Genevieve Cavey 09 September 2022 09:43:58 AEST 9 MIN READ

What is Phishing? What you need to know

If you or your employees have ever received an email from the bank asking you to verify your account, chances are it was fake. Phishing attacks targeting specific individuals have become more common and costly in recent years, with cybercriminals using them to steal user data, including login credentials and credit card numbers.

The term ‘phishing’ refers to the practice of ‘fishing’ for sensitive user information using sophisticated email-based lures. More recent variations include ‘smishing’, which is phishing via SMS text message, and ‘vishing’, which is phishing via voicemail or a recorded message.

With the average data breach costing businesses a staggering $4.24 million, it only takes one seemingly innocent click for cybercriminals to access your data or your company's systems, unleashing devastating consequences. Protect yourself, your family, and your organisation by learning how to recognise common phishing tactics and learn what you can do if you fall victim to one of these attacks.


What is Phishing?

Phishing is a type of cybercrime designed to steal user data, including login credentials and credit card numbers, and it’s becoming increasingly popular. Tripling since 2020, these scams are responsible for 90% of all data breaches. A phishing attack usually starts with an email or text message (AKA smishing) that looks like it's from a trusted source, like your bank or a company you do business with. The message will typically contain a link that takes you to a fake website that looks legitimate.

Phishing attacks can target anyone, in any industry, but some are more vulnerable than others. Healthcare, financial services, and retail are among the most commonly targeted industries. Small businesses are also at a greater risk, as they may not have the same level of security as larger companies. But ultimately, we’re all at risk of falling prey. Businesses can even become vulnerable if an employee is phished using a personal service or device, with scammers seeking to use the breach as leverage to access the company’s communications and networks.


Types of Phishing 

Phishing comes in many forms, but they all have one goal: to steal your sensitive information. There are three main categories of attack: Phishing, Spear Phishing and Whaling. 

Phishing

Phishing involves sending mass emails that try to fool you into clicking on malicious links or into giving up sensitive information under false pretences. Examples include the Apple scam emails that we often intercept here at MailGuard. The cybercriminals are banking on most people having an Apple account, so there’s a good chance that at least some of the recipients will click through without spotting the tell-tale signs.


Spear-Phishing

These attacks are more specific. They target individuals rather than groups through malicious emails, and they rely on social engineering techniques: the scammers research the targeted individual beforehand so that they can include personal and familiar information in the attack, such as sending messages that appear to come from someone you know well, like a friend or colleague. Spear phishing attacks often feature credible-looking websites that seem legitimate but are explicitly designed to compromise large companies' computer systems.

A typical target of a spear phishing attack might be a member of an organisation’s accounts payable or receivable team, if the scammers are seeking to elicit payment of an invoice, for example. Or perhaps they’re hoping to steal an individual’s identity in order to target other firms in their supply chain. For instance, by gaining their email account credentials, they can send legitimate-looking emails to suppliers from the compromised account, provide different account details for payment or switch invoices, and then delete any evidence that they were ever there.

CEO Fraud or Whaling, and BEC (Business Email Compromise)

Whaling is a form of spear phishing, in that it targets specific individuals, such as a company President, CEO or other key executives (AKA a whale), often hoping to trick them into handing over information that will enable the scammers to complete an action like a wire transfer. In the closely related case of BEC, the cybercriminals attempt to impersonate senior executives, exploiting their power and influence over subordinates. The scammers are banking on employees feeling obliged to act quickly and to follow the instructions of their senior manager or executive without asking too many questions.


How to Spot a Phishing Email

With 3.4 billion fraudulent emails sent each day, attacks are becoming more and more sophisticated, and harder to spot.

Here are six things to look out for:

1. Sender details are spoofed, or illegitimate

Scammers mimic real companies and brands that we’re already familiar with. In other cases the sender email address may be completely unrelated to the company, which can be a sign of a compromised account.

2. Imitating brands we know & love

Scammers love to imitate authentic brands that we know and love, to lure you in by leveraging your trust in those companies.

3. Poor grammar & spelling

A tell-tale sign that an email isn’t legitimate is grammatical errors and simple spelling mistakes.

4. A sense of urgency

A much-loved tactic of scammers is creating a sense of urgency by including a looming deadline, hoping you don’t take the extra time to check the details.

5. A seemingly small ask

Scams sometimes include seemingly innocuous tasks, like a small fee to release a parcel or an extra verification step. These are intentional, designed to steal personal or credit card details.

6. A hidden nasty: URL or malicious file

To bypass email filters, the nasty surprise often isn’t in the email itself. Instead, there’s a link or URL that takes you to a phishing page.

If you're unsure about an email, don't hesitate to contact the sender through a channel you already trust and ask for clarification.
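To show how the six signs above translate into something a mail filter or help desk can check automatically, here is an added example (not MailGuard's code or part of the original post) that scores a raw email against signs 1, 2, 4, 5 and 6; sign 3 (grammar) is left out because it needs a language model rather than a rule. The two messages, the brand list and the keyword lists are constructed for illustration, and the `.example` domains are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not from the original post). The first claims
# to be Apple but is sent from, replies to, and links to unrelated domains.
PHISH = """From: "Apple Support" <billing@appleid-verify-account.example>
Reply-To: collections@mailbox-free.example
Subject: Urgent: your Apple ID will be suspended within 24 hours
Content-Type: text/html

<p>Pay the $1.99 redelivery fee to keep your account.</p>
<a href="http://apple-secure.example/login">https://appleid.apple.com</a>
"""
LEGIT = """From: "Apple" <no_reply@email.apple.com>
Subject: Your receipt from Apple
Content-Type: text/html

<p>Thanks for your purchase.</p><a href="https://apple.com/receipt">View receipt</a>
"""

URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "final notice")
SMALL_ASK = ("fee", "verify", "verification", "confirm your")

def indicators(raw, trusted=("apple.com",)):
    """Return the tell-tale signs found in one raw RFC 822 message (sorted)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", addr))[1].rpartition("@")[2].lower()
    body = msg.get_payload()                      # single-part body as text
    text = (msg.get("Subject", "") + " " + body).lower()
    found = set()
    if reply_dom != from_dom:                     # 1. replies steered elsewhere
        found.add("reply-to domain differs from sender")
    for brand in trusted:                         # 2. brand name, wrong domain
        claimed = brand.split(".")[0] in (name + addr).lower()
        if claimed and not (from_dom == brand or from_dom.endswith("." + brand)):
            found.add("brand name with unrelated sender domain")
    if any(w in text for w in URGENCY):           # 4. urgency wording
        found.add("urgency")
    if any(w in text for w in SMALL_ASK):         # 5. small ask
        found.add("small ask")
    for href, shown in re.findall(r'href="([^"]+)"[^>]*>([^<]+)<', body):
        h, s = urlparse(href), urlparse(shown.strip())   # 6. hidden URL
        if s.hostname and s.hostname != h.hostname:
            found.add("link text/target mismatch")
        if h.scheme != "https":
            found.add("non-https link")
    return sorted(found)
```

A message that trips none of these rules is not proven safe (phishing pages are routinely served over https), so treat the output as a triage signal rather than a verdict.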


How do I Protect My Business from Phishing Scams?

With almost half of all emails being phishing emails, it’s essential to know what to do to protect your business.

Here are some tips:

  • Keep your anti-virus and anti-malware software up to date and protect yourself with a cloud-based email security solution such as MailGuard.
  • Avoid clicking on links in emails, even if they look legitimate. If you're unsure, go to the company's website directly.
  • Don't enter personal or financial information on websites that don't have https:// in the URL.
  • Be suspicious of any email or text message that includes a sense of urgency or threatens consequences if you don't take action immediately.

Remember to never share sensitive information like usernames, passwords, social security numbers or credit card numbers online. Even if you think you're chatting with somebody who really knows what they're talking about, never give out too much information: there's no such thing as being too careful when it comes to protecting yourself against cyberattacks. With the rise of new technology and new ways to carry out old crimes, it's important to remember that prevention starts with being mindful about how you interact online.


What to Do if You Suspect a Phishing Email

If you suspect an email is a phishing attempt, don't click on any links or open any attachments. Instead, mark the email as spam and delete it.

And if you have fallen victim to an attack or a near miss, it’s important to know that you’re not alone. In fact, it’s more common than you probably think. In the US, 1 in 10 adults fall victim to a scam or fraud every year, and 1 in 9 Australians experienced personal fraud in 2020-2021.

After a cyberattack, it’s important that you act as quickly as possible. Most importantly, you should:

  • Advise your IT department.
  • Update your antivirus software and run a scan on your computer to check for malware.
  • Report the phishing attempt to the company or service that the email appeared to come from.
  • Contact your bank if you’ve sent money or personal banking details to a scammer.
  • Change your online passwords.
  • Report the scam or cyberattack.

For further tips on reporting phishing scams, check out this post.


Well, that’s a wrap! Hopefully you now have a better understanding of phishing and you’ve found some of these tips to protect your business and employees useful. Remember if you're ever unsure about an email, message or call, don't engage. If something doesn't seem right, it probably isn't.


Prevention is always better than a cure, and the best defence is for your business to proactively boost its cyber resilience to stop threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for your business to fortify.

No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or Google Workspace, you should also have third-party solutions in place to mitigate your risk, for example a specialist cloud email security solution like MailGuard to complement Microsoft 365.

For more information about how MailGuard can help defend your inboxes, reach out to our team at expert@mailguard.com.au.
