Gone Phishing – How to Avoid This Common Cyber Scam

Phishing is one of the most common cyber scams, with individuals and company employees falling for malicious phishing attacks time and time again, despite warnings in the media. This is mostly due to phishing scams becoming increasingly sophisticated and varied, with new iterations cropping up continually.
All businesses are vulnerable to phishing in its many forms. So, what are the various types of phishing attacks and how can a business both mitigate against them and survive their aftermath?

Phishing

Phishing is a form of cybercrime that involves deceitfully obtaining sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy email, instant message or website.
These fake communications encourage would-be victims to provide their personal or financial information through clicking on a link or URL, and the same email can be sent out to thousands of recipients at the same time.
Phishing attacks often exploit psychological tactics, such as urgency or fear, to manipulate victims into divulging confidential data. These scams can have severe consequences, including identity theft, financial loss and unauthorised access to sensitive accounts.
Fraudsters often set up a fake domain that mimics a genuine organisation. Emails are then sent from an address that is one letter off the genuine one, or that incorporates the real company name, to fool victims. The email or message contains a link that, if clicked, leads the recipient into the scam.
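The two lookalike patterns just described (a sender domain one character off the genuine one, and a domain that embeds the real company name) are easy to flag automatically at the mail gateway. The check below is an added example, not code from the original post or from Ascend; the trusted domain and all sample addresses are constructed placeholders.

```python
import re

# Constructed placeholder: the organisation's genuine mail domain(s).
TRUSTED_DOMAINS = {"examplecorp.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of a From: header ('' if no address found).

    Handles both 'john@examplecorp.com' and 'John Smith <john@examplecorp.com>'.
    """
    m = re.search(r"[\w.+-]+@([\w.-]+)", address.lower())
    return m.group(1) if m else ""


def lookalike_reason(domain: str, trusted=TRUSTED_DOMAINS):
    """Return why `domain` looks like a trusted domain without being one, or None.

    An exact match is not flagged here; proving such mail is genuine is the job
    of sender authentication, which this lookalike check does not perform.
    """
    if domain in trusted:
        return None
    for good in trusted:
        # 'examp1ecorp.com' and 'examplecorp.co' are one edit from the real domain
        if edit_distance(domain, good) <= 1:
            return f"{domain} is one character off trusted domain {good}"
        brand = good.split(".")[0]  # 'examplecorp'
        # 'examplecorp-payments.com' reuses the company name in a different domain
        if brand in domain:
            return f"{domain} contains trusted brand name {brand!r} but is not {good}"
    return None


def check_sender(address: str):
    """Return (is_suspicious, reason) for a From: address."""
    domain = sender_domain(address)
    if not domain:
        return True, "no sender address found"
    reason = lookalike_reason(domain)
    return reason is not None, reason
```

Run against each inbound From: header, a hit is a strong signal to quarantine the message and alert the recipient, since genuine mail from the organisation never arrives from a near-miss domain.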

Variations of Phishing

Spear Phishing

Spear phishing involves malicious emails sent to a specific person and customised to fit their profile. Criminals who spear phish already have some or all of the following information about their victim: their name, email address, place of employment, job title and specific information about their role.
A convincing spear phishing email is personalised to the potential victim and often written in an informal, chatty tone, making it seem genuine rather than sent from a template.
These personalised messages often mimic communication from trusted sources, such as colleagues, business partners or even friends, to deceive recipients into clicking on a malicious link, downloading an infected attachment or disclosing sensitive information.
An example might be: ‘Hey, John, Martin at Fax Systems has just informed me that the last three payments haven’t been made. Could you please just whizz them over again, using the link he sent me. Many thanks – I owe you a pint!’
Spear phishing involves research and cunning and is a clever form of phishing that is often successful, especially when the recipient is busy and feels a sense of urgency to deal with the email.

Whaling

Whaling, a variant of phishing, targets high-profile individuals within organisations, such as executives, CEOs or senior management. These attacks are crafted to deceive individuals who hold significant authority or access to sensitive information, hence the term ‘whaling’: going after the ‘big fish’.
Attackers meticulously research their targets, tailoring emails with specific details relevant to the individual's role or responsibilities. The objective is often to trick these high-value targets into divulging confidential information, authorising fraudulent transactions or compromising security.
Whaling attacks typically employ sophisticated social engineering techniques, leveraging urgency, credibility or familiarity to manipulate victims into transferring money or divulging sensitive information.

Smishing/Vishing

With smishing and vishing, the phone, not email, is the channel of communication.
  • Smishing (SMS + phishing) involves criminals sending deceptive text messages to mobile phone users, often containing links to fraudulent websites or requesting immediate action, such as providing personal information or clicking on malicious links. These messages commonly purport to come from a bank, stating it has detected fraudulent activity on one of your accounts, from a government agency (often HMRC) or from an online auction site.
  • Vishing (voice + phishing), on the other hand, is where attackers use phone calls to impersonate legitimate entities, such as banks or government agencies, and manipulate victims into revealing confidential information, transferring funds or installing malware.
Both smishing and vishing rely on social engineering tactics to exploit trust, urgency or fear.

Angler phishing

Angler phishing is a deceptive tactic that combines elements of phishing and social engineering to exploit individuals through social media platforms.
In angler phishing attacks, cybercriminals create fake profiles or hijack legitimate accounts on popular social networking sites to pose as trusted individuals or organisations. They then use these deceptive personas to initiate contact with potential victims, often through direct messages or comments, and lure them into divulging sensitive information, clicking on malicious links or downloading malware-infected files.
An example of this would be a Twitter/X user complaining about bad service from a certain company, and the angler phisher replying to them as a fake representative of that company, offering to help, and asking them to supply personal information or click on a link.
Angler phishing relies on the inherent trust and familiarity associated with social media interactions to lower a victim’s guard, making them more susceptible to manipulation.

Blagging

Blagging is a deceptive tactic that attempts to manipulate or persuade individuals into divulging sensitive information or granting access to restricted areas by using smooth-talking, confidence and sometimes impersonation.
Blagging often occurs through direct interaction, such as phone calls or face-to-face encounters. Scammers may pose as trusted authorities, service providers, or even friends or acquaintances, to gain the target's trust and extract valuable information.
Blagging exploits human psychology, often leveraging emotions like fear or trust to coerce victims. A common scam, outside the business world, is to send a parent or grandparent a message purporting to come from a child or grandchild who is apparently in trouble, has lost their phone or has had an accident (‘can’t talk now, Mum, but can you please send me some money…?’). The contacted family member, keen to help out their loved one, falls for the scam.

Pharming

Pharming is a type of cyber-attack that involves redirecting website traffic to a fraudulent website without the user's knowledge or consent. Unlike phishing, which relies on social engineering tactics to trick individuals into disclosing personal information, pharming targets the domain name system (DNS) or other network protocols to reroute users to malicious websites.
This manipulation can occur through various means, including DNS cache poisoning, malware infections or compromised network devices.
Once users land on the counterfeit website, attackers can harvest sensitive information, such as login credentials, credit card numbers or other personal data. Pharming can circumvent traditional security measures like SSL encryption and user awareness.

How can businesses mitigate against phishing attacks?

There are many practical things a business can do:
  • Understand and examine any weaknesses or areas that might be vulnerable to an attack
  • Implement vigorous security measures
  • Set up email authentication methods
  • Implement robust email filtering systems
  • Operate caller and visitor ID verification
  • Regularly update software, use secure DNS servers and employ anti-malware solutions
  • Provide comprehensive training to recognise and respond to phishing attempts – not as a one-off session, but continually, to keep staff updated on phishing trends
  • Educate employees about social engineering tactics and unsolicited requests for sensitive data, and about not sharing sensitive information over the phone or via text messages unless certain of the recipient's identity
  • Run executive-level awareness training
  • Have a contingency plan for an attack. Make sure the relevant people know their roles and responsibilities, should an attack occur, so your business can recover as quickly as possible

What should a business do if they spot a potential phishing scam?

There are several steps for a business to take:
  • Report it immediately to the company’s IT department/provider
  • Notify other employees to be alert
  • Block the sender and access to any malicious links or attachments
  • Report where possible to relevant authorities or industry groups to raise awareness and contribute to efforts to combat cybercrime
  • Conduct a thorough analysis of the phishing attempt to identify its source, the techniques used and any potential vulnerabilities in systems or procedures
  • Promptly update security protocols
  • Implement company-wide guidance on how to recognise and report suspicious emails or messages
  • Schedule regular training sessions and awareness campaigns to keep employees informed about evolving phishing tactics

And if a business falls foul of a malicious phishing act?

How to mitigate damage and prevent further breaches:
  • Isolate and contain the affected systems or accounts to prevent the spread of malware or unauthorised access
  • Identify compromised data
  • Notify relevant stakeholders, including employees, customers and regulatory authorities
  • Conduct a thorough investigation to determine the extent of the breach
  • Assess any potential vulnerabilities in the business’s cybersecurity infrastructure
  • Provide guidance on how to protect from potential fallout, such as identity theft or fraud
  • Shore up cybersecurity measures by implementing stronger authentication protocols
  • Conduct regular security training for employees and deploy advanced threat detection and response systems to prevent future phishing attacks
  • Collaborate with both police and cybersecurity experts to apprehend the perpetrators and ensure accountability for the attack

Phishing remains a prevalent and evolving threat in today's digital landscape, posing significant risks to individuals, businesses and organisations worldwide. As cybercriminals continue to develop more sophisticated tactics and exploit vulnerabilities in technology and human behaviour, it's crucial for everyone to remain vigilant and proactive in their approach to cybersecurity.
By staying informed about the latest phishing trends, implementing robust security measures and fostering a culture of awareness and accountability, we can collectively work towards minimising the impact of phishing attacks and safeguarding our digital assets.
Staying one step ahead of cyber threats starts with recognising the signs of phishing and taking decisive action. Don’t let the next phishing victim be you or your business!

Any questions? Please don’t hesitate to contact one of our team.

Stuart.Belbin@ascendbroking.co.uk | Mobile: 07736 956213