It was National Fish and Chip Day on Friday and as much as we love haddock, we’re here to discuss a different type of slippery customer – cyber criminals and their phishing scams (no, that’s not a typo).
Cyber criminals are hooked on the method of phishing, which sees individuals being contacted by email, telephone or text message by someone posing to be from a legitimate organisation (sometimes even as colleague at the business they work for). The idea is to lure them into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
Sometimes a technique with a more targeted approach called spear phishing is used by hackers to gather personal information that is available publicly on the likes of social media platforms, company websites, or even online news stories.
According to the Cyber Security Breaches Survey 2021, phishing attacks are in fact now commonly considered to be the most disruptive types of violation to an organisation, with 62% of businesses reporting this to be the case.
How to catch a phish
Below is a list of key words and phrases that cybercriminals often use in emails when targeting their potential victims.
Urgency. “You must do this now” – here the attacker is trying to induce panic so that you don’t question the action being asked of you.
Authority. Messages appear to come from a boss, colleague or company you engage with regularly.
Mimicry. Attackers send messages that exploit your daily habits such as “please review your calendar entry. Click here.”
Curiosity. Enticing you with something like “breaking news”.
What should I do if I reel in a phish?
· Think before you click
· Verify the communication without replying to the message, instead call the person who apparently sent it directly and don’t use the information in the email or text message
· Seek advice from an external party
What can I do to protect my business?
· Staff training – ensure they know about phishing and the tactics used. Consider getting your staff to craft a phishing email so they really think about what would make them act
· Know what information exists about you and your business that would make a phish appear more genuine
· Consider your technical defence by implementing DMARC, SPF, DKIM, TLS. To read the NCSC guidance about these terms and how you can implement them click on the links below:
For IT managers: Email security and anti-spoofing - NCSC.GOV.UK
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a system which helps confirm the sender’s identity
SPF (Sender Policy Framework) allows you to publish IP addresses which should be trusted for your domain
DKIM (Domain Keys Identified Mail) allows you to cryptographically sign emails you send to show it’s from your domain
TLS (Transport Layer Security) ensures your system is capable of sending and receiving email using TLS.
The Cyber Resilience Centre for Wales offers closed, half-day security awareness training for staff as a business starter membership bolt-on and is also available as a standalone service.
Alternatively, our student services options include bespoke corporate and individual internet investigations to understand what could be used in spear phishing.