We all instinctively believe we know what to look out for when it comes to online crime – we all think we know when something looks a bit ‘fishy.’  But how many business owners are really clued-up on the vast array of techniques cybercriminals use to gain access to sensitive information, con and extort businesses and individuals out of their hard-earned cash?  In this series, we’ll look at a few of the methods used by these unscrupulous individuals and the damage that can result if you don’t take the necessary precautions.

What is Phishing?

‘Phishing’ is actually quite a broad term used to denote acts of deception and trickery designed to fool individuals into voluntarily divulging sensitive information.  It typically involves scammers assuming a false identity, which they then use to acquire various forms of sensitive information from targets, such as bank details and account logins.

Phishing scams can be perpetrated through various channels, such as website links, emails, text messages and phone calls, however, it is most commonly associated with Email.

The aim of the scammer is quite simple; to dupe the recipient into thinking that the Email comes from a trustworthy source so that they then comply with its contents and surrender vital information – sometimes scams also use malware embedded in attachments to infect the computers of targets and harvest information more stealthily.  Scammers use a variety of identities, but typically they opt for important figures in a target’s life (such as their boss) or an institution that the target is likely to pay attention to (such as their bank).

Phishing Techniques

While most scammers have broadly similar aims – often monetary reward – the techniques used to dupe and deceive vary widely.  Some of these are listed below.

• Deceptive Phishing. This extremely common form of Phishing is one we have all come across at one time or another.  These attacks involve imitating well-known, familiar companies that are typically viewed as legitimate and trustworthy by most individuals.  They often use a sense of urgency or an ‘act now or something bad will happen’ message to compel individuals to divulge details, particularly account credentials!  Often these attacks are performed with no background knowledge of the target, so you might receive an email from a bank saying ‘your account has been breached, act now’ despite the fact that you don’t have an account with that particular institution.
• Spear Phishing. Similar to ‘Deceptive Phishing’ but with one key difference; in Spear Phishing attacks the scammers have done their homework on you or your business.  These attacks are often more successful as scammers use personal, but publicly available information about individuals or businesses usually gathered from company websites and social media accounts.  By assuming the identity of a business or individual closely connected with the target, Spear Phishing attacks are more attention-grabbing than other phishing scams and result in a higher chance of the target engaging with the rogue email.
• CEO Fraud. This is similar to ‘spear phishing’ in the sense that it’s is targeted and involves background research.  ‘CEO fraud’ involves scammers masquerading as senior executives within companies.. They use this identity to coerce other employees into performing transactions that usually wouldn’t be allowed – this works because employees often don’t like to challenge senior personnel and will oblige requests without question.
• Cloning. This process involves deception by imitation.  Scammers will try to replicate a previously sent email from a genuine source such as a bank or online shopping account.  The appearance of this new email will be close to that of the original, but beware, as links and attachments will often contain malware.
• Pharming. This type of Phishing involves directing targets towards malicious sites which are then used to ‘farm’ sensitive data and commit fraud.  This is done either using viruses installed on a user’s computer designed to steer web traffic towards the corrupt site or by using ‘DNS cache poisoning’ so that web users end up on the malicious site by accident and often without realising it.

Staying Secure – Simple steps to guard against Phishing attacks

At this point you might be thinking; ‘geez, there’s more to phishing than I thought.’  But don’t fear, by taking the following simple precautions you can prevent yourself or your employees from falling victim to Phishing scammers.

• Check URLs. Verify the URL contained in a link before clicking on it.  Scammers try to closely replicate popular, legitimate sites however URLs are unique so this is something that will often give the game away. Similarly, if you are redirected, compare the web address of the site you’ve arrived at with what you know to be the web address of the genuine site before you disclose any sensitive information.
• Don’t reply to suspicious emails. Say you receive an email from someone who appears (on the surface) to be your boss…but a few things don’t add up. The email is badly written, they’re using words they wouldn’t normally use and they’ve included an unusual request.  In such a situation ignore the email and instead make contact with the individual it appears to be from using contact details you already hold for them.
• Be mindful of the information you make public. Use privacy settings on social media accounts to keep personal information away from prying eyes.  Even if you think you would never fall victim to targeted phishing, scammers might use the information on your social media to perform attacks against others in your circle.
• Use anti-phishing software. Widely available and affordable,  these software programmes activate pop-up warnings when users try to access malicious links and websites.

When it comes to Phishing, inaction is often the best form of defence.  If something doesn’t look legitimate in any way, don’t interact!