What is phishing?

In our digital society, we are increasingly confronted with unwanted messages. Individuals and rogue organisations are after our personal data, with malicious intent. Get more insight into phishing, the forms it takes, and how an organisation can better protect itself against this phenomenon.

Phishing is a type of cybercrime in which someone posing as a legitimate organisation contacts a victim by email, phone, or text message with the aim of convincing them to hand over sensitive data, such as personally identifiable information, bank details, credit card details, and passwords.

The data obtained, and the access to systems and accounts that comes with it, is often used for financial gain.

Phishing comes in many forms, including smishing, vishing, and whaling. We will explain two of the better-known forms of phishing below: phishing emails and spear phishing.

1. What are phishing emails?

Phishing emails are popular among cybercriminals because of their ease of use, low cost, and high success rate: obtaining email addresses is easy and sending emails is almost free.

Phishing emails appear to come from trustworthy organisations, such as banks or postal services. They usually ask you to click on a link and then log in; alternatively, they ask for personal information that can be used to commit identity fraud.

2. What is spear-phishing?

Spear-phishing targets a single individual. The attack is carefully designed using information gathered about that person. Spear-phishing emails may appear to be sent by a trusted business colleague or friend, and information from social media such as LinkedIn and Facebook can be used to build trust.

3. Recognising phishing

An organisation can lose millions, damage its brand and undermine customer trust if a phishing or spear-phishing attack succeeds. To avoid these consequences, awareness is usually the first step in a successful defence strategy, and awareness begins with learning the following recognition points:

3.1 The greetings are usually generic

When a bank sends its customers a message, you can assume it will usually be personalised with first and last name. In the majority of phishing attacks, this is not the case: the attackers usually limit themselves to ‘Dear Sir/Madam’.

When someone is the target of a spear-phishing attack, however, the message is personalised.

3.2 Fake web pages and URLs

The website linked to is not the website it claims to be. For example, Facebook can be written as faceboook or fasebook. It looks almost identical, but it is not. Some attackers actively exploit this and register such domains. This form of fraud is called “typosquatting”.

Before clicking on a link in an email, move the cursor over the link; the destination URL is then displayed. If it does not match the URL you expect, delete the email immediately.

3.3 Grammar and syntax

Poor sentence structure, spelling mistakes, and strange formatting are also clear signs of a phishing attempt.

3.4 Trustworthy organisations

Scammers often impersonate popular applications and software, such as WeTransfer and DocuSign. Always verify with the sender, through a channel other than the message itself, before clicking on a link.

4. Preventing phishing

In principle, there is little you can do to stop phishing attempts from arriving. However, there are actions that reduce the chances of a phishing attack succeeding.

4.1 Provide training to all staff

Education is the most robust line of defence against data breaches. Employees, and therefore human error, are usually one of the biggest sources of a data leak. Thorough training to raise awareness of cyber security is therefore crucial. Our cyber security awareness training helps organisations with this. Alternatively, you can set up simulations to train employees.

4.2 Check the website

Phishing emails often ask you to download a file or click on a link. In the latter case, check the destination URL before clicking: when you hover over the link, the URL is displayed in a small bar at the bottom of the browser window. On a mobile device, press and hold the link and the URL appears in a pop-up.
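The checks from sections 3.2 and 4.2, as an added example that is not code from the original article: it extracts the links from an HTML email body, flags link text that names a different domain than the real destination, and compares each destination against an allowlist of trusted domains to catch typosquats and brand names buried in an unrelated host. TRUSTED_DOMAINS, SAMPLE_EMAIL and the regex-based link extractor are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation expects email links to point at.
TRUSTED_DOMAINS = {"facebook.com", "wetransfer.com", "docusign.com"}
# Simplified anchor extractor, enough for the constructed sample (not a full HTML parser).
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def hostname(url):
    """Lower-cased host of a URL; a bare 'www.x.com' from link text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def base_domain(host):
    """Registrable part of a host, e.g. 'login.fasebook.com' -> 'fasebook.com'."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance: each typo, dropped or extra letter costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html):
    """Return (href, reason) findings for links failing the checks of sections 3.2 and 4.2."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host, dest = hostname(href), base_domain(hostname(href))
        # The visible text names one domain while the real destination is another.
        if re.search(r"\w\.[a-z]{2,}", text, re.I) and base_domain(hostname(text.strip())) != dest:
            findings.append((href, f"text shows {hostname(text.strip())}, destination is {host}"))
        if dest in TRUSTED_DOMAINS:
            continue
        for good in TRUSTED_DOMAINS:
            if edit_distance(dest, good) <= 2:  # typosquat such as faceboook or fasebook
                findings.append((href, f"{dest} is a lookalike of {good}"))
            elif good in host:  # trusted brand name buried inside an unrelated host
                findings.append((href, f"{good} appears inside untrusted host {host}"))
    return findings

# Constructed sample body: one honest link, one mismatched typosquat, one buried brand name.
SAMPLE_EMAIL = """
<p>Your document is ready: <a href="https://www.docusign.com/view/1">Open it</a>.</p>
<p>Or visit <a href="http://login.fasebook.com/">https://www.facebook.com/</a> to verify.</p>
<p>Files: <a href="https://wetransfer.com.example-dl.net/x">WeTransfer</a></p>
"""
```

Running `check_links(SAMPLE_EMAIL)` reports nothing for the DocuSign link and three findings for the other two; the same function can be pointed at a mail gateway's quarantine feed to surface links worth a second look.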

4.3 Do not click on links

An essential element for employees to be aware of is to maintain a healthy level of scepticism. Whether the communication arrives via email, text or social media, one should be alert to phishing. Staff should ignore any link that takes them to an unknown website requiring them to enter passwords, sensitive information or account details.

4.4 Use email filters

Software can help secure email servers, but spam filters should already be in place. Employees should be encouraged to flag spam emails that reach their inboxes so that the filters can do their job more effectively.
