It’s thought that cyber-attacks on UK businesses rose by a staggering 243% this summer, which vividly illustrates the digital threat we all face during our daily working lives.
Phishing is one of the most common methods of cyber-attack, so let’s take look into what exactly it is, and how you can avoid becoming a victim.
What is phishing?
Phishing is a form of social engineering which is designed to make people do something for criminal gain.
These attacks typically arrive via email, but they can also be found in text messages (known as ‘smishing’) and within website pop-ups. They usually play the role of a known brand or organisation in order to elicit trust and convince the recipient that they’re in safe hands.
It’s cruel, measured, and often incredibly convincing. And this is why it’s called phishing.
Most attacks are just like regular fishing. Picture a fisherman who casts his net into the water. He’ll catch all sorts of fish by doing this. Some of the fish will be thrown back, and others are kept. (The fisherman knows, after all, that only a couple are needed to meet his needs.)
Then we have spear fishing, which is targeted and designed to obtain one specific fish at a time. In the digital realm, that could be a specific department, such as the finance team within an organisation. And don’t forget whaling, which aims to catch the biggest fish in the sea. As far phishing attacks of that kind are concerned, that could be the managing director, CEO, or finance manager – any of whom offer big gains for hackers.
How does phishing work?
Most of us have received a phishing attack of some kind. Usually, it’s contained within an email and will include a link which, once clicked, may:
- unleash a virus on your device or install a malicious piece of software that can, in turn, be used to capture passwords or credit card information;
- install key logging software on your computer which records the keys you press in an attempt to identify password entry;
- enable the cybercriminal to log into your email account so that they can see all incoming and outgoing email. This will also enable them to set up mail rules or send emails pretending to be you, resulting in invoice fraud or additional phishing emails; or
- trigger a ransomware attack where your data becomes inaccessible until you pay the criminal for its release.
Why do people carry out phishing attacks?
Like it or not, data is a form of currency in the digital age – it has significant value.
What’s more, data includes so much information that’s extremely attractive for cybercriminals; credit cards, bank details, passport copies, and client information are just some examples of what might be at risk if you’re targeted by phishing.
There are other reasons phishing attacks take place. For instance, you might be attacked because you work with or for someone who’s the real target. The cybercriminal may simply want to do as much damage to a big-name brand as possible or chance their arm at gaining money in ransom payments.
Sometimes, phishing is nothing more than a cruel prank to make people panic, or a way to flex one’s hacking muscles and demonstrate their prowess.
Whatever the reason for phishing, it’s a criminal offence and capable of causing a significant degree of stress and upset for those targeted.
How do you stop phishing attacks?
Unfortunately, phishing attacks will continue for as long as the methods for doing so exist. That means you’ll probably never stop them entirely from entering your inbox, but you can do a lot to avoid becoming victim.
Here’s some of the basics:
- investing in cyber awareness training for all staff (our training service only costs 7p per user, per day!);
- regularly reminding staff of what to look for in phishing emails and when not to click links;
- thinking about who or which department might be the biggest target (i.e. is it your CEO or finance team?);
- being increasingly vigilant around the time of events such as Black Friday, Christmas, and Valentine’s Day or when a famous brand goes into administration;
- always install software patches, operating system updates, and anti-virus software on all devices; and
- reporting any phishing attacks to ActionFraud. It takes less than five minutes and the police can take down a system in less than 14 minutes.
The Met Police also has a great video on phishing which is engaging and great for sharing in any business.
With 91% of all cyber-attacks starting with a phishing email or text, this isn’t a topic any business should overlook.
What’s more, phishing attacks are becoming increasingly sophisticated; gone are the days of poor English or clearly mocked-up logos. That makes them far harder to spot. Increased vigilance is essential.
Make sure you have adequate cyber insurance in place, and if you have any questions on how to become and remain safe from phishing attacks, just get in touch with our friendly team.