Phishing scams have been around for a long time, and although we are much more clued up now than before, they are unfortunately constantly adapting and changing, finding new ways to dupe individuals and businesses.
Phishing explained
Phishing has earned its namesake by ‘luring’ people in with legitimate-looking emails, websites or advertisements and hoping that they will bite by providing the information that the criminals have requested. This is usually credit card numbers, account numbers, passwords, usernames or other valuable information.
This is often done via an email or text message. Commonly, they include a link that will appear to take you to a company’s website to fill in your information, however, it is a very clever fake. That information that you then provide goes straight into the hands of the scammer. From there, they may be able to access your email or bank accounts.
Thousands of these phishing scams are launched day in day out across the globe – but that doesn’t make them any easier to spot. Here are a few scary phishing statistics to put their success into perspective:
- 97% of users cannot identify a sophisticated phishing email
- 85% of organisations have suffered from phishing attacks
- Nearly 1.5 million new phishing websites are created each month
- 78% of people claim to be aware of the risks of unknown links in emails, yet click anyway
- SaaS and webmail services accounted for 34.7% of phishing attacks internationally
How do I spot a phishing scam?
Unfortunately, scammers are always updating their tactics in order to become ever-more convincing. There are some signs that you can look out for to help you recognise a phishing email or text message.
The aim of a phishing scam is to look like they are from a company that you know or trust, such as your bank or credit card company. They often tell a story to trick you into clicking on a link or opening an attachment. This could be:
- Letting you know that they have noticed some suspicious activity or log-in attempts
- Claiming that there is a problem with your account or payment information
- Asking you to confirm personal information
- Sending you a fake invoice
- Claiming that you are eligible for a government refund or tax rebate
Next time you receive an email like this, there are a few things that you could check. Firstly, the email address that the message has come from. No legitimate organisation will be contacting you from an ‘@gmail’ or ‘@hotmail’ account domain, or similar. Instead, they will have their own email domain which will often be the name of the company i.e. @google.com or @nationwide.co.uk. If you are unsure what a company’s domain is, you should be able to find out via a simple Google search.
And don’t be fooled by simply looking at the sender’s name. It might say the name of your bank or another familiar organisation, but if you actually check out the email address then it might not match. If it’s not a match, then you can assume that the email is part of a phishing scam.
Another thing to keep a close eye out for is copy errors within the email/text. This could be spelling errors, grammatical errors such as not including a full stop at the end of a sentence, or something very subtle like including a space before a full stop at the end of a sentence, or a capital letter where it doesn’t belong. A phishing scam may simply be poorly written and worded in a strange way that you wouldn’t expect from a legitimate organisation. This should ring alarm bells.
Examples of phishing scams
Over the years, phishing scams have evolved to take on a few different formats. Here’s a handful of the most common that you may come across:
- Standard email phishing – the most widely known form, this is an attack to attempt to steal sensitive information via an email that appears to be from a legitimate organisation
- Malware phishing – similar to above, this attack encourages the target to click a link or download an attachment. From there, malware can be installed on the device
- Spear phishing – highly-targeted, well-researched attacks generally focused on business executives, public personas and other lucrative targets
- Smishing – refers to short links to smartphone users, often disguised as account notices or prize notifications
- Vishing – involves a malicious caller pretending to be from tech support, a government agency or other organisation, trying to extract personal information such as banking or credit card details
- Pharming – a tricky one to spot, this form of phishing reroutes legitimate web traffic to a spoofed page without the user’s knowledge, often to steal valuable information
- Clone phishing – this is where your email account becomes compromised and the scammer makes changes by swapping a legitimate link, attachment or other element with a malicious one, sending it to your contacts to spread the infection
- Business Email Compromise – involves a fake email pretending to be someone from within a company requesting urgent action. This can be wiring money or purchasing gift cards. This sophisticated tactic has been estimated to have caused nearly half of all cybercrime-related business losses in 2019
How to protect your business from phishing scams
No one wants to get caught out by a phishing scam, whether you are being targeted as an individual or as part of a business. However, there are things that you can be doing – and should be doing – to protect your organisation. It’s not enough to rely on your email spam filter as scammers are always finding ways to outsmart these. Instead, you should apply extra layers of protection to make it harder for scams to reach your network, such as security software, encryption and multi-factor authentication for access.
It may seem obvious but be aware of the red flags – and make sure your employees are too. Perhaps you could offer regular training to your team to give them the responsibility to be on guard for phishing scams. Make sure you keep up to date with any new scams that emerge and how you can combat them. Treat any unexpected emails or texts with suspicion and analyse them carefully before taking any action.
The best thing you can enforce when it comes to security is prevention. Do you have a security plan in place for your business and software? If not, you should seriously consider this. Ask yourself what would happen if one of your employees was to fall for a business email compromise phishing scam. How can you avoid this?
And it’s not only your business you should worry about – what about other businesses that you rely on? Do you have a software provider that you need in order to carry out your service? External threats could break your connection with them and you may not have a contractual right to access it. In this instance, make sure you have extra protection in place with SaaS Escrow. It protects your critical cloud-based and off-premise software in the event of your hosting provider going out of business, meaning you can access what’s yours for at least three months of business continuity.
If you are interested in making SaaS Escrow part of your security business plan, then we can help. Call LE&AS today on 0800 456 1115.
