Cyber criminals are constantly on the lookout for sensitive data. It can be data pertaining to the business itself, or customer data including personal, financial or health information. As technology advances, so do the techniques hackers use to get access to confidential information. One of the most common is phishing.
What is Phishing?
A phishing scam is a fake message, usually sent by email. It aims to trick the target into disclosing personal or financial information. The sender impersonates an individual or company you know or trust, then asks you to click a link, download an attachment, fill out a form or simply hand over your information. The messages are designed to look real, with the same company logos, similar email addresses and links to authentic-looking websites. Besides email, phishing messages are also sent via text messages and social media platforms. With the help of phishing scams, hackers intend to steal confidential information such as credit card details, online banking logins, business logins, passwords and other personal data. It can affect anyone, from an individual internet user to an employee of a company.
This trend has also increased since the spread of Coronavirus, with criminals using emails, text messages and websites that impersonate official Australian and international organisations such as the Health Department or the World Health Organization. They claim to give official information about the pandemic, but actually intend to get your information.
How to Detect a Phishing Scam?
Even though phishing messages are often carefully designed and hard to detect, there are still some signs which can help you identify them.
- If the email is from an individual you know, check their email address to confirm whether the message came from the same address or a different one
- Always check the domain name of the email address, for instance @knowncompany.com.au. If the domain is the same as the company's or brand's real website domain, the email is probably genuine. If the domain of the email address is slightly different, it is a sign of a scam. Criminals often use domain names that are similar to the original website domain, but not identical.
- If a message is asking you to open an unknown attachment, link or picture, check it for authenticity before opening it. You can do this in a number of ways:
  - Hover your cursor over the link name or attachment to see where it redirects you – if the link looks suspicious to you, don't click it
  - Call the organisation or individual using contact details from a reliable source, not the ones mentioned in the message, and ask them to verify the contents of the email
- Don't respond if an email has poor grammar or spelling errors
- A message from a financial institution or your bank, asking you to disclose your credit card or online account password details is highly suspicious, as banks never ask for confidential information through emails.
- Messages that claim to be from a government department or an established business but are sent from generic email addresses such as Gmail or Hotmail indicate malicious intent
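The sender-domain and hover-the-link checks above, as an added example that is not part of the original post: a small Python triage script that flags look-alike domains, trusted domains buried inside a stranger's domain, organisation names paired with free-mail addresses, and links whose visible text names a host the href does not go to. knowncompany.com.au is the page's own placeholder; health.gov.au, the free-mail list and the sample messages are constructed for this example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists for this example: domains the business expects mail from,
# and free-mail providers an official organisation would not use.
KNOWN_DOMAINS = {"knowncompany.com.au", "health.gov.au"}
FREE_MAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
BRAND_WORDS = {p for d in KNOWN_DOMAINS for p in d.split(".") if len(p) > 3}
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'[\w.-]+\.[a-z]{2,}', re.I)


def levenshtein(a, b):
    """Edit distance; a trusted domain one or two characters off is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Warnings for a From: header: look-alike, embedded or free-mail domains."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in KNOWN_DOMAINS or any(domain.endswith("." + d) for d in KNOWN_DOMAINS):
        return []  # the real domain, or a genuine subdomain of it
    warnings = []
    for known in KNOWN_DOMAINS:
        if levenshtein(domain, known) <= 2:  # e.g. knowncornpany.com.au
            warnings.append(f"look-alike domain {domain} resembles {known}")
        elif known in domain:  # e.g. knowncompany.com.au.example.net
            warnings.append(f"{domain} embeds the trusted domain {known}")
    if domain in FREE_MAIL and any(w in name.lower() for w in BRAND_WORDS):
        warnings.append(f"'{name}' claims an organisation but sends from {domain}")
    return warnings


def check_links(html_body):
    """Warnings for anchors whose visible text names a host the href does not go to."""
    warnings = []
    for href, text in LINK_RE.findall(html_body):
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown:
            s = shown.group(0).lower()
            if target != s and not target.endswith("." + s):
                warnings.append(f"link shows {s} but goes to {target}")
    return warnings
```

Run both functions over each inbound message and treat any non-empty result as a reason to verify through another channel before clicking anything.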
Phishing vs Spear Phishing
Spear phishing is a variant of phishing where the hacker targets a specific victim for malicious reasons. Whereas phishing attacks are random and can be aimed at anyone in general, spear phishing attacks are planned to target a known victim directly. This is done by gathering their personal details, such as employer, hometown, friends and frequently-visited locations. The criminals then use this information to their advantage and create legitimate-looking messages to trap the victim. Because of their personalised nature, spear phishing emails are more likely to succeed than generic phishing messages. In fact, according to a report, spear phishing is the most successful way of accessing private information online, and accounts for 91 percent of attacks on the internet.
How Do Spear Phishing Emails Work?
Spear phishing emails are not easy to detect without prior knowledge of spear phishing protection. The victims of these attacks commonly disclose too much personal information on the internet, which is easily found on social networking sites. Attackers can then identify that person's email address, friends, geographical location and other important details, and send a convincing fraudulent message in line with the victim's profile.
To ensure the success of spear phishing emails, the messages usually convey urgency about why they require sensitive information. When the victim opens a malicious link, it directs them to a spoofed website which asks for passwords, PINs, account numbers or access codes. Once the attackers gather the information, they can access the victim's bank account or even create a fake identity in their name.
Business Email Compromise (BEC)
Australian businesses are losing significant amounts of money through BEC. BEC was one of the top cybercrime categories, making up nearly 7% of the cybercrime reports received in the 2020–21 financial year. While there was a slight decrease in BEC reports compared with the previous financial year, self-reported financial losses increased – total losses were approximately $81.45 million (AUD) for the 2020–21 financial year, an increase of nearly 15% from the previous financial year. The average loss per successful BEC transaction also increased, by 54% – in one case, BEC led to bankruptcy.
How to Avoid a Spear Phishing Attack?
Whether as an individual or an employee, you should never respond to any unknown messages that request personal information or ask you to click suspicious links. This can lead to a serious personal or business email compromise. Here are some precautions businesses must teach their employees to prevent them from falling victim to spear phishing attacks:
- Examine the personal information that you have posted on the internet. Do not post too many details about yourself. Do not put anything you would not want a potential scammer to see. Limit your privacy settings.
- Don't use the same password for all accounts. That way, if a hacker uncovers the password to one of your accounts, they cannot access the others. Follow best practices for keeping strong passwords.
- Update your software frequently as software updates provide vulnerability patches to help protect you against common attacks. Enable automatic updates where possible.
- Never open a link in an email right away. Always confirm the legitimacy of the email first, and examine the link by hovering your mouse over it before opening it.
- If you get a message from a “friend” asking you for sensitive information, verify it from them through another channel.
- Practice safe online behavior by following best practices for email and internet browsing.
- Keep yourself informed of the latest threats and trending scams
- Most importantly, implement a data security solution at your organisation to conform to best practices and protect against phishing threats
KMT's here to help!
How safe is your organisation in today’s cyber-centric landscape? We can help you understand your IT environment, how prepared your team is if faced with a phishing scam, and uncover your overall network and security risks. With this clear view of your risk profile, you can take the steps needed to strengthen your cyber security.
Get in touch for a Cyber Security Risk Assessment and learn your business’s cyber strengths and weaknesses.