Phishing - Don't take the bait

What is a phishing attack and how do they work?

Phishing is when criminals try to trick you into doing something they want, like clicking on a shady website link. They use text messages, social media, calls, or emails. Usually, a phishing email tricks you into doing something that seems normal, like opening an attachment or clicking a link. They rush you to avoid suspicion. Then, they ask for sensitive info like login details or bank info. The first site may seem safe but could lead to harmful links. Stay cautious to avoid falling into these traps.

Phishing attacks were the most common form of cyber-attack again this year yet the number of businesses with security controls and agreed processes in place for phishing emails has dropped since 2022, from 91% to 79%.

Thankfully, due to their increased frequency, there is more awareness of phishing scams and how to avoid them. 

What is SpearPhishing?

While most phishing is sent out to many people at once, SpearPhishing is highly focused on one person. It's tricky to detect because it seems very believable. It might include info about your friends, places you've been, or seem to come from a service you use.

A phishing email will aim to dupe the recipient into revealing sensitive information or unintentionally downloading malicious software.  By clicking on a link or opening a malicious attachment, personal or company information can be compromised such as login credentials (usernames and passwords) or financial information (bank card numbers).

How to stop phishing attacks

Everything you share online, whether on a website or social media, can be seen by anyone, including criminals who can exploit it. Stay safe by checking your privacy settings. Before you post, ask if it's personal info about you, friends, or family, and think about who can see it later.

Here are 5 steps that your business can take to avoid phishing emails:

1. Understand what a phishing email looks like

Cyber criminals are developing new methods all the time, including new ways for phishing emails to manipulate the recipient. As phishing emails have a similar end goal, they have shared common traits, which makes it simpler to implement cyber security protections compared to other potential threats. A smart way to protect against phishing emails is to monitor the latest methods being used to identify the risks they pose.

Computer users need to understand what phishing emails are, the threat they possess, and how to avoid falling victim to them. Regular security awareness training reduces the risk of a phishing attack being successful.

Spot the signs of phishing :

• Misspelled domain names and general grammatical errors (e.g. www.blukube.tec)
• Public email domains (e.g. @gmail or @hotmail) - If the email address and organisation website domain don't match        this could be a sign
• Grammatical and/ or spelling mistakes
• Suspicious attachments or links
• The email tone conveys threats or enticements to create a sense of urgency
• Non-personalised, generic greeting - Are you addressed using a generic term or do they refer to you personally?
• The contact details don’t match the registered company details
• Strange looking graphics and logos  - do they look legitimate or have they been created to look real
• Requesting credentials, personal details or payment info - A bank will never ask you to send them personal information in an email or text. Never follow these prompts or click any links even if they say you are at risk, call the organisation directly if in doubt. 

You can learn more about phishing attacks here.

2. Avoid clicking unknown links or opening attachments

The biggest way phishing emails dupe recipients is by convincing them to click a link or opening a suspicious attachment. Doing so may download malware, which could be any form of malicious software that could cause massive damage to your IT infrastructure. Even if an email is from a sender you recognise, don’t click the link straight away. Carry out the necessary checks first.

One way phishing emails have become more sophisticated is by using the recipient’s real name. A cyber security best practice is to hover over the link to see where it’s directing you and if you’re in doubt, go to the site you want to directly. Always remain vigilant and proceed with caution before clicking a link or opening an attachment that you receive in an email.

Sometimes, you may even receive a notification letting know your password or credentials have been hacked... DO NOT click this as it could in fact be a phishing attempt.

Instead:

1. Log into the account on another device and see if the account and information are intact and live.

2. Change your password and increase its complexity. 

3. Check haveibeenpwned. This website allows you to put your email in and it will tell you if that email has been involved in any type of security breach or data leak.

If you think you've clicked a suspicious link or fallen victim to a phishing scam, quickly report it to your IT security team or MSP so they can promptly look into this and minimise further exposure. MSPs can constantly monitor your credentials. 

3. Increase password complexity 

One way phishing emails target the recipient is by attempting to trick them into revealing confidential information such as usernames or passwords. Passwords should never be shared if requested by email to counter this tactic.

The NCSC is now advising the best practice regarding passwords is to increase password complexity. Using passphrases is now the most common and recommended method to follow when creating a password; this uses three random words joined by special characters. It may be useful to use a strong password generator to ensure the complexity of the passwords is sufficient. 

It’s also best practice to monitor who has access to systems that you use so that you can identify any unusual activity and quickly spot if a password has been leaked. Within organisations and also in personal life, the best way to manage this is by using a password manager tool to securely store and back up passwords whilst also controlling who may have access to them. 

Increasing password complexity adds an extra layer of cyber security protection against all forms of cyber-attacks, not only phishing emails.

4. Don’t give out personal information

It’s not only passwords that shouldn’t be shared over email, users shouldn’t give out any personal information.

