phishing

Understanding Cyber Crime – Phishing

While Ransomware employs coercion, Phishing relies on acts of deception to lure victims into parting with sensitive information. Phishing scams can be performed using a variety of media such as email, web links, text messaging and phone calls.

Email, however, is the most popular tool of the Phishing scammer. The main aim of any Phishing scam is to convince the recipient that the correspondence comes from a legitimate source – this could be an employer, a close friend or colleague, or a reputable entity such as a bank or credit card company. If the act of deception is successful then the victim is more likely to disclose compromising information, such as bank details or account information, or, alternatively, to open an attachment that will release malware onto the victim’s computer.


What does Phishing look like?

While broadly speaking all Phishing scams employ acts of deception, scams vary in their execution. Let’s consider some of the most common methods scammers use to perpetrate email phishing scams.

Spear Phishing

This targeted form of phishing involves using publicly available information to imitate an organisation or individual closely linked with the victim. Scammers often use social media ‘friends lists’ and other accessible information to assume the identity of someone the target is likely to trust, and therefore increase the scam’s chances of success.

Deceptive Phishing

Possibly the most well-known form of phishing scam, in which the cyber criminals take on the appearance of a well-known and generally trusted institution such as a bank, service provider or credit card company. Often the scammers present victims with an emergency scenario that requires urgent action. The call to action might be along the lines of…

“We’ve noticed suspicious activity on your account, login here to take action now”

Such scams often attempt to harvest account details using links to login portals. This form of Phishing is usually non-discriminatory in terms of those targeted and instead relies on the credibility of large firms to make targets voluntarily hand over sensitive information.

CEO Fraud

Like Spear Phishing, CEO fraud also makes use of publicly available information. Scammers do research into firms and identify senior personnel. They then use publicly viewable information to impersonate them in order to convince less senior staff to perform unusual requests, often authorising payments. Scammers take advantage of the authority wielded by the company executives to compel other members of staff into performing requests without questioning them.

Cloning

This process involves copying the format, appearance, text and content of a previously delivered email in order to fool recipients into thinking that the email presents no threat. Looks can be deceiving, however, as this cloned email will likely contain malware-ridden attachments or links to malicious websites.

Pharming

Pharming involves the use of fake sites to harvest account details and other forms of sensitive information from victims. Cyber criminals direct traffic to these fake sites either by using viruses installed on a user’s computer or by using ‘DNS cache poisoning’ to send users to a rogue site whenever they look up a legitimate site’s domain name through the domain name system.

It can be a challenge to distinguish one of these rogue sites from the legitimate site it attempts to resemble without paying attention to the URL.


Protect your business against the Phishing Fraudsters

While Phishing scammers employ several techniques and can prove persuasive to the uninitiated, such scams are easily avoided when you know what to look out for. It all comes down to spotting the fake among the legitimate, but ultimately if something doesn’t add up the best course of action is not to interact. Here are a few summarised tips to avoid falling foul of Phishing scams.

  • Check the website connection type. If a site handles sensitive information such as payment details or identifying personal information, its address should begin with ‘https://’ (browsers usually show a padlock alongside it) rather than plain ‘http://’. The presence of HTTPS offers a degree of reassurance that the site is legitimate.
  • Check the website URL. Rogue sites will often be set up to appear as similar as possible to the legitimate site on which they’re based, so it’s important to closely examine the address bar to distinguish the real from the fake. Pay attention to the domain name and compare it with what you expect – are there any misspellings or unnecessary punctuation? Then take a look at the ‘top-level domain’ – the tag at the end of the domain name (.com, .co.uk, .gov, etc.). If you’re expecting ‘.com’ but you see ‘.info’, alarm bells should be ringing.
  • Don’t reply to suspect emails. Say you get an email from someone you appear to know, but the content of the email seems out of character in some way: don’t reply. Instead, follow up by sending a new email to an email address you already hold for the person in question. This is the easiest way to test the authenticity of a piece of correspondence that seems out of the ordinary.
  • Apply ‘Friends only’ restrictions on social media content. Fraudsters use poorly configured social media accounts to gather data on individuals in order to perform targeted attacks. By applying privacy settings to your accounts you’ll give the scammers less to work with, and reduce your chances of falling victim to the likes of Spear Phishing.
  • Take advantage of anti-phishing software. Awareness of Phishing is important, but technical measures such as the use of anti-phishing software also have a role to play in reducing the success and prevalence of Phishing attacks. Such programmes are designed to prevent malicious emails from reaching your inbox and block access to malicious sites by presenting pop-up warnings whenever a site being accessed is deemed ‘high-risk.’
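The first two tips above, the connection check and the URL check, can be applied to a link before it is clicked. The following is an added example, not Cloud Nexus’s own code; `check_link` and `edit_distance` are names chosen here, and `examplebank.co.uk` is a constructed placeholder domain, not a real site.

```python
# Added example: applies the "check the connection type" and "check the
# website URL" advice to a link before anyone clicks it.
from urllib.parse import urlsplit


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspelt look-alike domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, expected_domain: str) -> list[str]:
    """Return warnings for a link; an empty list means it matches expectations.

    expected_domain is the registered domain you expect to land on, e.g. the
    constructed placeholder "examplebank.co.uk" (not a real site).
    """
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()

    # Tip 1: sensitive data should only be entered over HTTPS.
    if parts.scheme != "https":
        warnings.append("connection is not HTTPS")

    # Tip 2a: the genuine site is the expected domain or a subdomain of it.
    if host == expected or host.endswith("." + expected):
        return warnings

    labels = host.split(".")
    exp_name, _, exp_tld = expected.partition(".")

    # Tip 2b: the expected name is present, but what follows it is not the
    # expected top-level domain (".info" instead of ".co.uk", or extra labels
    # that make some other domain the real owner of the site).
    if exp_name in labels:
        actual_tld = ".".join(labels[labels.index(exp_name) + 1:])
        warnings.append(f"top-level domain mismatch: expected .{exp_tld}, got .{actual_tld}")
        return warnings

    # Tip 2c: misspellings or stray punctuation in the domain name itself.
    for label in labels:
        if 0 < edit_distance(label, exp_name) <= 2:
            warnings.append(f"possible misspelling: '{label}' resembles '{exp_name}'")
            return warnings

    warnings.append(f"host '{host}' is unrelated to '{expected}'")
    return warnings
```

HTTPS on its own only shows the connection is encrypted, so the domain checks carry most of the weight; `urlsplit` also discards any `user@` prefix, so a link such as `https://examplebank.co.uk@other.example/` is judged on `other.example`.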


We’re Cloud Nexus

We’re Cloud Nexus and we believe that technology should make life easier, not harder.

We help people move to the cloud, secure their data and work with customers in awesome new ways. We’ll get to know your business and create the most appropriate solution to meet your technical requirements while being commercially sensible in cost.

Please contact the team today on +44 (113) 539 0192 or hello@cloudnexus.co.uk.
