It’s likely you’ve heard of phishing and know it’s something you want to avoid. But do you know what it really means and exactly how a phishing attack works?
In our experience, lots of people don’t know the specifics. And that’s OK. But the key to keeping your business protected from phishing attacks is to know exactly how they work and the red flags to look out for. This guide is here to do just that.
It’s called ‘phishing’ because cyber criminals bait unsuspecting victims into ‘biting’, just like you’d lure a fish to a hook with a big juicy maggot.
This virtual bait is usually in the form of an email. And when the victim gets hooked, their device and potentially their whole network can become infected with malware. Or the victim is enticed into giving away login credentials which can lead to data and even financial theft.
Phishing isn’t just inconvenient. You should see how much time, expense and stress has to be invested in fixing the damage. Understand this: You want to avoid a phishing attack.
Oh, and phishing doesn’t always come in the form of an email either. But more on that later.
A phishing email will drop into your inbox like any normal email. Often, it’ll look like it’s been sent from a legitimate sender, so you don’t suspect anything is wrong. This is dangerous when it’s pretending to be from a popular company, like Amazon or PayPal.
But in some cases, the attacker will have learnt information about you, such as the services you subscribe to, and the email becomes all the more believable – and riskier.
At a glance, the email won’t look suspicious. Everything is as it’s supposed to be, so it’s likely you won’t question the contents… especially as it’s often an urgent request for you to act, which can be distracting in itself.
This urgent request will work in different ways: It can ask you to open an attached file, perhaps asking you to confirm details of a recent purchase.
By doing this, your device may become infected with malware. And if that device is connected to a network, it’s possible the malware could spread to other devices.
Another common approach is to ask you to click a link. This might take you to a fake page (known as a spoof web page) pretending to be a service you really use… and when you login, you have given your login details to the criminals.
Sadly no. That would make things easier for those of us in defense.
A phishing attack can take many different forms. These are some of the most common ones…
Oh, and there are different forms of phishing emails to beware of too…
Ok, you get the idea. Let’s stop there.
Sorry to say it, but everyone in your business and especially you, as the boss (See whaling, above). It’s a real threat you need to take seriously.
This isn’t something you can ignore as “it’ll never be targeted at us, we’re too small or obscure a business.”
Cyber criminals use automated tools to target all businesses, all the time. You don’t read about small businesses being affected, as those stories don’t end up in the news.
Some of the biggest companies in the world have been fooled by phishing scams.
Between 2013 and 2015, Facebook and Google were scammed out of $100 million when cyber criminals carried out an extended phishing campaign.
They took advantage of the fact that both companies used the same Taiwanese vendor, Quanta. They sent a series of invoices pretending to be from Quanta, and both Facebook and Google paid.
When the scam was discovered, it was taken to the US courts. The attacker was arrested and extradited from Lithuania, and Facebook and Google recovered just under half of what was stolen.
In 2014, Sony Pictures became the victim of a phishing attack that wasn’t about money. The attackers were believed to have a connection to North Korea, and targeted Sony because of a movie it refused to withdraw that mocked Kim Jong Un.
The cyber criminals used fake emails to steal huge amounts of information from Sony’s network. That included email conversations about staff members, scripts, and employees’ personal information. They even gained access to Sony’s offices by tricking their way in. Then they impersonated IT staff and installed malware on Sony’s systems.
The attack ended up costing Sony around $35 million in IT repairs.
As with most types of cybercrime, protection against phishing starts with education. Everyone in your entire business should have regular cyber security awareness training. And we really do mean everyone. Because if someone is using any device, they need to be aware of the risks and the red flags to look out for.
This may relate to a phishing attempt, or it could relate to one of the other forms of cyber-attack or threats that businesses like yours face every day.
When it comes to phishing attacks, there are a number of warning signs you and your team should be on the lookout for:
DO hover your cursor over the sender’s name in your emails, as well as any website addresses. This will show you the actual email address used, or the website you’re being directed to. DON’T log in to any of your accounts by following a link in an email. Go directly to the website that you always use and login that way.
DO check all emails to make sure they’re genuine. Even if they’re from close friends or colleagues.
DON’T use the same passwords across different online accounts. Cyber criminals will often try your credentials on countless other sites once they’ve stolen them. Using different login details will keep your other accounts protected.
DO use a password manager to make sure passwords are long and randomly generated, making them virtually impossible to guess.
DO implement multi-factor authentication across applications (where you use a second device to prove it’s really you logging in).
If you often deal with financial transactions over email, it’s a good idea to set up a dedicated email address that invoices should be sent to. If you don’t advertise the address, it’s far less likely that it will be targeted with phishing emails.
You could also implement codewords with clients or suppliers if an email is regarding payments. If the email doesn’t contain the codeword, you know not to process the transaction. Don’t email these codewords out… phone your suppliers to tell them about the codeword scheme.
Finally, make sure your policies accurately reflect your stance on financial transactions and the best way to handle them. For instance, you might decide that all transactions must be confirmed over the phone for security reasons.
As you can see, there’s a lot more to phishing than you thought. Attacks are evolving all the time, so it’s important to take them seriously and protect your business as best you can.
If you want more information, or you need help protecting your business, get in touch.