A phishing email may provide a link that takes you to a shopping website. From there, you enter your card details and make a purchase. A confirmation page appears and everything seems ordinary. In reality, while appearing trustworthy and legitimate, the link directed you to a fake site created to steal card details.

This scenario can be avoided by not clicking the link, but you also shouldn’t share sensitive information (such as financial information) if requested by email. Always verify if a request is legitimate. For example, call the company you believe is asking for information to check if the phishing email is masquerading as a message from a trustworthy organisation. This is important for safeguarding any financial and personal information.

5. Implement cyber security features

Firewalls are a buffer between your IT infrastructure and malware. They act as the last line of defence against malicious actors causing harm to your computer systems. If a link is clicked or a file downloaded that contains malware, firewalls reduce the risk they pose. There are two types: desktop firewalls, which is software, and network firewalls, which is hardware. Both cyber security features complement each other to form effective protection against cyber-attacks.

Other cyber security features that protect against phishing scams include anti-virus software. This measure ensures viruses can’t carry out their intended purpose. Email protection software uses machine learning to develop an understanding of phishing emails so they can identify them and notify the recipient. They may block emails being received or apply a warning message to urge caution to the computer user. To assist this, individuals can easily flag phishing attempts within their email accounts. Within your business, it is important to reiterate this to staff and also ensure they are reporting this to management and/or security staff. 

What threat does phishing pose to businesses?

Over the years, phishing attacks have become more and more common. Typically, they’ve been targeted at individuals and smaller companies but in the last few years, there has been a significant rise in the number of hackers using phishing attack tactics, targeting organisations who do not view themselves as vulnerable to this type of cyber-attack.

Phishing presents a multifaceted threat to businesses, and understanding these diverse dangers is crucial. Firstly, financial loss is a major concern, with fraudulent emails tricking employees into transferring funds to cyber criminals. Data breaches are another peril, where sensitive company or customer information is stolen, potentially leading to legal repercussions.

Moreover, phishing can tarnish a business's reputation if customers' trust is eroded by breaches or scams. Operational disruptions, arising from malware-infected attachments or compromised accounts, can grind productivity to a halt. Spear phishing targets specific individuals, including executives, for corporate espionage. To combat these threats, comprehensive cyber security measures, employee training, and robust email filters are indispensable.

How can your business protect itself against phishing attacks?

Filter it

The best, and first, way to defend your organisation against a phishing attack is to ensure that your anti-virus, anti-spyware, and any anti-malware applications are maintained and up-to-date at all times, we offer a cyber security service where we monitor and eliminate potential cyber-attacks before they do any harm.

Ensure phishing alerts are activated on whichever email platform you and your business are using to ensure at a minimum, suspected attempts can be picked up. Sometimes this setting is switched off as it can affect storage or other administrative elements, so ensure it is on at all times. 

Continually train employees

Educating all employees, from the senior leadership team to the junior employees, is crucial. After all, it takes one human being to read the email and click on the link for the malware to be installed. Hackers are researching their targets and targeting them based on their findings, meaning targeted individuals are no longer limited to just those with high authority. 

A common issue within businesses is the lack of capacity and time for continual cyber security training. After initial induction training, refresher courses are often missed or undelivered as individuals become busy with other work. Understandably, this is problematic in justifying the effectiveness of training to upper management in terms of cost, time and resources. However, prioritising 

Monitor it

Implement monitoring systems that can highlight any suspect activity; this could include potential ex-filtration of data to remote hosts, privileged user access or suspicious connections. By doing so you’ll increase the chances of stopping the attack before it.

Mock phishing exercises 

Mock phishing exercises are an indispensable element of modern cyber security strategies. These simulated phishing attacks replicate real-world threats, serving as a potent training tool. Firstly, they offer critical insights into employee readiness, highlighting areas for improvement. Secondly, they raise awareness about the perils of phishing, fostering a culture of vigilance among staff. Additionally, these drills refine incident response plans and security protocols. In a constantly evolving cyber threat landscape, mock phishing exercises fortify a company's defences, mitigating risks, safeguarding sensitive data, and preserving trust and reputation.

Bluecube cyber security protections

Unfortunately, phishing works; that’s why it's such a popular form of cyber-attacking.

Phishing emails pose a big risk to many computer users and organisations, of all sizes. They allow cyber criminals to steal money, access sensitive data, and damage IT systems. Cyber security protection against phishing emails doesn’t have to be complicated, at Bluecube, our expert team helps you to install protections that safeguard against phishing scams. We offer a range of services that can help defend your systems from this threat and many others, as we have software which will indicate if a "communication" is potentially phishing.

Learn how to protect against phishing scams, get in touch with Bluecube by giving our team a call at 0845 257 8010, dropping us an email (enquiries@bluecube.tech) or fill in our online contact form, and we’ll be in touch.