Have you heard of phishing? In this post, we’ll talk about what it is, how phishing attacks are carried out and the dangers to your business. We’ll give you some examples of phishing attacks and, most importantly, share how you can keep your business protected.
What is phishing?
Phishing is the act of fraudulently obtaining sensitive information (such as usernames, passwords or credit card information) or fraudulently instigating a financial transaction by impersonating a legitimate entity.
How are phishing attacks carried out?
While often thought of as an “online crime”, phishing attacks are carried out in a variety of ways – via emails, fake websites and even by phone call. Phishing attempts are often very convincing and will include elements of social engineering.
What are the dangers to an organisation?
The end game for a criminal attempting a phishing scam is, of course, money. Businesses can suffer financial losses due to misdirected payments, be held to ransom when their data is encrypted, and suffer damage to their reputation due to these data breaches.
Some examples of phishing attacks.
Some phishing attacks are very easy to spot, but more and more the emails and websites used are highly sophisticated. At first glance, they can appear to be very legitimate.
A few examples of where organisations have fallen victim to a successful phishing attack:
- A company “director” emails a company admin person requesting a large financial transaction be processed. Of course, these funds are actually being directed to the criminal’s accounts.
- A “supplier” notifies a payables department of a change to banking information prior to a large scheduled transfer – again, redirecting funds to the criminal’s accounts.
- An organisation’s “bank” emails with a request to click on a link and log in immediately to fix some problem with an account. In this example, the link brings the user to a fake page (one that looks almost identical to the original). If the user enters their details here, the criminals have the key to their accounts and can initiate transfers.
- A user in an organisation is enticed to click a link for some reason, which then downloads malware to the system. The criminal can then hijack the business’s data and hold the company to ransom (often referred to as ransomware).
As we’ve already said, cybercriminals can be quite sophisticated – in some cases, they can monitor company emails for weeks, and so are able to strike at the perfect moment.
Imagine your payables administrator has a large payment to a regular vendor coming up – the criminals would know the exact details from the email communications between the two businesses. Just before the legitimate transfer is due to be processed, the criminals get in touch, under the guise of the legitimate vendor, and request an update to the banking info. With so much valid information, they’re often not questioned.
How can you protect your organisation from falling victim to phishing attacks?
Education is the best defence against phishing attacks.
Phishing is an ongoing threat, and the risk is even larger for staff working in the financial areas of your business.
We’ve compiled some useful tips and listed them below. We’ve also prepared this handy PDF you can download. Be sure to share them with your staff – the more educated everyone in your organisation is regarding this type of crime, the less likely it is that you’ll find your organisation falling victim.
- Watch out for generic greetings
Many phishing campaigns are carried out in bulk, meaning the cybercriminals will use greetings similar to “Dear Sir/Madam” or “Dear Customer” rather than your name. If your name isn’t listed, be immediately suspicious. However, having your name listed is not a guarantee of legitimacy.
- Examine the sender information
Carefully examine the sender information, particularly the email address. Sophisticated phishing attacks will make a subtle change to a legitimate email address in the hopes it won’t be noticed by the receiver. For example, it might be a little difficult to notice the discrepancy in an address like email@example.com (did you see the double “i” the first time?).
- Examine links before clicking
If an email asks you to click on a link, make sure it’s pointing exactly where you expect. Hover over the link to view the actual destination. If it’s different to the link text, don’t click. You can always access the legitimate website by typing the usual address into your browser’s address bar and going from there. If there’s any doubt – don’t click.
- Be wary of urgency
It’s in the criminals’ best interest to have you act as soon as possible. Often phishing emails will try to create a sense of urgency in the hopes that the receiver will react without taking the precautions we’re mentioning here. An email from your “bank” might inform you that your accounts will be seized if you don’t log in within the hour, for example.
- Pick up the phone
Have procedures in place for when certain changes are requested. The staff member processing these changes can easily verify the legitimacy of a request by simply picking up the phone for confirmation. It’s one quick, simple way you can protect your organisation from becoming a victim.
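The “examine the sender information” and “examine links before clicking” tips above can be automated as a first-pass check on inbound mail. This is an added example, not code from the original post: the trusted domains, the sample sender and the sample message are constructed, and the edit-distance threshold of 2 is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed: domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example-bank.com", "acme-supplier.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a doubled, dropped or swapped letter scores 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(sender: str):
    """Return the trusted domain the sender's domain imitates, or None when the
    domain is exactly trusted or not close to anything trusted (threshold assumed)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None

_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def mismatched_links(html: str):
    """(visible text, real href) for every link whose text shows one host but
    whose href leads elsewhere: the 'hover before you click' test, automated."""
    bad = []
    for href, text in _ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()   # strip nested tags
        if not _LOOKS_LIKE_URL.fullmatch(text):        # plain words can't mismatch
            continue
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            bad.append((text, href))
    return bad

# Constructed sample message exercising both checks.
SAMPLE_SENDER = "payments@acme-suppliier.com"      # doubled 'i'
SAMPLE_HTML = ('<p>Please <a href="https://acme-supplier-secure.example/login">'
               'https://acme-supplier.com/login</a> to confirm.</p>')
```

Running both functions over SAMPLE_SENDER and SAMPLE_HTML flags the sender as imitating acme-supplier.com and reports the one link whose destination differs from its text.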
Download the PDF here: Phishing – What it is, and how to protect yourself