The Complete Guide to Phishing

It's likely you've heard of phishing and know it's something you want to avoid.


But do you know what it really means and exactly how a phishing attack works?  In our experience, lots of people don't know the specifics.  And that's OK.  But the key to keeping your business protected from phishing attacks is to know exactly how they work and the red flags to look out for. 

This guide is here to do just that...

What Exactly is Phishing?

It’s called ‘phishing’ because cyber criminals bait unsuspecting victims into ‘biting’, just like you’d lure a fish to a hook with a big juicy worm. This virtual bait is usually in the form of an email. And when the victim gets hooked, their device and potentially their whole network can become infected with malware.

Or the victim is enticed into giving away login credentials, which can lead to data and even financial theft. Phishing isn’t just inconvenient. You should see how much time, expense and stress have to be invested in fixing the damage. Understand this: You want to avoid a phishing attack.


Oh, and phishing doesn’t always come in the form of an email either. But more on that later.


TO HELP YOU UNDERSTAND JUST HOW BIG PHISHING ATTACKS HAVE BECOME, HERE ARE SOME SCARY STATS…


WHAT DOES A PHISHING ATTACK LOOK LIKE?

A phishing email will drop into your inbox like any normal email. Often, it’ll look like it’s been sent from a legitimate sender, so you don’t suspect anything is wrong. This is dangerous when it’s pretending to be from a popular company, like Amazon or PayPal.

But in some cases, the attacker will have learnt information about you, such as the services you subscribe to, and the email becomes all the more believable – and riskier. At a glance, the email won’t look suspicious. Everything is as it’s supposed to be, so it’s likely you won’t question the contents, especially as it’s often an urgent request for you to act, which can be distracting in itself.


This urgent request will work in different ways: It can ask you to open an attached file, perhaps asking you to confirm details of a recent purchase.

By doing this, your device may become infected with malware. And if that device is connected to a network, it’s possible the malware could spread to other devices.

Another common approach is to ask you to click a link. This might take you to a fake page (known as a spoof web page) pretending to be a service you really use… and when you log in, you have handed your login details to the criminals.

But isn't a phishing attack always an email?

Sadly no. That would make things easier for those of us in defense. A phishing attack can take many different forms. These are some of the most common ones…


Pop-Up Phishing

The clue's in the name. This is phishing via a pop-up. It may say there's a problem with your device's security and ask you to click or download a file, or call a number to get it fixed.


Evil Twin Phishing

A fake Wi-Fi network is set up to look like the real deal. When you log in, the cyber criminal steals your data.


Angler Phishing

Social media posts which are created to encourage people to access an online account or click a link which downloads malware.


Vishing

Like a phishing attack, but done over the phone. Someone will call and pretend to be a person or company you know, or a representative of them. They'll ask you to take an action, such as giving them remote access to your device, or visiting a website.


Spoofing

A website that's created to look like the real thing, but isn't. Once you log in, you've given away your credentials. (Spoofing can be used alongside other forms of phishing attack too.)


Smishing

Like a phishing email, but over SMS straight to your phone.


Domain Spoofing

This is where you click a link that looks to be the genuine web address, except it's been faked. Again, once you act on that site, your details have been stolen or you've downloaded malware.


Oh, and there are different types of phishing emails to be wary of as well...



Spear Phishing

These are sent to specific people who have been researched to some degree, so that the information in the email is more relevant and therefore more believable.


Whaling

These phishing emails target people in executive positions within a business, who are likely to have greater access to sensitive areas of the network.


Clone Phishing

Copies an email you've already received and adds a message such as "resending this..." but includes a malware link for you to click on.


Man-in-the-Middle Attack

A cyber criminal jumps in the middle of an existing email thread and takes over the other side of a conversation. They already have your trust and can ask you to take a specific action.


Ok, you get the idea. Let's keep going.


Who's At Risk?

Sorry to say it, but everyone in your business and especially the boss (See whaling, above). It’s a real threat you need to take seriously. This isn’t something you can ignore as “it’ll never be targeted at us, we’re too small or obscure a business.” Cyber criminals use automated tools to target all businesses, all the time.


You don’t read about small businesses being affected, as those stories don’t end up in the news.




The more complex and nonsensical each password is, the better! (By using a password manager, you won't have to remember them anyway, which makes life a lot easier.)


Some of the biggest companies in the world have been fooled by phishing scams. Between 2013 and 2015, Facebook and Google were scammed out of $100 million when cyber criminals carried out an extended phishing campaign.

They took advantage of the fact that both companies used the same Taiwanese vendor, Quanta. They sent a series of invoices pretending to be from Quanta, and both Facebook and Google paid. When the scam was discovered, it was taken to the US courts. The attacker was arrested and extradited from Lithuania, and Facebook and Google recovered just under half of what was stolen.

In 2014, Sony Pictures became the victim of a phishing attack that wasn’t about money. The attackers were believed to have a connection to North Korea, and targeted Sony because of a movie it refused to withdraw that mocked Kim Jong Un.

The cyber criminals used fake emails to steal huge amounts of information from Sony’s network. That included email conversations about staff members, scripts, and employees’ personal information. They even gained access to Sony’s offices by tricking their way in. Then they impersonated IT staff and installed malware on Sony’s systems. The attack ended up costing Sony around $35 million in IT repairs.


How can we stay protected?

As with most types of cybercrime, protection against phishing starts with education. Everyone in your entire business should have regular cyber security awareness training. And we really do mean everyone. Because if someone is using any device, they need to be aware of the risks and the red flags to look out for.

This may relate to a phishing attempt, or it could relate to one of the other forms of cyber-attack or threats that businesses like yours face every day. When it comes to phishing attacks, there are a number of warning signs you and your team should be on the lookout for:

  • Misspelled words, websites, or email addresses

  • Oddly named attachments

  • Who the email is addressed to

  • Poor grammar and punctuation 

  • An unusual layout to the email

Do's

DO hover your cursor over the sender’s name in your emails, as well as any website addresses. This will show you the actual email address used, or the website you’re being directed to.

DO check all emails to make sure they’re genuine. Even if they’re from close friends or colleagues.

DO use a password manager to make sure passwords are long and randomly generated, making them virtually impossible to guess.

DO implement multi-factor authentication across applications (where you use a second device to prove it’s really you logging in).
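To make the warning signs and the "hover over it" advice above concrete, here is a small red-flag checker added for this guide. It is not code from the original article or from any product: it parses a raw email and reports what hovering over the sender's name and over each link would reveal, flags oddly named attachments, checks who the email is addressed to, and looks for urgent wording and generic greetings. The trusted-domain list, the recipient address and both sample messages are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains this organisation treats as genuine.
TRUSTED_DOMAINS = ("paypal.com", "amazon.com", "example-supplier.com")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd")
URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digits used as look-alike letters
DOMAINISH = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)   # link text that looks like an address

def registrable(host):
    """Naive registrable domain: the last two labels of a hostname."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def imitated_domain(host):
    """Trusted domain that `host` is pretending to be, or None if it is genuine or unrelated."""
    if registrable(host) in TRUSTED_DOMAINS:
        return None  # the real domain, or a real subdomain of it
    norm = host.lower().translate(CONFUSABLES).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:  # catches paypa1.com and paypal.com.account-verify.net alike
        if registrable(norm) == trusted or trusted.split(".")[0] in norm:
            return trusted
    return None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw, recipient="alice@example-supplier.com"):
    """Return the red flags found in a raw RFC 822 message, as readable strings."""
    msg, findings = message_from_string(raw), []
    display, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2]
    if imitated_domain(sender_host):  # what hovering over the sender's name reveals
        findings.append(f"sender {address} imitates {imitated_domain(sender_host)}")
    for trusted in TRUSTED_DOMAINS:  # brand named in the display name, address somewhere else
        brand = trusted.split(".")[0]
        if brand in display.lower() and registrable(sender_host) != trusted:
            findings.append(f'display name "{display}" claims {brand} but address is {address}')
    if recipient.lower() not in msg.get("To", "").lower():  # "who the email is addressed to"
        findings.append(f"not addressed to {recipient}: To={msg.get('To', '')!r}")
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name:  # oddly named attachments: executable or double extensions
            if name.lower().endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
                findings.append(f"suspicious attachment name {name}")
        elif part.get_content_type() in ("text/html", "text/plain"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:  # what hovering over the link reveals
        host = urlparse(href).hostname or ""
        if imitated_domain(host):
            findings.append(f"link to {host} imitates {imitated_domain(host)}")
        if DOMAINISH.fullmatch(shown):  # visible address differs from the real destination
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable(shown_host) != registrable(host):
                findings.append(f"link text shows {shown_host} but points to {host}")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    if any(word in text for word in URGENT_WORDS):
        findings.append("urgent language")
    if re.search(r"dear (customer|user|member)", text):
        findings.append("generic greeting")
    return findings

# Constructed sample messages, not real mail: one phishing attempt and one genuine note.
SAMPLE_EMAIL = """\
From: "PayPal Support" <security@paypa1.com>
To: undisclosed-recipients:;
Subject: URGENT: your account will be suspended
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Please
<a href="http://paypal.com.account-verify.net/login">https://www.paypal.com/login</a>
within 24 hours or your account will be suspended.</p></body></html>
--B1
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"

AAAA
--B1--
"""

BENIGN_EMAIL = """\
From: Bob <bob@example-supplier.com>
To: alice@example-supplier.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Hi Alice, still on for Friday? Details: https://wiki.example-supplier.com/lunch
"""
```

Running `analyse(SAMPLE_EMAIL)` lists the look-alike sender, the mismatch between the visible and the real link destination, the double-extension attachment, the missing recipient, the urgent wording and the generic greeting; `analyse(BENIGN_EMAIL)` returns an empty list. The brand-substring rule in `imitated_domain` is deliberately aggressive and will also flag legitimate third-party domains that happen to contain a brand name, so treat the output as a triage aid for the reader or the helpdesk, not as a verdict.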

Don'ts

DON’T log in to any of your accounts by following a link in an email. Go directly to the website that you always use and log in that way.

DON’T use the same passwords across different online accounts. Cyber criminals will often try your credentials on countless other sites once they’ve stolen them. Using different login details will keep your other accounts protected.



If you often deal with financial transactions over email, it’s a good idea to set up a dedicated email address that invoices should be sent to. If you don’t advertise the address, it’s far less likely that it will be targeted with phishing emails.
You could also implement codewords with clients or suppliers if an email is regarding payments. If the email doesn’t contain the codeword, you know not to process the transaction.

Don’t email these codewords out… phone your suppliers to tell them about the codeword scheme. Finally, make sure your policies accurately reflect your stance on financial transactions and the best way to handle them. For instance, you might decide that all transactions must be confirmed over the phone for security reasons.

As you can see, there’s a lot more to phishing than you thought. Attacks are evolving all the time, so it’s important to take them seriously and protect your business as best you can.

If you think you need expert support, or you’re worried that making these changes might cause disruption, just get in touch. We do this every day : )

