The Single Biggest Cyber Threat to Your Business

Information from the latest Cyber Security Breaches Survey shows 84% of attacks or breaches in the UK were phishing related*, meaning it is the single biggest cyber threat to businesses.

Phishing is a form of social engineering in which attackers send fraudulent messages to victims, in the hope that they trick them into giving up sensitive information or installing malware.

The attacker can then use this information for financial gain, identity theft or account takeover.

Email Phishing

The most common form of phishing is email phishing. Attackers can ‘spray’ mass emails with ease and at very little cost. 7.1 million suspicious emails and websites were reported to the NCSC in 2022 – equivalent to one every 5 seconds*. It is very likely that you have received a phishing email before. Whilst most people are aware of the threat of email phishing, the sheer number of attempts means that many will still fall victim to the deceit.

Phishing emails may look like exact copies of legitimate emails from companies or individuals that you trust implicitly. Their graphics, wording and headers could look exactly the same. The giveaway is typically in the email address – this is the most difficult identifier to spoof, because authentication mechanisms such as SPF, DKIM and DMARC let a receiving email provider such as Gmail verify that a message really was sent on behalf of the domain in its sender address.
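As an added illustration of why the sender address is the hard part to spoof (this is example code, not code from the original post or from CyberSafe): the script below reads the Authentication-Results header that a receiving mail server adds after checking SPF, DKIM and DMARC, and flags a message whose visible From domain failed DMARC, or whose domain is merely a look-alike of one you actually trust. The sample headers, domain names and function names are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header blocks (not real messages). The receiving mail
# server is assumed to add the Authentication-Results header (RFC 8601).
LEGIT = """\
From: Acme Billing <billing@acme.example>
Subject: Your invoice
Authentication-Results: mx.yourco.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example
"""
SPOOF = """\
From: Acme Billing <billing@acme.example>
Subject: URGENT: invoice overdue
Authentication-Results: mx.yourco.example; spf=fail smtp.mailfrom=bulk.example; dkim=none; dmarc=fail header.from=acme.example
"""
LOOKALIKE = """\
From: Acme Billing <billing@acme-secure.example>
Subject: URGENT: invoice overdue
Authentication-Results: mx.yourco.example; spf=pass smtp.mailfrom=acme-secure.example; dkim=pass header.d=acme-secure.example; dmarc=pass header.from=acme-secure.example
"""


def parse_auth_results(value):
    """Map spf/dkim/dmarc -> (result, domain the result applies to)."""
    results = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(?:\s+\S+?=(\S+))?", clause)
        if m:
            results[m.group(1)] = (m.group(2).lower(), (m.group(3) or "").lower())
    return results


def sender_check(raw_headers, trusted_domains):
    """Flag a message whose visible sender address is not backed by a DMARC
    pass, or whose address domain is not one you actually expect mail from."""
    msg = message_from_string(raw_headers)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    dmarc = auth.get("dmarc", ("none", ""))[0]
    reasons = []
    if dmarc != "pass":  # the From domain was not authenticated by the receiver
        reasons.append(f"dmarc={dmarc}")
    if from_domain not in trusted_domains:  # look-alike or unknown domain
        reasons.append(f"unexpected sender domain {from_domain!r}")
    return {"display_name": display_name, "from_domain": from_domain,
            "dmarc": dmarc, "suspicious": bool(reasons), "reasons": reasons}
```

Note that the look-alike case passes every authentication check, which is why the trusted-domain comparison is separate from the DMARC result: authentication proves the mail came from the domain shown, not that the domain is the one you meant.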

To avoid email phishing, be careful with emails that contain links or request private information from you. When you receive an email of this nature, verify the identity of the sender via another form of communication – preferably in person.

Smishing

“Smishing” is SMS phishing – phishing via SMS/text messages. You have probably received an SMS of this nature before, prompting you to click a link to deal with an urgent matter.

A common SMS phishing campaign in the UK is the courier scam. You receive a fraudulent text purporting to come from a delivery courier such as Royal Mail, claiming that you have unpaid fees on your delivery and prompting you to click a link to complete the payment. When huge numbers of these texts are sent, some recipients will genuinely be expecting a delivery, which lends the scam credibility. Confused, or not taking the time to think about it, they may follow the prompt and enter their bank details into the fraudulent website.

Never click on any links that you receive via text unless you were expecting them, and always check the sender’s number when handling sensitive information.

Vishing

Vishing, or voice phishing, refers to phishing via phone calls. The traditional form of vishing is impersonating employees of trusted organisations such as banks, then socially engineering victims into handing over their confidential details.

Recently, Artificial Intelligence (AI) has caused this threat to evolve. AI can now clone a real human voice with dangerous accuracy, and a threat actor can then produce any speech they want in that voice. The possibilities this opens up for fraudsters are vast, especially when paired with caller ID spoofing.

The cloning of a CEO’s voice has been seen in cyberattacks, with employees asked to transfer funds. In a different, shocking example, victims have been called by their “family members” asking for money in an emergency. The victims hear their family member’s voice, see their phone number, and truly believe they are in an emergency – for example, a hostage situation. The fraudster then requests money to be sent in order to resolve the emergency.

To mitigate this threat, agree a “password” with your family members that you can ask them for over the phone if you ever suspect a scam attempt.

Spear Phishing

Spear phishing is deliberate, targeted phishing aimed at a specific individual, organisation or group. Because the attempt can be personalised, the victim is more likely to fall for the scam. Spear phishing is typically conducted via email, as is most phishing, but can occur through any channel (smishing, vishing).

The phishing attempt will contain information that the attacker knows is relevant to the target, which increases the likelihood of engagement because the email looks familiar and trustworthy. Examples of information that might be included are names, job titles or work-related details such as projects or recent meetings. The attacker may even mention sensitive data that you would not expect them to know, giving their email further credibility.

Whaling

Whaling refers to a specific type of phishing campaign in which senior-level executives are targeted. Senior-level executives naturally have access to more sensitive data and hold higher privileges – this makes them the ideal victim for a phishing attack. A successful attack on someone at this level could yield far greater opportunity for monetary gain.

For those in these positions, it is more important than ever to remain vigilant, because of the higher risk and the potential cost of a successful attack.

Angler Phishing

In angler phishing, attackers impersonate reputable businesses on social media in order to perform a phishing attack. They contact unsuspecting customers of the company – often people looking for support – and lure them into clicking a phishing link. Attackers find these users by monitoring public discussions in which individuals seek assistance with the company’s products or services – for example, a customer requiring assistance might make a Facebook post voicing their complaint. The customer is then contacted by an attacker pretending to be a customer service representative for that company, and socially engineered into a phishing attack.

The typical target for this type of attack is someone who lacks technical ability, because a tech-savvy user who visits the profile will quickly realise the account is fake, and the scam will abruptly fail.

If you come across an account that you suspect is impersonating a brand or company for this purpose, ensure that you report them. Even if you know you wouldn’t fall for it, others might.

How to Protect Yourself Against Phishing

A common theme that you will find among all forms of phishing is the creation of urgency. Phishers don’t want to give you time to think about what you are doing; they want you to act without thought. They create a false sense of urgency in the hope that you will rush to act, entering details or downloading malware before you have considered it. To counteract this, you must slow down when acting on an email. Don’t do anything in a rush: take your time and properly read the email.

During this time, verify the email address – assuming you have security protocols in place to prevent spoofing. If in doubt, contact the sender via an alternative method of communication to verify the legitimacy of the email. Better safe than sorry.

You should also implement multi-factor authentication on your accounts, to prevent account takeover should you fall victim to a phishing scam.

The Best Protection

Security solutions that actively scan each email you receive will heavily reduce the risk of a cyberattack. CyberSafe’s Advanced Email Security is THE solution to prevent phishing – it unpacks each email before it reaches you, filtering out malicious content in seconds.
