What is phishing and how can you avoid another ‘phishing’ scam?
Defining “phishing”
Phishing is a form of cybercrime in which criminals impersonate legitimate companies in order to defraud users, with the sole purpose of obtaining sensitive data. Because employees handle large amounts of sensitive data, they are both the most exposed and the most frequently targeted.
How is phishing executed?
Using social engineering, cybercriminals trick users into clicking a link in an e-mail. The link either drops malicious files onto the computer, giving the criminal access to the user's or the employer's systems, including private and confidential data, or it directs the user to a fake website that asks them to supply personal information, including but not limited to usernames and passwords. Another method is an e-mail attachment presented as an outstanding invoice; once the attachment is opened, the malware runs and access is gained.
It may sound crude, but a single campaign can reach thousands of users at once, so criminals spend considerable time designing e-mails that look exactly as if they came from a trusted source such as a vendor or law enforcement.
The above describes general phishing, but it also applies to a second category, spear-phishing. Spear-phishing targets specific individuals using information gathered from their web presence, and it generally appears to come from a trusted source such as a colleague or friend. A favourite variant, often called CEO fraud or business e-mail compromise, is an e-mail that appears to come from the CEO or CFO instructing the recipient to transfer money.
Dangers of phishing
- Reputational damages
- Financial losses
- Lawsuits
- Loss of employment as a consequence of the above.
Identifying a phishing attack
- The sender’s domain is a public mailbox provider, e.g. @gmail.com or @yahoo.com. Always look at the actual e-mail address, not just the display name; the display name is chosen freely by the sender and proves nothing.
- The domain name contains spelling errors or look-alike characters (for example “rn” in place of “m”, or a digit 1 in place of a lowercase l).
- The content of the e-mail is littered with spelling and grammatical errors; grammatical errors in particular are unlikely to be simple typos.
- Review the greeting. No professional e-mail will start with “Hi Dear”, and any organisation you deal with directly will generally address you by your title and surname, something bulk phishing e-mails cannot do.
- The message contains suspicious links. An e-mail from Netflix will link you to a page whose domain is netflix.com. Check the domain carefully: the part of the address immediately before the first “/” must end in netflix.com, so www.netflix.com is genuine but netflix.com.example.net belongs to example.net, even though it begins with the familiar name. Links are often hidden behind a button; before clicking, hover the mouse over it and review the destination address that appears.
- The message requests that you share personal information. Any message asking you to enter or verify personal information or banking details is a major red flag.
- The message creates a sense of urgency, so that you act before you have had time to think it over.
- The message threatens negative consequences, such as loss of money, closure of accounts or legal action, if you do not respond.
- In general, phishing e-mails revolve around the following topics:
a. They have noticed suspicious activity on your account
b. There is a problem with your account or payment information
c. You need to confirm your personal information
d. A fake invoice is attached
e. A link is provided to make a payment
f. You qualify for a government refund
g. You are offered coupons, other free goods, free vacations or large monetary rewards.
Protecting yourself against phishing
- Always remember: as an employee you are the first line of defence, so think before you click!
- Be cautious and mindful about which websites you visit and which files you open on your computer.
- Be constantly aware that you work with data and information that is valuable to cybercriminals.
- Keep your operating system and software updated.
- Regularly check whether your e-mail addresses and credentials have been exposed in known data breaches, and change any password that has.
- Be vigilant! Any e-mail that raises suspicion must be examined with caution.
- Use multi-factor authentication to protect your accounts; a stolen password alone is then not enough to log in.
- If you suspect you have clicked a phishing link or opened an infected attachment, tell your IT department immediately, change any password you entered, and run a scan with up-to-date security software.
- Report any suspicious e-mail to your IT department, even if you did not click on anything.
- If it appears too good to be true, it probably is.
- Install an anti-phishing browser extension or toolbar.
- Check the site’s address, not just the padlock. A legitimate site will use “https”, but so do most phishing sites, because certificates are free and easy to obtain; “https” only means the connection is encrypted, not that the site is genuine. Be cautious with shortened links: place your cursor over the link to view its final destination before clicking.
- Be cautious with pop-ups, and never enter credentials into one.
- Avoid public networks for work; if you must use one, connect through your organisation’s VPN.
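Several of the indicators listed above can be checked mechanically: a sender on a public mailbox provider, a look-alike sender domain, a display name that claims a brand the address does not belong to, a trusted name used as a subdomain prefix of an unrelated host, a link whose visible text names one site while its real target is another, a generic greeting, and urgency phrasing. The Python script below is an added example written for this page, not code from the original article or from any product; the trusted-domain allowlist, the public-mailbox list, the similarity threshold, the urgency phrase list and both sample messages are constructed assumptions. It uses only the standard library and runs offline.

```python
"""Heuristic phishing-indicator checks over a raw e-mail (added example, stdlib only)."""
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: domains this organisation legitimately receives mail from,
# and consumer mailbox providers that no vendor would use for official correspondence.
TRUSTED_DOMAINS = ("netflix.com", "example-bank.com")
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be suspended", "verify your")

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real deployment would use the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href: str, anchor_text: str) -> list[str]:
    """Flags for one link: trusted name buried in a foreign host, or text/target mismatch."""
    flags, host = [], (urlparse(href).hostname or "").lower()
    if not host:  # mailto:, relative links etc. are out of scope here
        return flags
    reg = registered_domain(host)
    for trusted in TRUSTED_DOMAINS:  # "netflix.com.evil.example" starts with netflix.com
        if host.startswith(trusted + ".") and reg != trusted:
            flags.append(f"trusted-name-as-subdomain:{host}")
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", anchor_text.lower())
    if m and registered_domain(m.group(1)) != reg:  # text shows one site, href goes elsewhere
        flags.append(f"link-text-mismatch:{m.group(1)}->{host}")
    return flags

def analyse_message(raw: str) -> list[str]:
    """Return the indicators found in a raw RFC 5322 message; an empty list means none."""
    msg, flags = message_from_string(raw, policy=policy.default), []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in PUBLIC_MAILBOX_DOMAINS:
        flags.append(f"public-mailbox-sender:{sender_domain}")
    for trusted in TRUSTED_DOMAINS:
        # Look-alike check: near-identical string (netfiix.com vs netflix.com). Threshold is an
        # assumption; a production tool would use edit distance plus a confusables table.
        if sender_domain != trusted and SequenceMatcher(None, sender_domain, trusted).ratio() >= 0.85:
            flags.append(f"lookalike-sender-domain:{sender_domain}~{trusted}")
        brand = trusted.split(".")[0]  # display name claims a brand the address lacks
        if brand in display.lower() and registered_domain(sender_domain) != trusted:
            flags.append(f"display-name-brand-mismatch:{brand}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(content)
        for href, text in parser.links:
            flags.extend(check_link(href, text))
    lowered = content.lower()
    if "hi dear" in lowered:
        flags.append("generic-greeting")
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("urgency:" + ",".join(hits))
    return flags

# Constructed sample messages (not real mail); every address and domain is made up.
SAMPLE_PHISH = """\
From: "Netflix Billing" <billing-support@netfIix.com>
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Dear,</p><p>We noticed suspicious activity on your account. Verify your
payment information immediately or your account will be suspended within 24 hours.</p>
<p><a href="http://netflix.com.account-verify.example.net/login">https://www.netflix.com/account</a></p>
</body></html>
"""
SAMPLE_LEGIT = """\
From: Netflix <info@account.netflix.com>
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Jane Doe,</p><p>Your receipt is at
<a href="https://www.netflix.com/billing">www.netflix.com/billing</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(f"{name}: {analyse_message(raw)}")
```

Run it as-is and the constructed phishing sample produces seven flags while the legitimate sample produces none. The point of the link checks is the one made in the list above: `netflix.com.account-verify.example.net` begins with the familiar name but its registered domain is `example.net`, and the visible text `https://www.netflix.com/account` has nothing to do with where the link actually goes. The script is a teaching aid, not a mail filter; real gateways add sender authentication (SPF, DKIM, DMARC), URL reputation and attachment sandboxing on top of heuristics like these.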