Phishing has very much evolved from the early days where you would receive a random email from someone you have never even heard of, asking for your bank details to send money in order to help them.
Nowadays, the types of emails that are sent have become more advanced and impersonation is one of the most common themes.
Unfortunately, no matter how good your security is, the ever changing nature of phishing emails means that some will inevitably make it to your inbox.
Common types of phishing email:
Standard Phishing: The email will be designed to appear as if from a legitimate organisation e.g. Microsoft, Paypal or Amazon and will often contain a warning of some sort regarding your account. The links in these emails will often lead to a fake website (which looks real) where you will enter your credentials – then they have you. More advanced attackers will even take over the real website so that when you login everything looks normal, however your user information has been intercepted in the process. If in doubt, always best to close the email and access the website manually via your web browser.
Spear Phishing: This type of email will often be customised with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. Again the purpose is to steal your user credentials in some way. It may contain an attachment of some sort which if clicked will likely cause some malicious software to be downloaded in order to compromise your system.
CEO Fraud: Attackers will either take over an account of someone at the top of the organisation or construct emails that appears to be from them in an attempt to authorise transfers of money. To avoid this, it may be best to have a policy of not authorising payments via email.
Useful tips for how to detect a phishing email:
1. Implement Advanced Network Security
A complete Network Solution Security Solution should protect your system from external threats.
Tackle malware, hacking attempts, phishing schemes and other exploits before they ever reach your users. It should also allow you to filter content and block porn, gambling, videos, social networks, shopping sites and other inappropriate content or applications.
With Internet of Things (IoT) your network security system should tackle the challenges of a remote workforce, branch offices, guest Wi-Fi and any devices connected to internet. It should also provide detailed views of the traffic on their networks. See who’s doing what and when on your network. Set policies by user, group, device, time and more. Get complete visibility and control over traffic. Create alert rules to stay on top of threats, policy breaches or system status.
2. Train Employees to be able to identify threats
Even the most advanced Network Security Solutions with Phishing, Virus and Spam blockers cannot stop 100% of the threats. It is vital for every organisation that employees are properly trained on how to identify cyber threats and how to deal with them.
The email subject and content A phishing email will often appear to be urgent or desperate in some way, for example it may say “you need to respond urgently” or “your account has been deactivated”.
What is the email about – is it asking for something? You should be instantly suspicious if the email is asking you to enter or update any personal details.
You should also check the content – sometimes the email will contain various errors in spelling or grammar, or is just written badly.
Common example: An email appearing to be from the bank asking you to update your personal information urgently.
Sender Address Check the sender – is the email from someone you are expecting?
A common trick will be the sender appears to be from someone you know, but when you drill down into the sender you will see the email address does not actually match.
Attachments and Links If the email contains links to unknown files or sources that you are not expecting, this is suspicious!
It is often a giveaway if you hover over the link and it does not look like a legitimate website. (But remember not to click on it!)
If you are not sure about any email then it is always best to contact the individual or organisation directly to verify (not from a link within the email of course).
Intsys UK have developed Training Courses to help employees Identify and Deal with phishing emails and other cyber threats.
Join us for this Training Course where we’ll look at:
-How to recognise phishing emails and bogus websites or social network posts. -Examples of malicious emails, websites, social network -How to deal with phishing emails and other threats
For more information contact training@intsysuk.com