Phishing is an insidious attack that seeks to part you from your personal data or your money. At its earlier height it targeted individuals in order to steal their identities or their bank account details. Now the prime target is smaller businesses: organizations that don’t have the luxury of an IT team and that tend to rely on free tools to protect their networks.
Dave’s Computers gets a lot of inquiries from small businesses and sole contractors that revolve around data security and recovery. We can help in many of these cases, but one thing we cannot do is undo a phishing attack. The nature of these attacks means that once you have responded to one, the data or money is already gone. We can clean your systems of malware, but that is all any IT consultant can do.
What is phishing?
Phishing is where a scammer sends a legitimate-looking email purporting to be from your bank, a client, a vendor, UPS or another real company. The logo looks the same, the text looks the same, and the email even uses the same font and language that real emails from that company use. Often only slight variations in wording tell them apart.
The sophistication of these phishing emails is what causes the problem. They look, sound and feel legitimate. The attachment or link may pass straight through your malware scanner, and it is all too easy to fall prey to them.
There are other forms of phishing too, such as redirecting you to a clone of your bank’s website, or a fake Wi-Fi access point set up close to a real one. Fake SMS messages, known as smishing, are also gaining in popularity. These are less common but still a risk.
How to identify a phishing email
There are five main types of phishing email:
- Social media special offers.
- Fake invoices or requests for payment from suppliers or vendors.
- Fake warnings from your bank or credit card company.
- Fake requests for information from interested would-be customers.
- Fake job ads.
Social media special offers
These are generally ads on social networks offering massive discounts on iPhones or cash rewards for completing a questionnaire. The trouble is, lots of legitimate companies run completely honest campaigns just like this. Telling which is which is almost impossible, so it’s best to ignore them completely.
Fake invoices or requests for payment from suppliers or vendors
This is a very common phishing attack directed at small businesses. An email arrives purporting to offer payment for goods or services, or with an invoice attached. It looks and feels real, and the attachment claims to be an .xls or .docx file. Except it often isn’t: it is a disguised malware executable. Windows hides known file extensions by default, so a file named “Invoice.docx.exe” is shown as “Invoice.docx” and the icon can be made to match.
If you’re lucky, you will merely be asked to fill in a web form in order to receive payment. If you’re unlucky, spyware is installed on your computer the moment you open the attachment, ready to harvest all the information it can get.
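The check below is an added example written for this article; it is not a Dave’s Computers tool. It looks at the first bytes of an attachment (the “magic number”) and compares what the content actually is with what the file name claims, which is exactly how a disguised executable named “Invoice.xls” or “Invoice.pdf.exe” gets caught. The sample file contents and names are constructed for the demonstration.

```python
# Added example (not Dave's Computers' tooling): does an attachment's content
# match what its file name claims? Real .docx/.xlsx files are ZIP archives,
# legacy .doc/.xls are OLE2 containers, and Windows executables start with "MZ".

MAGIC = [  # (leading bytes, detected container type)
    (b"MZ", "exe"),                                # Windows PE executable (.exe, .scr, .dll)
    (b"PK\x03\x04", "zip"),                        # ZIP: .docx/.xlsx/.pptx are ZIP archives
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # OLE2: legacy .doc/.xls/.ppt, also .msi
    (b"%PDF-", "pdf"),
]

# What the content should be for a given claimed extension.
EXPECTED = {
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip",
    "doc": "ole", "xls": "ole", "ppt": "ole",
    "pdf": "pdf", "exe": "exe",
}

# Extensions Windows runs directly; none of them belong in an unsolicited invoice.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "hta", "lnk", "msi"}

# Constructed sample contents: a PE header stub and the start of a ZIP local file header.
SAMPLE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50
SAMPLE_DOCX = b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 22 + b"[Content_Types].xml"


def sniff(data: bytes) -> str:
    """Identify the container type from the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected content and list every mismatch."""
    labels = name.lower().split(".")
    ext = labels[-1] if len(labels) > 1 else ""
    detected = sniff(data)
    reasons = []
    if "\u202e" in name:
        # Right-to-left override: "Invoice\u202excod.exe" is displayed as "Invoiceexe.docx".
        reasons.append("right-to-left override character in file name hides the real extension")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f".{ext} is directly executable")
    if len(labels) > 2 and labels[-2] in EXPECTED and ext in EXECUTABLE_EXTS:
        reasons.append("double extension: a document extension followed by an executable one")
    if detected == "exe" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"content is a Windows executable but the name claims .{ext}")
    elif ext in EXPECTED and EXPECTED[ext] != detected:
        reasons.append(f"content ({detected}) is not what a real .{ext} file looks like")
    # "consistent" only means name and content agree; a genuine .docx/.xls can still
    # carry malicious macros, so the sender still has to be verified.
    return {"name": name, "claimed": ext, "detected": detected,
            "verdict": "block" if reasons else "consistent", "reasons": reasons}


if __name__ == "__main__":
    for name, data in [("Invoice_4471.xls", SAMPLE_EXE),
                       ("Invoice_4471.docx", SAMPLE_DOCX),
                       ("Invoice.pdf.exe", SAMPLE_EXE),
                       ("Invoice\u202excod.exe", SAMPLE_EXE)]:
        result = classify_attachment(name, data)
        print(f"{name!r}: {result['verdict']} {result['reasons']}")
```

Magic-byte sniffing catches the disguised executable, which is the case the text describes. It does not catch a real spreadsheet with a malicious macro, which is why the verdict for a consistent file is “consistent” rather than “safe”.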
Fake warnings from your bank or credit card company
This phishing scam has been around for years but has grown more sophisticated. The email looks and feels legitimate; hover over the links and the URL contains what looks like the bank’s domain. Some even offer a phone number you can call to complete the process. Except the link doesn’t go to the bank’s website and the number doesn’t go to the bank’s call center. The giveaway is where the bank’s name sits in the address: the real site is the part just before the first single slash, so in an address like “examplebank.com.account-verify.net” you are going to account-verify.net, and the bank’s name at the front is a decoy.
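As an added example (written for this article, not a product of Dave’s Computers or any bank), the script below pulls every link out of an HTML email body and explains, for each one, why the place it really goes may not be the bank it names. The email body and the domain examplebank.com are constructed for the demonstration; the checks are the same ones you do by eye when you hover over a link.

```python
# Added example, not Dave's Computers' tooling: extract the links from an HTML
# email and compare where each one really points with the bank it claims to be.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body; examplebank.com stands in for the real bank.
SAMPLE_HTML = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p><a href="https://examplebank.com.account-verify.net/login">Log in to examplebank.com</a></p>
<p><a href="https://www.examplebank.com/">https://www.examplebank.com/</a></p>
<p><a href="http://198.51.100.23/secure">Verify now</a></p>
<p><a href="https://examplebank.com@secure-banking-portal.net/">Confirm your details</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def assess_link(href: str, text: str, expected_domain: str) -> dict:
    """List every reason the link's real target is not the expected bank."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        # "https://examplebank.com@evil.net/": everything before '@' is ignored by the browser.
        reasons.append(f"text before '@' is a decoy; the browser connects to {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: may be a lookalike using non-Latin letters")
    if parts.scheme == "http":
        reasons.append("plain http, not https")
    if not host_matches(host, expected_domain):
        if expected_domain in host:
            reasons.append(f"'{expected_domain}' appears in the address but the real site is {host}")
        else:
            reasons.append(f"target {host!r} is not {expected_domain}")
    # If the visible link text shows a domain, it has to agree with the real target.
    shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", text.lower())
    if shown and not host_matches(host, shown.group(0)) and not host_matches(shown.group(0), host):
        reasons.append(f"displayed as {shown.group(0)} but points to {host}")
    return {"href": href, "text": text, "host": host, "reasons": reasons}


def assess_email_links(html: str, expected_domain: str) -> list:
    parser = LinkExtractor()
    parser.feed(html)
    return [assess_link(href, text, expected_domain) for href, text in parser.links]


if __name__ == "__main__":
    for result in assess_email_links(SAMPLE_HTML, "examplebank.com"):
        status = "OK" if not result["reasons"] else "SUSPICIOUS"
        print(f"{status}: {result['href']}")
        for reason in result["reasons"]:
            print(f"    - {reason}")
```

Only the second link survives: it is the bank’s own domain and the text matches the target. The others show the three usual tricks, the bank’s name used as a prefix of somebody else’s domain, a bare IP address, and a decoy in front of an “@”. Even so, a link that passes every check is still only as trustworthy as the email it came in, which is why the advice further down is to type the bank’s address yourself.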
Fake requests for information from interested would-be customers
Most businesses are more than happy to supply service and product information to potential customers; in fact, it is a necessary part of doing business. The scam works by hooking an organization with an ordinary-looking inquiry and then gradually asking for more and more information, until eventually financial details or confidential company information are requested.
Fake job ads
Fake job ads target both individuals looking for a job and companies looking for staff. Emails or ads offer to find work or employees and provide a link to a website. The link either takes you to a web form that asks a series of detailed personal questions, or sends you to an infected page that downloads malware without you realizing it.
How to avoid phishing attacks
Do you notice the one theme that runs through all of those attack types? They all require action from the user to work. Remove the human element and they all fail. Therefore, a good email filtering system and user education are the order of the day.
Email filters are commercial products that remove many email threats before they are even delivered. Many are provided from the cloud and billed per seat, so you only pay for what you use. Some are more effective than others, so do your research to find the right one for your needs.
User education is the single most effective way to avoid phishing. Teach your staff to:
- Ignore unsolicited emails wherever possible. Ask if you’re not sure.
- Never open an email attachment unless they have verified the sender.
- Never click on email links from outside the company. If you must check, type the bank’s, card company’s or vendor’s URL manually in a separate browser window. Do not use the URL provided in the email.
- Ignore social media advertising. If the offer seems too good to be true, it probably is.
- Only use well known job sites to find work or employees.
Creating a pro forma customer information pack for inquiries is also useful if you are a business, as is arranging a telephone consultation with prospective customers to determine whether they are legitimate. While we want you to be careful, we certainly don’t want you to lose business!
Companies do not need personal details for B2B transactions. They have no need to know your date of birth, social security number, company bank account number or anything like that. If in doubt, verify. Use a phone number or address you already have on file, not one supplied in the email itself. No legitimate business will mind you double-checking through other means; in fact, they will likely welcome the fact that you are being careful.
Stay safe out there!