Category: CISO life, Phishing

Phishing: Big phish, little phish


Landing just one phish can be disastrous.

How many times have you heard that it only takes one phishing email to cause damage?

That’s because it really does only take one.

One email to an employee. One click on a link. One fake website. One password entered.

One very happy criminal.


What is a ‘typical’ phish?

The short answer is that there is no such thing as ‘typical’ when it comes to phishing.

Phishing attempts come in all shapes and sizes – from one-liners with terrible grammar to high-quality imitations of genuine messages.

Attacks can come via emails, texts, phone calls, websites or social media messages.

In 2019:

  • 84% of organisations faced smishing attacks

  • 83% experienced vishing attacks

The only ‘typical’ thing that every phishing attack has in common is an underlying request for action. The action could be to click a link, open an attachment, make a payment or send information. And there are endless possibilities for a criminal to disguise this request.


Seeing is believing

Criminals are devious. They often mimic genuine requests and expected messages in the hope their scam will go undetected.

The festive period is a wonderful time of year for criminals looking to intercept purchases, exploit our goodwill and steal our money or identities.

‘Great deal’ emails are much more prevalent at Christmas – and busy shoppers are tempted to click on offers from trusted companies. And while we’re feeling flustered by all the festivities, will we spot the fake Amazon emails among the real ones?

  • In Q4 2019, 52.61% of all phishing attacks targeted users’ financial data, including online shopping and banking.

Criminals will even take advantage of world events, such as a company going into administration or the spread of coronavirus, so you’re less suspicious when an email arrives.

When Thomas Cook ceased trading, those affected wanted to know if their holidays would be refunded or if they would make it home. Criminals took advantage of the situation to launch vishing attacks and scam emails to target affected customers desperate for genuine information.


Confirmation is key

One of the best defences you can put in place is the need for confirmation.

Teach your employees to contact the sender (via known details – not by replying to the email) before they do anything.

  • If IT calls asking for remote access to their device…
    …make sure employees call IT on a listed number and speak to them directly.

  • If LinkedIn tells them they have a connection request…
    …make sure employees type the LinkedIn URL into their browser and log in from there to confirm the request – 55% of phishing emails that mention LinkedIn in the subject were successful.

  • If the CEO wants them to send some information…
    …make sure employees call the CEO to confirm the request is genuine.

  • If a supplier asks for their payment details to be changed…
    …make sure employees call the supplier on a known number to confirm the request.

Make it culturally acceptable for any employee to query requests, regardless of who they come from.

If a quick call could save your organisation from a data breach or stop a fraudulent transfer of funds, surely it’s worth the extra minute?


Conclusion

Whatever a criminal’s ultimate goal, everybody needs to know how to recognise and deal with phishing attempts at work and home.

Give your employees the support they need to protect themselves and your organisation by having procedures in place for reporting suspicious emails and confirming requests.

Everyone always says ‘think before you click’.

How about adding ‘ask before you act’?


Download our free ‘Your guide to Phishing’ eBook to learn what phishing is, how to spot it, and what to do about it.
