If you haven’t received one of the numerous phishing emails or texts over the past few years – you are living under a rock or suffer from immeasurable good luck. Chances are, you have received one and just didn’t realise what it was. Best case scenario – it went into your spam folder never to be heard from again, worst case – you now have a large hole in your bank account where your money used to be.
‘Phishing’ usually refers to fraudulent emails, text messages or robot-calls that trick people into giving out their personal and financial data with the purpose of network infiltration, identity theft or simple money siphoning. The information cyber criminals are after can be anything from usernames, passwords and Social Security numbers, to credit card numbers and other sensitive information.
Phishing takes the form of a mass attack, where messages appear to come from well-known companies such as banks or websites with a large user base such as Facebook, Twitter, Amazon, PayPal, or eBay. Phishing emails often look genuine, using an organisation’s logo and message format, and use what look to be authentic internet addresses that link to websites that are convincing fakes of real companies’ home pages.
At the corporate level, cyber criminals can target a company’s staff in an effort to steal the company’s confidential information such as trade secrets, military information, personnel information, corporate intellectual property, etc. This usually takes the form of spear-phishing, which is similar to phishing but is usually aimed at a specific company; cyber criminals often disguise their messages as coming from an individual in a position of authority within the company or organisation they wish to infiltrate.
The goal of a spear-phishing attack is ultimately the same as a phishing attack—to coerce a target into opening an attachment or clicking an embedded link—but it is much more sophisticated and elaborate, combining several tactics including sender impersonation and enticement.
The common objective of this technique is to compromise the victim’s machine by stealthily inserting a backdoor which seeks to obtain unauthorised access to confidential data remotely. A successful spear-phishing attack can establish sustainable, long-term access to an organisation’s information assets. Once a link is clicked or an attachment is opened, the door to the network is established, allowing the attacker to move forward with the advanced targeted attack. The collected information can then be sold for material gain or used to the cyber-criminal’s benefit and most likely to the detriment of the targeted entity.
Because spear-phishing combines technology and social engineering to breach an environment, it is very hard to defend against. Nevertheless, the most effective defence against these potentially devastating attacks is a combination of testing, training and awareness.
To combat phishing at an organisational level, your company should perform frequent testing of its security awareness programs, including simulations of spear-phishing attacks, in order to gauge the effectiveness of the awareness programs and controls that are intended to reduce the likelihood of success of these types of attacks.
To protect yourself at a personal level:
Do not give out your personal, credit card or online account details over the phone unless you made the call and know that the phone number came from a trusted source, like your bank statement.
Only provide personal or financial information through an organisation’s website if you typed in the web address yourself and if you see signals that the site is secure (e.g. the URL begins with https, where the “s” stands for ‘secure’). Typing the correct URL is the best way to be sure you’re not redirected to a spoofed site.
Be cautious about opening attachments and downloading files from emails, regardless of who sent them.
Never send your personal, credit card or online account details through an email.
Do not click on any links in a spam or suspicious email or open any files attached to them.
Below are several examples of typical phishing messages:
“We suspect an unauthorised transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
“During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
And an oldie but a goodie – “Our records indicate that your account was overcharged. You must call within 7 days to receive your refund.”
If the above failed to give you the willies, for a truly frightening experience see further examples below. (DISCLAIMER: Not for the faint-hearted)
Example 1 – Fraudulent website
Example 2 – Fraudulent SMS
Example 3 – Fraudulent e-mail