Phishing is defined as, ‘the fraudulent practice of sending emails claiming to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.’
Phishing is a type of Social Engineering. In the context of information security, Social Engineering means “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”.
Think of phishing as those annoying phone calls you’d receive back in the day around dinnertime, where people would try to ‘confirm our billing information’, and if we weren’t paying attention, we might give out our card details and personal information.
Phishing can happen through text messages, social media (including YouTube), and on the phone - but the term ‘phishing’ is generally used for attacks that occur through our emails.
These types of emails can hit any size and any type of organisation and are not only used for gathering personal information from victims, but also for installing malware and ransomware to steal our information through keyboard entry, sabotage of systems and fraud.
These are Targeted Phishing Campaigns – the cybercriminal may find information about you through social media, such as your place of employment, your friends and family, and use this information to make messages more persuasive and realistic – causing you to drop your guard and be more likely to download attachments and click on malicious links in emails.
The classic. These are phishing scams over the phone – criminals will typically create a sense of urgency to get you to give away your personal information. Often created through a spoofed ID to seem like it’s coming from a trustworthy source. These types of phone calls may pretend to be your bank or phone service to gain your trust, then they will try and ask for your name, password, pin, date of birth and more to gain access to your accounts.
Often targeted at senior management, this type of social engineering chooses a ‘High-Level Target’ to attempt to steal sensitive information. These are not the typical phishing scams we’re used to and can be difficult to detect – they usually contain personalised information about the target or organisation with a formal, corporate tone of voice.
SMS messages are used to target individuals – an effective way for cybercriminals to trick unsuspecting victims into revealing their personal information. The text message sent to the victim’s phone will usually have a call to action that requires an immediate response, such as ‘we need to verify your account information’, so you hand over your account details, credit card or usernames and passwords.
This type of phishing is where a legitimate and previously delivered email is used to create an identical email to gain your trust, so you willingly hand over your personal information down the line. The replicated email will seem to be from the original sender but will be updated with malicious links or attachments.
Frequently referenced as ‘Friday Afternoon Fraud’,
“the most prominent cybercrime in the legal sector today. It takes its name from the fact the scam is typically launched on Fridays, when conveyancing transactions are completed. In fact, it was responsible for 75 per cent of all cybercrimes reported to the Solicitors Regulation Authority (SRA) in 2016.”
How can Phishing damage your business?
A successful phishing attack can result in:
- Identity theft
- Theft of sensitive data
- Theft of client information
- Loss of usernames and passwords
- Loss of intellectual property
- Theft of funds from business and client accounts
- Reputation damage
- Unauthorised transactions
- Credit card fraud
- Installation of malware and ransomware
- Access to systems to launch future attacks
- Data sold on to criminal third parties
You could have the best security and defences for your company, but cybercriminals know how to exploit the weakest link in your defences – your employees. Human error can easily result in a massive loss of sensitive data.
It’s vital that businesses take steps to ensure they are doing all they can to educate their staff on the dangers of a phishing attack. Training employees to effectively recognise a phishing attempt is key in alleviating the risk to your organisation.
How can we help?
We can help safeguard your business with Managed IT Security.
Make your weakest link your greatest defence with User Awareness Training – we will train your staff on the warning signs of a potential attack and help them remain vigilant to the latest threats.
Get in touch to find out more and we’ll be happy to help.