As we scan through our emails on a Monday morning, clicking absentmindedly on each one to make sure there are no more blue links left, are we taking the time to actually read them? A short period of inattention could be all that is needed for us to fall foul of a phishing scam.
Phishing (pronounced “fishing”) is a method of manipulating people into either giving up sensitive information, such as bank card details, or installing some form of malware. Whilst the effects of losing information can be quite apparent, malware installation isn’t just a virus that makes annoying pop-ups appear; it can have far more serious implications. Often there won’t be an immediate effect: the level of access gained is frequently the initial goal of threat actors online, who gain a foothold in larger organisations by tricking employees who are unfortunate or poorly educated in cyber security. From here our systems are exposed either to unauthorised access to confidential information and records or to a potential ransomware/crypto-locker attack, crippling our organisation.
Recognising phishing attempts is the key to protecting against them, as phishing tries to exploit the weakest link in the cyber security chain: people. Often these emails will be almost indistinguishable from a genuine email that would have come from the organisation being impersonated. Just this month the NCSC reported that it had stopped 140,000 phishing attacks that were using fake gov.uk addresses*, which could also have been used to impersonate HMRC. There are a few different kinds of phishing attempts to recognise:
Regular Phishing – as outlined above, this can have a scattergun approach and would not be particular to an organisation. It will usually relate to some kind of heavily used online service (such as Paypal or online banking).
Spear Phishing – a targeted attempt, a specific organisation may be impersonated that is known or trusted by the target organisation. These can be harder to recognise as we tend to not question messages from those we know.
Whaling – even more specifically targeted. This is where a specific high-ranking individual within the organisation is impersonated in order to get employees to perform some task, either the more usual opening of a link or perhaps even socially engineering someone into transferring funds. This form of attack is extremely specific and often requires months of reconnaissance to correctly emulate the person they’re trying to make us believe they are.
How can we protect against this?
Training and education – as phishing is targeting human error or exploiting trust, the most obvious initial course should be to educate our organisation on what to look for. Things such as spelling or grammatical mistakes on official emails, ensuring that the email address we’re receiving from is correct, and hovering over links to see where they will direct us, are all simple measures that will help against the majority of attacks.
Email security services – there are paid technological services, such as Mimecast**, that scan emails and block out the majority of phishing attempts. They can also hold suspected emails for you to review and make sure that they are ones you are expecting to receive.
Firewalls – by enabling ‘website filtering’ on our firewalls, we can help to mitigate the risk of accidentally clicking on the bad links in phishing emails. Whilst not foolproof, it is an additional layer of protection.
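Two of the checks listed under training and education (is the sender address really from the organisation it claims to be, and does a link actually go where its text says it does) can also be automated as a first-pass triage. The following is an added example, not code from the original post or from any product it mentions: it parses a constructed sample email, compares the sender domain against a small allow-list, and flags anchors whose visible text names one domain while the real destination is another. All domains, addresses and the allow-list are invented for the demo.

```python
"""Added example (not from the original post): a small checker for two of the
phishing signs discussed above - a sender domain that does not match the
organisation it claims to be from, and links whose visible text points
somewhere other than their real destination."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains we genuinely expect mail from (constructed allow-list for the demo).
TRUSTED_DOMAINS = {"example-bank.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(value):
    """Return the lowercased host of a URL or bare domain ('' if none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def check_sender(msg):
    """Flag a From: address whose domain is not on the trusted list.
    Returns a list of findings; an empty list means nothing suspicious."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain '{domain}' is not trusted "
                        f"(display name was '{display}')")
    return findings


def check_links(html_body):
    """Flag anchors whose text looks like a domain/URL but whose href goes
    elsewhere, plus any link to a domain outside the trusted list."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real = _domain_of(href)
        # Only treat the visible text as a claimed destination if it looks like one.
        shown = _domain_of(text) if "." in text and " " not in text else None
        if shown and shown != real:
            findings.append(f"link text '{text}' really points to '{real}'")
        elif real and real not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain '{real}'")
    return findings


def check_message(raw):
    """Run both checks over a raw RFC 822 message and return all findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    body = html_part.get_content() if html_part else ""
    return check_sender(msg) + check_links(body)


# Constructed sample message for the demo; every domain here is invented.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@example-bank.com.login-verify.net>
To: staff@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://login-verify.net/x">https://www.example-bank.com/secure</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Running the block prints two warnings for the sample: the sender domain is a lookalike that merely starts with the bank's name, and the link text claims one site while the href goes to another. Real mail gateways do far more than this (reputation, attachment sandboxing, DMARC checks), but the two rules shown are exactly the ones a trained reader applies by hand.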
Ultimately, this does come down to us as individuals being trained and aware of the risks. At almost any point we are able to override the technological controls put in place, and all it takes is one instance to have severe consequences. We must make sure that at all levels everyone is informed and has the tools and training necessary to recognise this kind of threat. We have to get it right every time; they only need us to get it wrong once.
If anyone would like more advice or guidance on this subject or any other relating to cyber security or information assurance, please feel free to contact our team at [email protected]