
What Are Phishing Attacks and How Do You Spot Them?

The threat of a cyber-attack is growing and with high profile hacking scandals filling the headlines, it seems like 2017 is the year businesses are finally waking up to the importance of cyber security. Protecting your business from hackers, specifically those using phishing techniques, has never been more vital, as FSB research shows that 66% of smaller businesses have been a victim of cybercrime with phishing scams accounting for 49%, making them the most common form of attack.

Phishing is an attempt by hackers to capture sensitive information from web users by posing as a legitimate and trustworthy source. The information requested ranges from account logins and personal passwords to banking and credit card details and is acquired through a range of techniques that trick the user into believing the request to be genuine.

The methods used by 'phishers' are getting more and more sophisticated. Google Docs was recently used as the lure in one such scam: attackers sent out targeted emails inviting recipients to edit a shared Google Doc. Because the invitation appeared to come from someone in the recipient's own contact list it looked genuine, but the link it contained was malicious, leading to a page that tricked recipients into handing a third party access to their account.

Attacks like this are common in businesses of all sizes but their effects can be mitigated with proper employee education. Your employees are your strongest line of defense when it comes to protecting your business against hackers so we've put together a list of the most common phishing techniques to help you to identify a threat when it comes your way.

1. Email

Using email to trick people into giving away personal information is the most common form of phishing attack. As in the Google Docs example above, the target receives an email from an apparently 'trustworthy' source that contains a request for information, a malicious link, or an attachment to download.

2. Spear phishing

Spear phishing works in the same way as email phishing but is more highly targeted, with emails using direct personal information such as names or company info to further convince the target that the scam is legitimate.

3. Web based delivery

Web based delivery, sometimes called the 'man in the middle' technique, is a more sophisticated form of phishing in which the attacker positions themselves between the user and a legitimate website. The user is led, via a link, to a page controlled by the attacker that looks like the real login page; anything typed into it is captured before being passed on (or not) to the genuine site. In the most convincing versions the attacker's page relays the real site's responses in real time, so the login appears to succeed and the victim sees nothing wrong, while the attacker keeps the credentials and, often, the logged-in session.

4. Malware

Malware-based phishing encourages the target to click a rogue link or open a download that installs malicious software, which can then read files and sensitive information on the user's computer. The link may arrive by email or through a social media site, sometimes in the form of a 'malvertisement', a phony advert that pushes an unwanted download onto the computer. A related trick is persuading the user to grant a rogue third-party app access to an account such as a Facebook page: no software is installed, but the attacker gains access to the account all the same. At the more serious end is the trojan, a program disguised as something harmless that gives the attacker remote access to the machine. Ransomware is also a kind of malware; it locks access to a device or its files until a ransom has been paid.

How to spot a phishing attack

As phishing attacks get more sophisticated they are also becoming harder to spot, but there are several things you can look out for in your inbox and online to alert you to suspicious activity.

1. URL

Before you click on a link, check the URL (hover over it if it's a hyperlink) and confirm that it matches the company the email or site claims to be from. What matters is the rightmost part of the host name, because that is the part the owner actually registered: a link genuinely from Apple will read something like 'page.apple.com', whereas 'apple.page.com' belongs to whoever owns 'page.com'. Attackers routinely create a subdomain named after the brand on a domain they control, such as 'apple.com.some-rogue-site.example', so that users who only read the first few characters of the link believe it is genuine. Be equally wary of links that are shortened, that contain an IP address instead of a name, or that use look-alike characters in place of the real ones.
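The check described above can be automated for a mail filter or an awareness tool. The example below is added here and is not part of the original article; the brand-to-domain mapping and the sample links are constructed for the demonstration, and the registrable-domain logic is a deliberate simplification that a real deployment would replace with a Public Suffix List lookup (so that 'co.uk'-style suffixes are handled correctly).

```python
"""Does a link really point at the domain the brand uses?

Illustrative example (not the article's own code). Demonstrates the
"read the host name from the right" rule, plus three common tricks that
defeat a casual glance: a user-info prefix ('https://apple.com@evil...'),
a brand name used as a subdomain of an attacker's domain, and a
look-alike (punycode / non-ASCII) host name.
"""
from urllib.parse import urlsplit

# Assumed allow-list for the demo: which registered domain a brand uses.
BRAND_DOMAINS = {
    "apple": "apple.com",
}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a host name.

    Simplification for the demo: real code must consult the Public Suffix
    List, because for 'shop.example.co.uk' the registered part is
    'example.co.uk', not 'co.uk'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_matches_brand(url: str, brand: str) -> bool:
    """True only if the URL's host belongs to the brand's registered domain."""
    expected = BRAND_DOMAINS[brand]
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # bare 'apple.com/login' has no host
    host = parts.hostname                 # drops user-info and port, lower-cases
    if not host:
        return False
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False                      # look-alike / homograph characters
    return registrable_domain(host) == expected


def classify_links(urls, brand: str) -> dict:
    """Map each URL to 'ok' or 'suspicious' for a given claimed brand."""
    return {u: ("ok" if link_matches_brand(u, brand) else "suspicious") for u in urls}


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email claiming to be from Apple.
    samples = [
        "https://page.apple.com/verify",                 # genuine subdomain
        "https://APPLE.com:443/account",                 # case and port are irrelevant
        "https://apple.page.com/verify",                 # brand on someone else's domain
        "https://apple.com.some-rogue-site.example/",    # brand as a subdomain
        "https://www.apple.com@attacker.example/login",  # user-info trick
        "https://apple.com-login.example/",              # hyphen look-alike
        "https://xn--pple-43d.com/",                     # punycode homograph
        "http://192.0.2.1/apple/",                       # raw IP address
    ]
    for url, verdict in classify_links(samples, "apple").items():
        print(f"{verdict:10s} {url}")
```

Hovering over a link only shows you the text; this function is the same inspection done mechanically, and the user-info case shows why the rule is "read from the right of the host", not "look for the brand name anywhere in the link".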

2. Language

Scan the language of an email or advert for spelling and grammar. A legitimate company will have had its content reviewed before publication, so a typo, an odd turn of phrase or a generic greeting ('Dear customer') is a warning sign that it is not from who it claims to be from. The reverse does not hold: a well-written message is not proof of legitimacy, as attackers increasingly copy genuine emails word for word, so treat clean language as one signal among several rather than a pass.

3. Request for sensitive information

No matter how convincing a scam looks, legitimate companies will never ask for your login details over email, just as banks will never request your account details in this way.

4. Threats or promises

If an email or advert tells you you've won a prize that seems too good to be true, or contains unlikely threats about your account, it is likely a scam to scare you into putting in your information.

5. Something phishy

Finally, if something just doesn't look right about the advert or email but you can't quite put your finger on what or why, avoid it and contact your system administrator before you continue. Chances are your instincts are right.

Phishing attacks can result in the theft of sensitive information and confidential data, leaving your business at risk of major disruption and serious reputational damage. To protect against this, it is vital that you educate your employees and yourself on how to detect and report a phishing scam, so that human error is far less likely to be the weakness that lets an attacker in.