtually all aspects of business IT, we can help guide your business through this uncertain period and help you deploy cutting edge solutions that will not only help you weather the current storm but keep your business at the top of its game beyond the pandemic.
So for guidance on Government funding, IT strategy and digital transformation why not book a free, no-obligation discovery call today by calling 0114 361 0062.