Tech Insight: Phishing – why’s it such a big deal?

We’re all sick of junk email. It’s been plaguing us for years. Spurious offers of cheap Rolexes and Oakley sunglasses; offers of payment in return for handling a large amount of money. Easy to spot. Easy to filter out. Easy to ignore and delete. But in the last few years we’ve seen a huge rise in a different kind of junk mail. An altogether more dangerous kind. Phishing.

At first glance the message you receive might look legit. It might even appear to come from one of your colleagues, a customer or a supplier. And phishing attempts can now catch even the wariest of people out. AI is also making it harder to spot a phishing attempt.


So what is ‘Phishing’?

In broad terms it’s the means for cyber-criminals to get innocent people to hand over sensitive information or money. It’s robbery without criminals needing to leave their home or office.

It might involve sophisticated tech but, more often than not, the process can be very simple, or indeed not involve much tech at all.

Cyber-criminals have simply identified many easy ways to make tons of money by taking advantage of busy, distracted people (or perhaps the elderly or the vulnerable) or by leveraging human emotion. No longer do they need to get their hands dirty picking pockets or robbing banks.

Why do they do it?

  • They want your personal info (to use themselves or to sell on to other criminals)
  • They want access to your bank accounts (to set up fraudulent accounts in your name, e.g. loans and credit cards)
  • Ultimately they want to make money from your personal data, or to steal your money directly from your bank account

Types of Phishing

There are several types of phishing doing the rounds today –

  • ‘Spray & Pray’ (Broad & Automated)
  • Spear Phishing (Targeted)
  • Smishing (phishing via SMS)
  • Vishing (Voice phishing)

You can bet more will appear in time!

Let’s take a look at the 4 main types listed above and see how to avoid getting caught out.

1. ‘Spray & Pray’ phishing

This tends to be done via bulk email, in the hope that at least some recipients will fall for the ruse. The emails might contain a link to a website, an attachment or a request to send a payment or send personal information.

The email will convey urgency. It may offer money for a swift response. It may threaten a fine or legal action for not responding. If you fall for it once, criminals will see you as an easy touch, share your details with other criminals, and you will be targeted again and again.

If you click on a dodgy link while logged into your online banking they could hijack your banking session, lock you out of your account and empty it. If the link downloads malware to your device it could hijack the device for a botnet (to spread more malware), encrypt your data (leading to downtime and loss of revenue, and they’ll request a ransom to unencrypt it), or export all the contents of your mailbox and contacts list (valuable data) for them to sell on the dark web.

Red Flags (really look, don’t just glance!)

  • Sender Address – check it is exact, not merely similar to a known contact or genuine sender – look for slight misspellings, swapped or extra characters etc. in both parts of the email address (before and after the @)
  • Spelling and Grammar errors in the main body of the email (although AI is now making it easier for non-English speakers to craft more convincing emails!)
  • Attachments – Are you expecting one? Don’t open it unless you are absolutely certain of its authenticity. Phone the person and check it’s legit!
  • Unrealistic promises – if it sounds too good to be true then assume it is fake.
  • Invitation to click on a link or download something. You can check where links in emails really go by hovering your mouse pointer over them.
  • Account hack warning – requesting you confirm your account details via a link
  • Threat of legal action – requesting payment to avoid this
  • ‘Request for payment’ link – it will ask for card details, bank details etc.

If you see any of the above red flags assume it’s a phish. Remember the presence of a company logo, company address details etc is not proof of authenticity – anyone can copy a logo or get the address of a genuine company from the internet!
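Two of the red flags above (a sender address that only resembles a genuine contact, and a link whose visible text hides where it really goes) can be checked mechanically. The following Python script is an added example, not code from the original article; the sample email, the placeholder domains and the allow-list of known contact domains are all assumptions constructed for the demo.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demo (placeholder domains, not a real phish).
SAMPLE_EMAIL = """From: "Accounts Payable" <accounts@examp1e-supplier.com>
Subject: URGENT: invoice overdue
Content-Type: text/html

<p>Your payment is overdue. Review it here: <a href="http://login-verify.invalid/pay">https://portal.example-supplier.com/invoice</a></p>
"""
KNOWN_DOMAINS = {"example-supplier.com", "yourcompany.example"}  # assumed allow-list of genuine contact domains

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    # Hostname of a URL or bare domain, lower-cased ('' if none).
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def lookalike_domain(domain, known=KNOWN_DOMAINS):
    """True if domain is not on the allow-list but closely resembles an entry (e.g. '1' for 'l')."""
    return domain not in known and any(
        difflib.SequenceMatcher(None, domain, k).ratio() >= 0.85 for k in known)

def red_flags(raw):
    """Return the red flags found: lookalike sender domain, link text vs real target."""
    msg = message_from_string(raw)
    flags = []
    sender_domain = parseaddr(msg["From"])[1].lower().rsplit("@", 1)[-1]
    if lookalike_domain(sender_domain):
        flags.append(f"sender domain resembles a known contact: {sender_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if "." in text and " " not in text and host(text) != host(href):  # the 'mouseover' check
            flags.append(f"link shows {text} but goes to {href}")
    return flags
```

Run `red_flags(SAMPLE_EMAIL)` to see both flags raised for the sample; a genuine message from an allow-listed domain with honest links returns an empty list.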

2. Spear Phishing

These are less easy to spot because they’re targeted to individuals as a result of careful research or leaked personal data (email address & password). A spear phish may appear to come from someone you know or in your organisation (because their account has already been hijacked).

A common example is an email appearing to come from a senior employee asking for an urgent payment to be made in relation to an attached invoice (the invoice may appear genuine at first glance, but the bank details provided won’t be for the supplier’s usual account).

Another common example is an email from a senior employee asking for confidential information urgently, perhaps for a business meeting that day.

Never assume the sender is who they claim to be. Verbally confirm with the real person before acting.

Red Flags are the same as for ‘Spray & Pray’ phishing.

3. Smishing

It’s just like phishing – directing you to click on a link, download a file, contact them to confirm account info, unlock an account, reschedule a delivery, pay a fine etc., but it comes to you via text message, iMessage, Messenger or WhatsApp rather than email.

If you’re not sure it’s genuine, phone the company it appears to come from using the number on the company’s real website (don’t click on any links in the message!), or off the back of your credit/debit card, or your bank statement.

Red Flags (are generally the same as for phishing)

  • Carefully check the sender’s phone number (if it’s a mobile phone number it may not be genuine, although some are) or email address (a lot come through random addresses now)

  • Spelling, grammar
  • Sense of urgency
  • Requesting account info
  • Never assume these messages are genuine.

If you are expecting a delivery or appointment update/reminder be particularly on your guard!

4. Vishing

Voice Phishing utilises social engineering techniques. The intent is exactly the same as for phishing, spear phishing and smishing though. They want your data, your account login credentials or your money.

A common example is a caller who says they are your IT support provider or work in your IT Support department. They may ask you to go to a website to download an update, but it’ll be malware designed to track your keystrokes, collect data from your device, or take control of your device.

The caller may even openly ask for your login details (user ID and password). Genuine IT Support providers won’t ask you for this information. They may ask for credit card details or bank account information in order to provide you with support. Again, genuine IT Support providers won’t do this.

Cyber-criminals may simply ask you a load of questions to gather information to help them guess your passwords.

They may already have some of your data and just need to get one or more details from you directly to enable them to rip you off royally. They can use vishing to record your voice, for example they may ask a pretty innocuous question such as ‘Can you hear me OK?’ to get you to say ‘Yes’. They can potentially use a recording of your voice to get past security or approve actions on a telephone banking or loan application system.

These calls may start off with the caller sounding friendly and helpful, but they may turn nasty if you don’t comply with their requests.

Think critically. You need to confirm callers are genuine, before doing anything they ask you to do, so tell them it’s not convenient right now and end the call.

If they said they’re from IT support, call your IT support provider or IT department immediately, using the number you normally call them on (not the one you’ve just been called by) and ask them if the call was genuine.

If it was a genuine call, they will have a record of the previous call and will be happy to make an appointment to perform whatever work is required. If it wasn’t them, then you know you’ve avoided a vishing attempt.

You can dial 159 to call your bank directly if you suspect a caller alleging they’re from your bank is not genuine.

How can I avoid getting caught by a phishing attempt?

  • Learn to spot the red flags
  • Master the ‘mouseover’
  • Never assume anything is genuine
  • Think critically – always err on the side of caution even if there’s a chance it’s genuine
  • STOP – THINK – GET CONFIRMATION (ask a colleague to take a look)
  • Become a Human Firewall!

Take a look at our next article – Hurrah for the Human Firewall! to find out more about becoming one and help protect yourself and your organisation from cyber-criminals!

The National Cyber Security Centre also has more information on Phishing and how to protect yourself and your business. Take a look here

We provide training software to help your employees become effective Human Firewalls. Our consultants provide Business IT Security Reviews, so you can find out about any chinks in your armour before the cyber-criminals do!

Give us a call today to find out more!
