What is Phishing?
Phishing is one of the easiest forms of cyberattack for criminals to carry out, and one of the easiest to fall for. It can provide everything hackers need to ransack their targets’ personal and work accounts.
Usually carried out over email – although the scam has long since spread beyond suspicious emails to phone calls (so-called ‘vishing’), SMS and messaging services (‘smishing’), social media and apps – a basic phishing attack attempts to trick the target into doing what the scammer wants.
That might be handing over passwords to make it easier to hack a company, or altering bank details so that payments go to fraudsters instead of the correct account.
Phishing emails spiked by over 600% between the end of January and late March 2020 as cyber-criminals looked to capitalise on the fear and uncertainty generated by the COVID-19 pandemic, according to Barracuda Networks.
The security vendor observed just 137 incidents in January, rising to 1188 in February and 9116 so far in March. Around 2% of the 468,000 global email attacks detected by the firm were classified as COVID-19-themed.
As is usually the case, the attacks used widespread awareness of the subject to trick users into handing over their log-ins and financial information, and/or unwittingly downloading malware to their computers.
Of the COVID-19 phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% blackmail and 1% as business email compromise (BEC).
How does a phishing attack work?
A basic phishing attack attempts to trick a user into entering personal details or other confidential information, and email is the most common method of performing these attacks.
The sheer number of emails sent every single day makes email an obvious attack vector for cyber criminals. It’s estimated that 3.7 billion people send around 269 billion emails a day.
Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day.
Most people simply don’t have the time to carefully analyse every message that lands in their inbox – and it’s this that phishers look to exploit in a number of ways.
Scams vary in their targets – some are aimed at unwary consumers. Here, the email subject line will be designed to catch the victim’s eye – common phishing campaign techniques include offers of prizes won in fake competitions such as lotteries, or contests run by retailers offering a ‘winning voucher’.
In this example, to ‘win’ the prize the victims are asked to enter details such as their name, date of birth, address and bank details in order to claim. Obviously, there’s no prize and all they’ve done is put their personal details into the hands of hackers.
How can I spot a phishing attack?
At the core of phishing attacks, regardless of the technology or the particular target, is deception.
While many in the information security sector might raise an eyebrow at the lack of sophistication of some phishing campaigns, it’s easy to forget that there are billions of internet users – and every day there are people who are accessing the internet for the first time.
Large swathes of internet users therefore won’t even be aware of the potential threat of phishing, let alone that they might be targeted by attackers using it. Why would they even suspect that the message in their inbox isn’t actually from the organisation or friend it claims to be from?
But while some phishing campaigns are so sophisticated and specially crafted that the message looks totally authentic, there are some key give-aways in less advanced campaigns that can make it obvious to spot an attempted attack.
- Many of the less professional phishing operators still make basic errors in their messages – notably when it comes to spelling and grammar.
- Official messages from any major organisation are unlikely to contain bad spelling or grammar, and certainly not repeated instances throughout the body. A poorly written message should act as an immediate warning that the communication might not be legitimate.
- It’s common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services, they still struggle to make messages sound natural.
- Many phishing attacks will contain what looks like an official URL. However, it’s worth taking a second careful look: the text a link displays can differ from the address it actually points to (hover over it before clicking), and attackers use look-alike domains, addresses that hide the real host behind an ‘@’ sign, and bare IP addresses in place of a hostname.
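As an added example (not part of the original article), the following Python script applies the “second careful look” to the links in an HTML email body. The sample message, the domain names and the IP address in it are all constructed for illustration. It flags a link when the domain shown in the link text differs from the host the link really points to, when the host is a raw IP address, when the URL carries a user-info ‘@’ that hides the real host, or when the hostname uses punycode (a common way to build look-alike domains). The `registrable_domain` helper is a deliberate simplification; a production tool would consult the Public Suffix List.

```python
"""Flag suspicious links in an HTML email body (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample of what a fake "account verification" mail might render.
# Link 1: visible text names one domain, href points at another.
# Link 2: punycode look-alike host.
# Link 3: real host hidden behind a user-info "@" and given as a bare IP.
# Link 4: a legitimate-looking link used as a control.
SAMPLE_HTML = """
<p>Your account has been limited. Please <a href="https://secure-login.example-update.net/verify">
https://www.examplebank.com/login</a> to restore access.</p>
<p>Or visit <a href="https://www.xn--examplebnk-ubb.com/">www.examplebank.com</a></p>
<p>Help: <a href="http://www.examplebank.com@198.51.100.23/help">support centre</a></p>
<p>Unsubscribe: <a href="https://www.examplebank.com/prefs">manage preferences</a></p>
"""

# Matches a domain name (optionally with scheme) inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_links(html: str) -> list:
    """Return one finding dict per <a> element, with the reasons it looks suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""          # urlsplit strips any user-info before "@"
        reasons = []
        if parts.username is not None:
            reasons.append("user-info '@' in URL hides the real host")
        if _host_is_ip(host):
            reasons.append("raw IP address instead of a hostname")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode (internationalised) hostname")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"displayed domain {shown.group(1)} differs from link host {host}")
        findings.append({"href": href, "text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_HTML):
        print(("SUSPICIOUS" if f["suspicious"] else "ok").ljust(11), f["href"])
        for r in f["reasons"]:
            print("            -", r)
```

Run against the sample, the first three links are flagged and the fourth is not. The checks are deliberately conservative: they rely only on what is in the message itself, so they can run in a mail gateway or a security-awareness tool without any network lookups.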
How to protect against a phishing attack?
Training, training and more training. It might seem like a simple idea, but training is effective. Educating your team on what to look out for when it comes to a phishing email can go a long way to protecting your organisation from malicious attacks.
Simulated phishing exercises allow staff to make errors – and crucially learn from them – in a protected environment. At a technical level, preventing macros from running on computers in your network can play a big part in protecting employees from attacks. Macros aren’t designed to be malicious – they’re designed to automate repetitive tasks – but attackers embed them in attached Office documents to run malicious code.
Current versions of Office block macros in files that came from the internet by default, while older versions only disable them behind an ‘Enable Content’ prompt that users can click through. It’s worth enforcing the block through policy and checking that it applies to all the computers on your network – it can act as a major barrier to phishing emails attempting to deliver a malicious payload.
Multi-factor authentication also provides a strong barrier against phishing attacks because it requires an extra step for cyber criminals to overcome in order to conduct a successful attack. According to Microsoft, using multi-factor authentication blocks 99.9% of attempted account hacks. Bear in mind that one-time codes sent by SMS or generated by an app can still be relayed in real time by a phishing site that proxies the login; phishing-resistant methods such as FIDO2 security keys bind the credential to the legitimate site’s domain and close that gap.
Here at 1Connect, as accredited partners of leading cybersecurity vendors such as Cisco, Juniper and Fortinet, we are only too happy to assist in making sure your business is well protected from attacks.
Head over to our dedicated security page or visit our infrastructure page to learn about the vendors we are partners with.
If you need more information call one of our specialist team on 01925 530 150.