
Private property: no phishing

(Image credit: Gilles Lambert / Unsplash)

‘Phishing’ has been around for decades. The earliest widely cited cases date to the mid-1990s on America Online (AOL), where scammers used programs that generated random credit card numbers in the hope of hitting on numbers that matched real cards, and used those to register AOL accounts.


By the time AOL caught up with the scam in 1995, phishers had already moved on to newer techniques.

Phishing has been one of the fastest-evolving forms of cyber-crime. Over time, scammers have devised new variants, and attacks have become increasingly sophisticated.

Although the term ‘phishing’ mainly describes email attacks, the same tactics are now used over text message, phone and social media. A successful attack gives an attacker a foothold to sabotage systems, access and manipulate sensitive data, steal confidential information and install malicious software such as ransomware.

Banking, technology and healthcare are among the most heavily targeted sectors, primarily because of their large user bases and the volume of sensitive data they hold. But phishing can hit an organisation of any size and type, so it is essential to know what to look out for and how to reduce the risk.

Phishing from all angles

These days, phishing attacks are commonly grouped into five categories: smishing, vishing, spear phishing, whaling and search engine phishing.

Smishing is one of the simplest forms of phishing: it targets users through SMS messages. A victim might receive a fake alert asking them to view something via a link, or a bogus order confirmation with a ‘cancel’ link. Clicking the link takes them to a sham site designed to harvest personal details.

Vishing (‘voice’ plus ‘phishing’) is when phishers telephone victims pretending to be a friend, relative or company. Using details gathered from social media, attackers can speak to individuals confidently and extract the information they need without raising suspicion.

Traditional phishing often means sending the same email to thousands (even millions) of unknown recipients. Spear phishing goes a step further by carefully targeting a particular user. Phishers build a complete profile of the individual and the company they work for, so that the message appears legitimate. Such attacks are especially risky and hard to spot. A common form is payment diversion, where a message that appears to come from a legitimate bank or utility company notifies the would-be victim of a change in banking details.

Whaling is very similar to spear phishing. However, instead of targeting lower-level employees, these types of attacks go after senior management positions such as CEOs, CFOs and CISOs — who are often the key to information chains in an organisation.

Search engine phishing refers to creating a fake webpage optimised for specific keywords. Phishers wait for users to land on the fake site via a legitimate search engine, such as Google, and then harvest their data through it.

How to spot a scam

Phishing emails and text messages may look like they’re from a company you know or trust — such as a bank, credit card provider, social networking site or an online store. So, how do you know if they’re legitimate or not?

Some of the most common red flags to look out for include:

  • Mentions of suspicious activity or login attempts
  • Claims that there is a problem with your account or your payment information
  • Requests to change payment details
  • Requests to confirm personal information such as bank details, logins or passwords
  • Unexpected invoices
  • Requests to click a link to make a payment or view something
  • Claims that you are eligible for a refund
  • Offers of coupons or free products
  • Sender addresses made up of long strings of numbers and letters
  • Webpages, emails or text messages littered with spelling mistakes
  • Generic greetings that do not address you by name

However, as attacks become more sophisticated, it is becoming increasingly difficult to spot a phishing attempt.

A multi-layered approach

In the past, anti-phishing defences relied almost exclusively on users being able to identify phishing emails. But today’s scammers have eliminated the typical red flags: they mask their URLs more convincingly and address the user by name.

So, how can companies defend against these advanced attacks without hurting productivity? The answer is a multi-layered approach that combines user awareness with technical controls.

Here are some of the ways you can protect your organisation from phishing attacks:

  • Educate users on what to look out for, how to identify a phishing email and what to do if they suspect an email is malicious.
  • Use available tools, such as those provided by MetaCompliance, to reinforce and measure the effectiveness of that education.
  • Reduce the information available to attackers. Consider what visitors to your website or social profiles really need to know (and what could be useful to an attacker building a pretext).
  • Use anti-spoofing controls (SPF, DKIM and DMARC) to make it harder for attackers to send emails that appear to come from your domains.
  • Filter or block incoming phishing emails through a cloud-based email provider’s built-in service or a bespoke service for your own email server.
  • Use modern, up-to-date browsers, which block known phishing and malware sites.
  • Run a proxy service to block attempts to reach websites identified as hosting malware or phishing campaigns.
  • Protect devices with current security software and set it to update automatically so that it always has the latest patches.
  • Limit the damage a successful phish can do by restricting administrator rights through privileged access management, so that users cannot accidentally install malware.
  • Strengthen identity and access management (IAM) with multi-factor authentication, so that a stolen username and password alone will not let scammers into your accounts. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys where possible, since one-time codes can be relayed by a real-time phishing proxy.
  • Consider engaging a cybersecurity consultant or IAM specialist to help implement the appropriate technology and processes.
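The anti-spoofing and filtering items above rest on SPF, DKIM and DMARC. The following Python script is an added example, not from this article or from Burning Tree, showing the receiving-side half of that control: it reads the Authentication-Results header an upstream mail server has already added, pulls out the SPF and DKIM verdicts, and tests whether the authenticated domains align with the visible From: domain. That alignment test is what DMARC adds over SPF and DKIM alone, and it is what defeats a message that passes SPF for the attacker's own domain while displaying a trusted From: address. The two sample messages, the domains in them and the two-label organisational-domain shortcut are constructed assumptions.

```python
"""DMARC-style alignment check on a received message (added example).

Assumes an upstream MTA has already evaluated SPF and DKIM and recorded the
outcome in an Authentication-Results header (RFC 8601). The sample messages
and domains below are constructed for illustration.
"""
import email
import re
from email.policy import default
from email.utils import parseaddr

# Constructed sample: the From: header claims example.com, but SPF and DKIM
# were both evaluated against an unrelated sending domain, so neither
# authenticated identity aligns with what the user sees.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@bulk-sender.test;
 dkim=pass header.d=bulk-sender.test
From: "Accounts Payable" <ap@example.com>
To: finance@example.net
Subject: Updated bank details for invoice 4471

Please update our payment details before the next transfer.
"""

# Constructed sample: SPF aligns exactly and DKIM aligns on the organisational
# domain (mail.example.com is a subdomain of example.com).
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@example.com;
 dkim=pass header.d=mail.example.com
From: "Accounts Payable" <ap@example.com>
To: finance@example.net
Subject: Invoice 4471

Invoice attached.
"""

# One spf=... or dkim=... clause and, optionally, the identity it was checked
# against (smtp.mailfrom may be a full address; header.d is a bare domain).
AUTH_CLAUSE = re.compile(
    r"\b(?P<method>spf|dkim)=(?P<result>[a-z]+)"
    r"(?:\s+(?:smtp\.mailfrom|header\.d)=(?P<ident>[^\s;]+))?",
    re.IGNORECASE,
)


def org_domain(domain: str) -> str:
    """Approximate the organisational domain by keeping the last two labels.
    Simplification (assumption): a real DMARC implementation consults the
    Public Suffix List so that e.g. 'co.uk' is not treated as an organisation.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Return {'spf': (result, domain), 'dkim': (result, domain)} from an
    Authentication-Results value; methods that are absent are left out."""
    results = {}
    for m in AUTH_CLAUSE.finditer(header or ""):
        ident = (m.group("ident") or "").rsplit("@", 1)[-1].lower()
        results[m.group("method").lower()] = (m.group("result").lower(), ident)
    return results


def dmarc_aligned(raw_message: str, strict: bool = False) -> dict:
    """Apply the DMARC alignment test: the message passes only if SPF or DKIM
    passed AND the domain it passed for matches the From: domain (exactly in
    strict mode, on organisational domain in relaxed mode)."""
    msg = email.message_from_string(raw_message, policy=default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    results = parse_auth_results(str(msg.get("Authentication-Results", "")))

    def aligned(domain: str) -> bool:
        if not domain or not from_domain:
            return False
        if strict:
            return domain == from_domain
        return org_domain(domain) == org_domain(from_domain)

    spf_result, spf_domain = results.get("spf", ("none", ""))
    dkim_result, dkim_domain = results.get("dkim", ("none", ""))
    spf_ok = spf_result == "pass" and aligned(spf_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "verdict": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    for name, sample in (("spoofed", SAMPLE_SPOOFED), ("legitimate", SAMPLE_LEGIT)):
        print(name, dmarc_aligned(sample))
```

The spoofed sample fails even though both SPF and DKIM returned "pass", because they passed for bulk-sender.test rather than for the domain shown to the user. This check only has teeth when the domain owner has published a DMARC record with p=quarantine or p=reject, which is the sending-side half of the anti-spoofing item above; a production filter would also look up that policy in DNS, handle several DKIM signatures on one message, and use the Public Suffix List for the organisational-domain comparison.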

Richard Menear, management, Burning Tree