Have you heard of phishing? In this post, we’ll talk about what it is, how phishing attacks are carried out and the dangers to your business. We’ll give you some examples of phishing attacks and, most importantly, share how you can keep your business protected.
What is phishing?
Phishing is the act of fraudulently obtaining sensitive information (such as usernames, passwords or credit card information) or fraudulently instigating a financial transaction by impersonating a legitimate entity.
How are phishing attacks carried out?
While often thought of as an “online crime”, phishing attacks are carried out in a variety of ways – via emails, fake websites and even by phone call. Phishing attempts are often very convincing and will include elements of social engineering.
What are the dangers to an organisation?
The end game for a criminal attempting a phishing scam is, of course, money. Businesses can suffer financial losses due to misdirected payments, be held to ransom when their data is encrypted, and suffer damage to their reputation due to these data breaches.
Some examples of phishing attacks.
Some phishing attacks are very easy to spot, but more and more the emails and websites used are highly sophisticated. At first glance, they can appear to be very legitimate. A few examples of where organisations have fallen victim to a successful phishing attack:
“Imagine your payables administrator has a large payment to a regular vendor coming up – the criminals would know the exact details from the email communications between the two businesses. Just before the legitimate transfer is due to be processed, the criminals get in touch, under the guise of the legitimate vendor, and request an update to the banking info. With so much valid information, they’re often not questioned.”
How can you protect your organisation from falling victim to phishing attacks?
Education is the best defence against phishing attacks. Phishing is an ongoing threat, and the risk is even larger for staff working in the financial areas of your business. We’ve compiled some useful tips and listed them below.
Watch out for generic greetings – Many phishing campaigns are carried out in bulk, meaning the cybercriminals will use greetings similar to “Dear Sir/Madam” or “Dear Customer” rather than your name. If your name isn’t listed, be immediately suspicious. However, having your name listed is not a guarantee of legitimacy.
Examine the sender information – Carefully examine the sender information, particularly the email address. Sophisticated phishing attacks will make a subtle change to a legitimate email address in the hope that it won’t be noticed by the receiver. For example, it might be a little difficult to notice the discrepancy in an address like email@example.com (did you see the “sa” the first time?).
Examine links before clicking – If an email asks you to click on a link, make sure it’s pointing exactly where you expect. Hover over the link to view the actual destination. If it’s different to the link text, don’t click. You can always access the legitimate website by typing the usual address into your browser’s address bar and going from there. If there’s any doubt – don’t click.
Be wary of urgency – It’s in the criminals’ best interest to have you act as soon as possible. Often phishing emails will try to create a sense of urgency in the hopes that the receiver will react without taking the precautions we’re mentioning here. An email from your “bank” might inform you that your accounts will be seized if you don’t log in within the hour, for example.
Pick up the phone – Have procedures in place for when certain changes are requested. The staff member processing these changes can easily verify the legitimacy of a request by simply picking up the phone for confirmation. It’s one quick, simple way you can protect your organisation from becoming a victim.
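The sender and link checks described above can also be automated on the mail side. The following is an added example, not part of the original post: the vendor domain, the sample message and the 0.9 similarity threshold are constructed assumptions, and the message is assumed to have a single HTML body.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_VENDOR_DOMAINS = {"northwind-supplies.example"}  # assumption: your own vendor list

# Constructed message: sender domain gains an extra "sa"; first link text hides its real host.
SAMPLE = """From: Accounts <billing@northwind-sasupplies.example>
Subject: Updated banking details
Content-Type: text/html

<p>Pay via <a href="https://northwind-supplies.example.pay-update.test/login">https://portal.northwind-supplies.example/invoices</a>
or <a href="https://northwind-supplies.example/contact">contact us</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_email(raw):
    """Return findings for near-miss sender domains and misleading link text."""
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for good in KNOWN_VENDOR_DOMAINS:
        # Similar to a known domain but not identical: likely a lookalike.
        if sender != good and difflib.SequenceMatcher(None, sender, good).ratio() > 0.9:
            findings.append(("lookalike_sender", sender, good))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        actual = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != actual:
            findings.append(("link_mismatch", shown.group(1).lower(), actual))
    return findings
```

Calling `check_email(SAMPLE)` flags the near-miss sender domain and the first link, and leaves the plain “contact us” link alone because its text does not claim a destination.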
If you’d like to review any of these items, or discover other ways to protect your organisation from cyber threats, please get in touch by calling 087 551 7689 or emailing firstname.lastname@example.org