Cybercrime is big business, and phishing attacks are one of the main routes into an organisation. You might have heard of them but are not quite clear what they are and how they work, so here’s our simple definition:
A phishing scam happens when a cybercriminal pretends to be someone else to gain information. Commonly they do this by sending fake emails designed to look like they’re from a trusted source within your company, such as the CEO or head of accounts. The aim is to make the victim feel a sense of fear, curiosity or urgency so they quickly open a dodgy attachment or send important details like bank/credit card details, user names or passwords.
They rely on the fact that most staff are eager to please their superiors and won’t question them, so they freely give out sensitive information they would normally hang on to.
Cybercriminals are very skilled at what they do and can create emails that look so much like the real thing that even the savviest staff member can easily be caught out at the end of a busy day.
For that very reason, phishing scams are often deployed towards 5pm or last thing on a Friday when people just want to get home and take their eyes off the ball. And in a further chilling development, hackers have been accessing bosses’ email accounts, and waiting for them to go on trips abroad before striking.
With spear phishing, hackers know exactly who they’re looking for and will focus all their efforts on these unsuspecting victims. Because this isn’t a blanket approach, the hackers have to be more creative and thoughtful in their hunt. It’s common for them to use carefully chosen phrases and tailor their language to suit each individual person or group. In a lot of cases spear phishing attacks are so convincing that they’re able to completely fool the target into parting with all sorts of information, blissfully unaware that they’ve been caught out.
Hackers play a long game
“What makes this scam both clever and worrying, is that the hackers play a long game,” said local IT security expert Wayne Stanley of Iron Dome. “Hackers get into the boss’s email account. In the past they would have done instant damage and immediately got out. But now they sit and read emails, and over a period of months look for ways to steal cash.” Sometimes that’s by intercepting bank account or card details shared on email. But the most cunning hackers wait till the boss is away on a foreign trip before striking.
“They send an email to staff asking for urgent access to a critical system, or for an urgent bank payment to be made,” Wayne Stanley said. “It looks like it’s come from the boss, but it’s actually from the hacker. They will drop in a few facts that the staff know are true, such as where the boss is holidaying and what the weather is like.”
Wayne added: “Many staff are completely fooled, so go ahead and set the payment up. It can be days before anyone knows there has been a security breach, and by then it’s usually too late to stop it.”
Some interesting stats!
- The average cost of a phishing attack for a mid-sized company is £1.22 million.
- Phishing attempts rose by 65% between 2017 and 2018. They’re not specific to any particular industry, and businesses of all sizes have been attacked.
- 30% of phishing messages are opened by targeted users, with 12% of those users going on to click the links or attachments.
- Nearly 1.5 new phishing sites are created every month.
Wide Net Attack!
A recent Gmail phishing scam targeted nearly a billion users across the globe. It was fiendishly simple but tricked a lot of people. Here’s how it worked. Victims received a text message asking if they’d requested a new password for their Gmail accounts. Of course, the vast majority had not. Confused targets were then prompted to text back “STOP” to confirm the request had nothing to do with them. They were then sent another text urging them to send their 6-digit numerical access code to prevent their accounts being compromised. Of course, the opposite was really happening. Instead of protecting their Gmail accounts, they were giving the hackers the ability to reset their passwords, and so access to all their emails. This type of phishing scam is known as a “wide net attack”. Trawlers cast wide nets to catch a huge amount of fish and seafood that won’t all be good enough to sell, and this method uses the same principle. You can’t expect 100% success, but plenty will fall for it. And in this case, even a relatively small catch can reap impressive rewards.
Iron Dome top tips:
Stay informed: Education is everything, and that goes for you and your staff members. New scams are being developed every day, so it pays to sign up to regular updates and guides that will keep you in the loop. Cyber Security training for all IT users is also highly recommended so you can be confident that everyone knows what to look out for.
Think ahead: Develop a robust IT security policy that includes everything from Bring Your Own Device to password management and backups. Make sure all sensitive company information is encrypted and that all mobile devices – including those that belong to staff members – have to pass security protocols before they can access your network.
Keep it private: Never share personal information over the internet unless you’re 100% certain you can trust who you’re talking to and you’re sure your data is encrypted. If a company ever asks you to impart sensitive information, check with them at source first by visiting their main website and calling the customer services team.
Be suspicious: OK, so it’s a bit miserable going through life being cynical, but there are some situations where it pays to expect the worst. If an email doesn’t look quite right, it probably isn’t. If you’re not sure, just hover over the link before clicking on it to see where it leads. If you don’t recognise the website address or it’s full of funny looking symbols, avoid it like the plague. A lot of phishing emails start with “dear customer”, so be particularly wary of any that don’t address you by name. And if there are lots of grammatical errors and language that sounds very old fashioned, it’s almost always going to be from a scammer.
Get protection: Install anti-virus protection, SPAM filters, web filters and anti-phishing toolbars, and make sure they’re always kept up to date. Failure to install the latest patches and updates leaves organisations wide open to threats. Monitor the anti-virus status of all equipment, particularly mobile devices that are used outside of the working environment.
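The “hover over the link” and “dear customer” checks in the tips above can be automated. The script below is an added example, not Iron Dome’s code or any product of theirs: it pulls the links out of an HTML email body, compares where each link says it goes with where it really goes, flags raw IP addresses, punycode (the “funny looking symbols”) and the `user@host` trick, and notes a generic greeting. The trusted-domain list, the sample emails and the domain names in them are all constructed for the demonstration.

```python
"""Heuristic phishing-indicator check for an e-mail body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed: domains this hypothetical organisation recognises as its own.
TRUSTED_DOMAINS = {"example-bank.co.uk"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
# Visible link text that itself looks like a web address (so it can be compared with the real target).
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags, i.e. what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare domains without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the warnings a careful 'hover over the link' check would raise."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if "@" in parsed.netloc:  # everything before '@' is ignored by the browser
        warnings.append(f"'{href}': '@' in address hides the real destination")
    if is_ip(host):
        warnings.append(f"'{href}': points at a raw IP address")
    if "xn--" in host:  # punycode label: lookalike characters likely
        warnings.append(f"'{href}': punycode in address, lookalike characters likely")
    if text and URL_LIKE.match(text) and host_of(text) != host:
        warnings.append(f"link text says '{host_of(text)}' but goes to '{host}'")
    if host and not is_trusted(host):
        warnings.append(f"'{href}': unrecognised address '{host}'")
    return warnings


def check_email(html):
    """Run the greeting and link checks over an e-mail body; list the indicators found."""
    indicators = []
    extractor = LinkExtractor()
    extractor.feed(html)
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    if any(g in plain for g in GENERIC_GREETINGS):
        indicators.append("generic greeting rather than your name")
    for href, text in extractor.links:
        indicators.extend(check_link(href, text))
    return indicators


# Constructed sample of the kind of message the tips describe.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your account will be suspended unless you confirm your details within 24 hours.</p>
<p><a href="https://example-bank.co.uk.login-verify.example/auth">www.example-bank.co.uk</a></p>
<p><a href="http://192.0.2.10/update">Update now</a></p>
"""

# Constructed legitimate message for comparison.
LEGIT_EMAIL = """
<p>Dear Ms Smith,</p>
<p>Your statement is ready: <a href="https://online.example-bank.co.uk/statements">View statement</a></p>
"""

if __name__ == "__main__":
    for name, body in (("suspicious", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        found = check_email(body)
        print(f"{name}: {len(found)} indicator(s)")
        for item in found:
            print("  -", item)
```

Run as-is, the suspicious sample produces five indicators (generic greeting, link text pointing at one site while the real target is another, an unrecognised address, a raw IP address, and a second unrecognised address) and the legitimate one produces none. The trusted-domain list is the part to replace with your own domains; a mismatch between what a link displays and where it goes is the single strongest signal here, because that is exactly what hovering is meant to reveal.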
The best way to keep the phishermen away?
Put your IT security in the hands of trusted professionals. You’re already working hard, so you could probably do without the hassle of having to keep your entire computer system shipshape and safe from cyber attackers. Working in partnership with reputable IT experts who can prove they’re worth their salt will help you sleep better at night and send the hackers further upstream in search of a better catch.
Iron Dome have put together a series of security measures designed to help local businesses prevent this kind of fraud. They’re making details of the scam public, to try to help more owners and MDs be aware. To find out how Iron Dome can help your business stay safe from cyber-criminals visit www.irondome.co.uk or telephone: +44 (0) 203 358 0203.