As one of the most common forms of cyber-crime, phishing scams along with other social engineering tactics make up a shocking 2/3 of data beaches, with Action Fraud recently reporting a yearly figure of over 400,000 scam emails…
This shows no sign of slowing down with the recent Royal Mail phishing attack, whereby victims received a text message claiming a parcel is awaiting delivery and a shipping fee is required. The message then linked to a phishing site simulated to look like an official Royal Mail webpage, requesting personal and payment details.
Despite Royal Mail’s statement that they would never send such texts – unless specifically requested – and would use a grey card if any fee was required – a worrying number of people still fell for the scam. This is likely due to the fact that phishing campaigns can take various forms in addition to text messages, such as email and over the phone – as well as the increasingly sophisticated methods used by cyber-criminals in today’s virtual environment.
Despite this, there are a few red flags you can look out for in order to successfully identify a phishing campaign and avoid falling victim. Keep reading to find out what these are…
Firstly, back to basics – what is Phishing?
Phishing attacks come under the umbrella of social engineering, and are a form of fraud whereby a cyber-criminal imitates an organisation or reputable person in order to trick victims into providing personal or sensitive data, or to inadvertently install malware via a malicious link.
Red flags to look out for:
Always check the sender’s email address. A legitimate organisation won’t send an email from a public email domain such as @gmail.com. Cyber-criminals will often have the option of selecting the display name – so always check the actual sender email address and not just the sender name!
Strange turns of phrase, poor grammar and spelling mistakes are often a key sign of a phishing campaign. Unprofessional language and low-quality graphics are also unlikely to be included in an official email.
Phishing scams will often be littered with unsolicited attachments and links, urging you to ‘click here’ or ‘sign up now’. Don’t do it! If these are clicked, they may take you to a malicious website or be an infected attachment containing malware. Top tip – if you’re unsure, you can hover over the hyperlink to double check the full URL.
Commonly, phishing scams try to create a sense of urgency – for example, telling you to ‘act immediately’ or it will be ‘too late’ and your ‘account will be compromised’. It’s likely the fraudsters are using scare tactics to try and distract you from the various other red flags littered throughout the email.
Phishing campaigns are usually automated attacks sent to thousands of recipients. As such, the email will usually be addressed to the ‘customer’ rather than including any specific details. However, it’s important to note that this is different to spear phishing, which is a targeted campaign at individuals – so remember that the inclusion of your name does not equal legitimacy!
How can I protect myself?
Phishing emails only rely on one human error to make the attack a success, rather than trying to crack complex code or break into sophisticated networks – likely attributing to their common use and popularity as a method of cyber-crime. As such, user education is of utmost importance in combatting this threat.
In addition to training your workforce, at 10-100 we recommend that our customers utilise Microsoft Defender for Office 365. As an add-on to Office 365 subscriptions, Microsoft Defender detects compromised emails and phishing attacks, providing holistic threat protection. It additionally warns about possible spoofed emails, and includes a threat simulation system whereby IT or HR teams can send fake phishing emails to employees. These phishing simulations provide invaluable training, highlighting which employees fall for the campaign and those who require additional education. As experts in both cyber-security and the Microsoft sphere, our team at 10-100 can implement bespoke Microsoft 365 solutions to optimise and secure your workplace systems.
For those looking for additional spam filtering products, our team can also work with your organisation to find a solution best suited to your requirements, such as Mimecast’s email security spam filter. As part of Mimecast’s Secure Email Gateway, the market-leading filter provides comprehensive protection against spam, malware, zero-day attacks and more. Specifically, the Target Threat Protection scans every email to mitigate the risk of phishing and spear phishing.
Our team can implement these products and more into your business model, providing on-going user support if necessary. If you require additional guidance on phishing campaigns or the preventative solutions, get in touch with one of our experts here.