What is Phishing all about?

Here at CTO we often like to flesh out a topic in layman’s terms, so Users can understand more about the technology they interact with on a daily basis. Today we want to provide information regarding an activity known as Phishing.

What is Phishing?

Phishing is an attempt to deceive users in order to steal sensitive information from them via emails, telephone or text message.

More specifically: –

Phishing is a form of social engineering – the act of deception, or taking advantage of a user’s trust to convince them to reveal sensitive information.

Spear phishing is a type of phishing attack that targets a specific individual or set of individuals. Attackers may do research on their targets via social media networks and publicly available information online, using the data to craft a credible message to convince victims to click, download or give away additional, non‑public information.

How does Phishing work?

Phishing methods can vary from credential and data theft to malware infection and machine compromise. But one of the most common methods involves phishing emails. This activity involves a hacker: –

  • Sending email to Users
  • Stealing data by persuading Users to:
    • Send them information directly
    • Click on a link, visit a spoofed site, then enter their Username and Password
    • Download an email attachment which executes malware on their machine
    • Visit a malicious website hosting an exploit kit that executes malware on their machine

So what can Users do to avoid falling for a Phishing attack?

Type in URLs yourself; don’t click on links in emails.

Web addresses may not be what they appear in your email messages – better to type in the domain name yourself before entering any sensitive information into any web forms.

Turn on two-factor authentication (2FA) for every account.

If you’re able to, use a free authentication mobile app, and set up push authentication‑based 2FA for all of your online accounts to protect against unauthorised access via phishing. Or, use passcode‑based methods if that’s what is offered (set up your mobile app to generate unique passcodes, then enter them into your login screen). In fact, 2FA is a feature available free with Windows 10, so there is little excuse not to enable it for added security.

Beware of certain social cues, urgent requests, and gift or money offers.

Messages that appear to be urgent requests for either immediate payment, updates to your account, password changes, etc. play on the reactive emotional response of a user to get information from them quickly.

Beware of social media, entertainment or reward scams.

Attacks targeting social media platforms have nearly tripled since last year. These types of scams are leveraging the inherent trust between users and a platform or brand. By targeting employees that mix personal and business practices, scammers are hoping that employees may lower their guard for a message that appeals to them on a personal level.

Verify the sender in person or via a different channel of communication.

If you’re able to, verify that the sender actually sent you the message in question by asking them in person or over a different messaging service, or call them. Sometimes those methods can also be compromised or phished, so if you’re still unsure, send the message to your IT or security team for review.

Check for and run updates; use software that updates automatically whenever possible.

Keeping your software and devices up to date is one way to protect against malware compromises and data theft as the result of phishing. Do so often and promptly. The recent End of Support for Windows 7 on the 14th January 2020 means many Users must upgrade to Windows 10 to ensure their machine does not become a security risk.

What should I look out for?

A quick list of phishing message ‘triggers’ for Users to reference is: –

  • Impersonates reputable organisations
  • Triggers an emotion
  • Urgent request
  • Asks for personal information
  • Offers gifts or money
  • Poor spelling and grammar
  • Mismatched URLs

Be aware – it can happen to anyone, even me!

Just recently a hacker attempted a phishing scam on me regarding my TV license. I received an email from tvlicensing-support.co.uk on the 23rd December last year stating my Direct Debit payment had failed and I needed to complete a new Direct Debit mandate to watch TV legally, plus pay the missed payment online by clicking a link to a cleverly ‘branded’ spoof website (thereby obtaining my Bank Details). I checked my Bank Account and the payment went out on the 2nd Dec. Also, the TV license email address is tvlicensing.co.uk and not the one stated above.
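Two of the ‘triggers’ listed above, mismatched URLs and a lookalike sender domain, can be checked mechanically before anyone clicks. The Python below is an added example, not CTO’s code or any tooling the author used; it assumes an HTML email body and a known legitimate domain to compare against, and the sample message is constructed to resemble the one described above rather than being the real email.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Minimal two-label public suffixes so "tvlicensing.co.uk" is one registrable
# domain; a production check would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}

def registrable_domain(host):
    """Owner-controlled part of a host name, e.g. 'pay.x.co.uk' -> 'x.co.uk'."""
    labels = host.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html_body):
    """Links whose visible text shows one domain while the href points at another."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != target:
            flagged.append((text, target))
    return flagged

def lookalike_sender(sender, legit_domain):
    """True when the sender's domain is not the real one but borrows its brand label."""
    domain = registrable_domain(sender.split("@")[-1])
    return domain != legit_domain and legit_domain.split(".")[0] in domain

# Constructed sample modelled on the message described on this page (not the real email).
SAMPLE_HTML = ('<p>Your Direct Debit payment has failed.</p><a href="http://pay.'
               'tvlicensing-support.co.uk/dd">https://www.tvlicensing.co.uk/pay</a>')
```

Running `mismatched_links(SAMPLE_HTML)` flags the link because the text shows tvlicensing.co.uk while the href lands on tvlicensing-support.co.uk, and `lookalike_sender("billing@tvlicensing-support.co.uk", "tvlicensing.co.uk")` flags the sender for the same reason the author spotted by eye.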

If you require any further information on this topic, please do not hesitate to contact CTO.

All the best

Richard
