We’ve all heard of phishing. It’s a real and present threat to businesses and individuals alike, but it’s not as easy to spot as you might have thought.

In this post, we’ll talk about what it is, how phishing attacks are carried out and the dangers posed to your organisation.

We’ll give you some examples of phishing attacks that have been successful and have cost businesses – in terms of finances and reputation – and, most importantly, we’ll share how you can keep your business protected from falling victim to an attack. 

What is phishing?

Phishing is the act of fraudulently obtaining sensitive information (such as usernames, passwords or credit card information) or fraudulently instigating a financial transaction by impersonating a legitimate entity. 

How are phishing attacks carried out?

While often thought of as an “online crime”, phishing attacks can be carried out in a variety of ways – via email, spoofed websites, by telephone or even in person. Phishing attempts are often very convincing and will include elements of social engineering.

What are the dangers to your organisation?

The end game for a criminal attempting a phishing scam is, of course, money. Businesses can suffer financial losses due to misdirected payments, be held to ransom when their data is encrypted, and suffer damage to their reputation due to these data breaches. 

Phishing attacks can result in financial loss and damage a business's reputation

4 examples of phishing scams

Some phishing attacks are very easy to spot, but increasingly the emails and websites used are highly sophisticated. At first (or even second) glance, they can appear to be legitimate.

Some examples of where organisations have fallen victim to a successful phishing attack: 

  • A company “director” emails one of their finance admin staff members requesting a large financial transaction be processed. The email looks legit, and in some cases could even have been sent from the director’s actual email address. Of course, the funds are actually directed to the criminal’s accounts. 

This could have been avoided by having a process in place whereby any transactions over a certain amount, or those being directed to a new account number for the first time, have to be authorised verbally over the phone, or in person. 

  • A “supplier” notifies a payables department of a change to banking information prior to a large scheduled transfer – again, redirecting funds to the criminal’s accounts. This one works because the criminals know exactly when a financial transaction is due to take place – they’ve been monitoring company emails for some time. The payables department have no reason to suspect anything and so make the change, feeling safe that they have the email as their back-up for the request.

Once again, a process whereby a phone call must be made to the supplier to double-check a request like this would have prevented this loss of funds. 

  • An organisation’s “bank” emails with a request to click on a link to log in immediately and fix some problem with the company account. In this example, the link brings the user to a fake page (one that looks practically identical to the original). If the user enters their details here, the criminals have the key to access their accounts, giving them the ability to initiate transfers. 

A company policy that clearly states that links in emails should never be clicked would have meant that the person handling this “issue” would have visited the account by typing the bank’s URL directly into their browser. Additionally, a policy whereby the bank must be contacted via phone whenever there’s any request from them to log in to fix an issue would have prevented this loss. 

  • A user in an organisation is enticed to click a link for some reason, which then downloads malware to the system. The criminal can then hijack the business’s data and hold the company to ransom (often referred to as ransomware). 

A company policy that forbids employees from clicking on any links in emails, a robust security protocol that scans all incoming email for suspicious links, and/or sophisticated anti-virus protection would all help in this case.

How can you protect your organisation from falling victim to phishing attacks?

As you can see from the examples we’ve shared above, technology can’t prevent all phishing attempts.

Education is your best defence against phishing attacks. 

We’ve compiled some useful tips and listed them below. We’ve also prepared this handy PDF you can download. Be sure to share them with your staff – the more educated everyone in your organisation is regarding this type of crime, the less likely it is that you’ll find your organisation falling victim. 

  • Watch out for generic greetings

Many phishing campaigns are carried out in bulk, meaning the cybercriminals will use greetings similar to “Dear Sir/Madam” or “Dear Customer” rather than your name. If your name isn’t listed, be immediately suspicious. However, having your name listed is not a guarantee of legitimacy.

  • Examine the sender information

Carefully examine the sender information, particularly the email address. Sophisticated phishing attacks will make a subtle change to a legitimate email address in the hopes it won’t be noticed by the receiver. For example, it might be a little difficult to notice the discrepancy in an address like info@bankofiireland.com (did you catch the double “i” the first time?).

  • Examine links before clicking

If an email asks you to click on a link, make sure it’s pointing exactly where you expect. Hover over the link to view the actual destination. If it’s different to the link text, don’t click. You can always access the legitimate website by typing the usual address into your browser’s address bar and going from there. If there’s any doubt – don’t click.

  • Be wary of urgency

It’s in the criminals’ best interest to have you act as soon as possible. Often phishing emails will try to create a sense of urgency in the hopes that the receiver will react without taking the precautions we’re mentioning here. An email from your “bank” might inform you that your accounts will be seized if you don’t log in within the hour, for example.

  • Pick up the phone

Have procedures in place for when certain changes are requested. The staff member processing these changes can easily verify the legitimacy of a request by simply picking up the phone for confirmation. It’s one quick, simple way you can protect your organisation from becoming a victim.
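Two of the tips above – examining the sender address for a subtle near-miss and comparing a link’s text with its real destination – can also be automated as a first-pass check on incoming mail. The following is an added example and not part of the original post; the trusted-domain list, the sample sender and the sample HTML are constructed for illustration, and the 0.85 similarity threshold is an assumption.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains this hypothetical organisation legitimately deals with.
TRUSTED_DOMAINS = {"bankofireland.com", "unitec.ie"}

# Constructed sample: a look-alike sender and a link whose text hides the real destination.
SAMPLE_FROM = "Bank of Ireland <alerts@bankofiireland.com>"
SAMPLE_HTML = ('<p>Dear Customer, log in within the hour at '
               '<a href="https://bankofireland.com.verify-account.example/login">'
               'https://www.bankofireland.com/login</a> or '
               '<a href="https://bankofireland.com/help">contact us</a>.</p>')

def classify_sender(address: str, threshold: float = 0.85) -> str:
    """'trusted', 'lookalike' (near-miss of a trusted domain, e.g. a doubled letter) or 'unknown'."""
    domain = parseaddr(address)[1].rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(SequenceMatcher(None, domain, good).ratio() >= threshold for good in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

def url_host(url: str) -> str:
    """Host of a URL or bare 'host/path' string, lower-cased, without a leading 'www.'."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html: str) -> list:
    """Links whose visible text reads as a URL but whose real destination is a different host."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for text, href in parser.links
            if "." in text and " " not in text and url_host(text) != url_host(href)]
```

On the sample above, `classify_sender(SAMPLE_FROM)` returns `"lookalike"` and `mismatched_links(SAMPLE_HTML)` flags the login link but not the plain-text “contact us” one; a flagged message is a prompt for the phone call the post recommends, not a verdict on its own.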

Download the PDF here: Phishing – What it is, and how to protect yourself

If you’d like to review any of these items, or discover other ways to protect your organisation from cyber threats, please get in touch by calling 0818 222 132, emailing info@unitec.ie, or by completing the form below.