Some of the most successful forms of cyber attacks take the shape of phishing, a form of social engineering. It's estimated that 91% of cyber attacks start with a phishing attempt. In this article, we'll take a look at what phishing is and how you can take steps to protect yourself and your business against it.
So, why phishing?
Phishing at its core is the attempt to obtain valuable or important information, such as passwords and bank card details, via electronic means such as emails and text messages. It first came to prominence in the early 1990s and has constantly been on the rise with increasingly sophisticated methods.
Phishing attacks can be carried out in several ways, and some of them are incredibly sophisticated. Primarily, they revolve around deceiving the intended victim by the phisher pretending to be someone or something they are not. Below we'll look at two of the most commonly used.
Link manipulation
In its most common form, link manipulation is when an email is sent out, seemingly from a reputable company and possibly one that the intended victim already has dealings with. Once the user has opened the email, they will find a link which on the surface looks like it will take them to the company's website. When they arrive at the site they will probably be presented with a good facsimile of the company's website they were expecting; however, all is not as it seems.
The website, while seemingly legitimate, is being run by the phishers. Any information entered, including card details, user names and passwords, will now be in their hands. These types of emails can be made to look as if they have come from a whole range of companies, such as banks, food delivery services, software companies and even government organizations.
Voice phishing
Voice phishing, as the name suggests, is when a phisher seeks to gain sensitive information over the phone instead. The calls can either be automated or made by a live caller. The usual method is to pretend to be from an organization, such as a bank, stating that there is an issue with the victim's account; they will then attempt to obtain account information. Alternatively, if a company rather than an individual is being targeted, they may pretend to be from the company's IT department to obtain usernames and logins allowing access to the company's systems.
Other types of phishing that you may hear of are spear-phishing, where the phishing attempt is aimed directly at an individual, or whaling, which is aimed at an individual in a particularly influential role, such as the CEO of a company.
How do you increase security in a small business?
The key element here is making sure both you and your staff are aware of the potential risks.
The weakest part in any defense against cybercrime is a person, which is the reason why phishing is successful. Make sure your staff is aware of any changes in your business that may lead to emails from organizations they haven’t dealt with before. Equally, make sure that they know who to inform if they receive any form of suspicious communication.
If you're in doubt about the authenticity of an email, caller or website, do not give out private or sensitive company information, such as payment or bank details, user names or passwords, or any further email addresses or telephone numbers. Organizations and businesses such as banks will not ask you to identify yourself over the phone or by email. If a caller rings up identifying themselves as an organization you have ties with, they may sometimes ask you to call back. This is a common trick used in many types of attempted telephone fraud. If you do call back, don't use the number the call came from. Instead, find a number for the organization yourself and call that.
If you receive an unsolicited email with attachments, be cautious before opening them. While the anti-spam filters of most email providers are very good, people with malicious intent are constantly coming up with sophisticated methods of evading them. If you suspect it may be a legitimate attachment, contact the organization that is supposed to have sent it before opening it. It's worth remembering that the vast majority of organizations will not be sending out this form of email, and they certainly will not be asking for any sensitive information.
If you think you have been the victim of a phishing attempt the best thing you can do is report it. Check out the Federal Trade Commission's guidance for more information.