Phishing emails are one of the top causes of security breaches of business and personal data. These attacks range from highly impersonal to highly targeted and can arrive online, via text or even in person. This article answers the frequently asked questions about phishing and explains how you can try to avoid becoming a victim of cybercrime, because it is no longer a question of "if" but rather "when" you'll experience a cyberattack.
Why do phishing emails have spelling mistakes?
We often think phishing emails are easy to detect because of the number of spelling and grammatical errors they contain, but what if those errors were put there on purpose? The ultimate goal of a cybercriminal is to make money. Unless a campaign is highly targeted, these emails are sent to thousands of people, so the spelling errors act as a deterrent: only the small number of people who do not notice them will fall victim to the scam.
Additionally, spelling errors increase the chance of the email getting through your spam filters and reaching your inbox, because those filters are designed to look for specific keywords or phrases commonly found in phishing emails, and a misspelt word does not match them.
If the phishing email is highly targeted, spelling errors are included to make it appear more personal, as most people don't double-check their spelling or grammar when replying quickly or when something is urgent. That is why you should always check the sender address, or call the person who appears to be emailing you, to make sure the email is legitimate.
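To illustrate the point about spam filters above, here is an added example (not code from the article) contrasting an exact-keyword check with an edit-distance check: the lure terms, the edit-distance threshold and the sample messages are all constructed for this illustration.

```python
# Added example (not from the article): a filter that matches lure keywords
# exactly misses deliberately misspelt words, while a small edit-distance
# tolerance catches them. Term list, threshold and samples are constructed.
import re

LURE_TERMS = ["verify", "account", "password", "payment", "urgent", "suspended"]

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def tokens(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())

def exact_hits(text: str) -> list:
    """What a naive keyword filter sees: only perfectly spelt lure terms."""
    return [t for t in tokens(text) if t in LURE_TERMS]

def fuzzy_hits(text: str, max_dist: int = 1) -> list:
    """Lure terms found allowing one edit, so 'acount' or 'p4ssword' still count.
    Short terms are matched exactly to avoid false positives on common words."""
    hits = []
    for tok in tokens(text):
        for term in LURE_TERMS:
            if tok == term or (len(term) >= 5 and levenshtein(tok, term) <= max_dist):
                hits.append(term)
                break
    return hits

def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Flag a message once enough distinct lure terms appear."""
    return len(set(fuzzy_hits(text))) >= threshold

# Constructed samples: a benign message and a lure with deliberate misspellings.
CLEAN = "Meeting moved to 3pm, see you in room 4"
LURE = "Urgent: your acount is suspnded, verifiy your p4ssword today"

if __name__ == "__main__":
    print("exact:", exact_hits(LURE))   # only 'urgent' survives exact matching
    print("fuzzy:", fuzzy_hits(LURE))   # the misspelt terms are recovered
    print("flagged:", is_suspicious(LURE), is_suspicious(CLEAN))
```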
Are phishing and spam the same?
The short answer is no: phishing and spam are not the same, but they fall under the same umbrella. Spam emails are the digital version of the unsolicited mail you get through the post: bulk email campaigns, often containing discounts and special offers, sent to large groups of people who did not sign up to receive them. Most junk mail, on the other hand, comes from opt-in services, such as marketing emails from businesses you have purchased from and whose mailing list you joined.
Phishing emails are malicious emails designed to trick you into handing over personal data, such as bank credentials and passwords, or to deceive you into downloading malware that infects your computer.
These emails are often created to appear as if they’re from HMRC, friends, family, colleagues, or other companies such as PayPal or TV Licensing. These emails have a sense of urgency to them and usually want you to complete the task on the same day, such as “your latest payment failed, re-enter your payment details immediately or we will take legal action”.
Can phishing be done by phone?
Yes. Phishing phone calls, also known as vishing (voice phishing), are the classic telephone scam. These calls can vary from a robotic, pre-recorded message to a real person, often with a sense of urgency to get you to give away your personal information. Some vishing scams claim to be calling about your recent accident so that you can claim compensation. Others claim that someone is taking legal action against you and that you must call back immediately on the number they give, which will charge you an extortionate amount of money, or else they will get the police involved.
Other phone scams may use a spoofed caller ID to appear as if the call is coming from a trustworthy source. These callers may pretend to be your bank or phone provider to gain your trust, then try to gather your personal data to gain access to your accounts. If in doubt, it is better to call them back on a number taken from the company's official website to double-check that the call is legitimate.
Can phishing be done by text?
Yes. Phishing done via text is known as smishing. These SMS messages target individuals and trick unsuspecting victims into revealing their personal information. The text message typically contains a call to action that demands an instant response, such as 'we need to verify your account information, click this link to verify', or, as seen in the example below, "You have added a new payee, if you do not recognise this please visit 'link to malicious site'". You then enter your data on that site, and it is stolen.
This is also being done via other messaging services such as WhatsApp.
If you receive a message that seems suspicious, you can report it by forwarding the message to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action if the text is found to be malicious; see an example below.
Can phishing happen in person?
Yes, this type of phishing is known as "baiting". Its name comes from the victim "taking the bait": for example, a scammer leaves a USB device loaded with malware for someone to find and use for business or personal purposes. As soon as the device is plugged in, the malware is installed without the user's knowledge.
How can phishing be prevented?
User awareness training. It won't matter how incredible your security defences are if one of your users clicks a link in a smishing text, downloads an attachment from a phishing email, connects a malware-infected USB device or gives away details over the phone: the scammer will be able to access your data to disrupt your business, or sell the information on the dark web, where multiple cybercriminals can buy it to gain access.
Remember, phishing scams do not rely on weak website or network security; they are attempts to trick you, the "human firewall". The more aware you are of cyber threats, the better prepared you will be to avoid them and to help prevent the rest of your team from succumbing to them.
Why is phishing dangerous?
Phishing is dangerous because of the information that can be gathered from it. That data can be used immediately to gain access to your accounts without your knowledge: if a cybercriminal has your passwords, they can easily log in to your accounts, and it will appear as if the real user is logging in (which is why you should set up multi-factor authentication, as it is another barrier that helps protect your data). Alternatively, your data could be harvested and sold on the dark web, where multiple cybercriminals can purchase the information for as little as £2.
How can AZTech IT help?
We are experienced managed security service professionals. We can provide you with user awareness training, including simulated phishing to test your users and see how they would react to these types of threats. In addition, we can scan the dark web to see if any of your credentials are already for sale to cybercriminals.
Or, if you'd prefer to find out how well your organisation is currently protected, why not begin with an IT Security Audit? Our security audit will analyse your network and find any weaknesses or areas of concern, so you'll know exactly where to focus your security strategy.
If you'd like to find out more about our services, please get in touch by calling us on 03300949420, emailing email@example.com, or contact us with our online chat.
There are no stupid questions when it comes to IT Security, and we are here to help, no matter the question.