Cyber Security from the Inside Out: keeping your organisation safe from phishing and spear phishing
In our fast-paced professional and personal lives we are used to receiving and opening emails and text messages all day long.
Most are from credible sources like friends, family, or work colleagues. But cyber criminals can take advantage of our busy lives and test our decision making through social engineering attacks in the form of phishing and spear phishing.
Staying informed and vigilant about this threat is key to keeping your people and your organisation safe. In this week’s Cyber Security from the Inside Out blog we give you the rundown on phishing and spear phishing, along with some great tips on how to spot phishing attempts.
Phishing and spear phishing - what’s the difference?
Phishing is a type of cyber attack in which criminals attempt to obtain sensitive information, like login credentials or payment details via bogus emails or text messages. Criminals impersonate organisations or individuals, and lure victims through the use of malicious attachments or links to illegitimate websites.
Spear phishing has the added element of targeting victims. Whereas phishing emails are usually sent to hundreds or thousands of recipients, spear phishing victims are thoroughly researched and messages are highly personalised.
Using a fishing analogy, phishing is an unplanned fishing trip. A beginner may buy a standard hook and fishing rod, sit and wait at the nearest lakeshore, and take their chances on what they may catch.
Spear phishing is planned. The attacker will use the appropriate type of hook with a specialised point, wait in the exact place the fish like to swim, and will use the appropriate bait for a particular type of fish.
When inspecting an email or a message asking you to open a link, download an attachment, or pass on sensitive details, ask yourself:
As a rule of thumb, don’t download anything that comes from an unexpected sender in an unexpected email. All email providers have a ‘report’ function, where you can report a message to your IT department, or directly to your provider. Do this if you receive a questionable attachment.
Spotting phishing links can be hard - we’ve curated some key things to look out for when you suspect that a URL may be a phishing attempt:
Hover before you click
You’ve received an unexpected email which tells you to click here to access your Outlook account, your bank account, or your employee work portal.
Phishing URLs and sites will often have the hover feature disabled. This means that placing your mouse over the hyperlinked text will not show you the URL of the website you will be taken to.
The right-click option, which would give you the chance to inspect the link, may also be disabled if the link is untrustworthy.
The email may tell you to access a link which hides the real domain name behind a URL shortening service, like the one here: https://bit.ly/3jKf1qo. Hovering over this link should also disclose the address of the website if the link is credible.
Inspecting the URL
You’ve hovered over the link and it reveals a URL. You’re not sure if it is suspicious or real. Here are some of the things you can look out for:
Spelling: Read the URL carefully to make sure that you cannot see any spelling mistakes.
Double slash redirection: A double slash, ‘//’, indicates that you are being redirected to a site. The only time you should be seeing ‘//’ within a URL is immediately after the protocol, for example ‘https://’.
@ symbol: Web browsers ignore everything that comes before the @ symbol in the address (it is treated as a username) and connect to whatever follows it. The symbol can therefore be used to masquerade a phishy domain name behind a trustworthy-looking prefix.
Hyphen prefix or suffix: Legitimate URLs rarely contain hyphens in the subdomain, or the domain name. These could be used to make a phishing website look like the real thing.
Double full stop: You wouldn’t expect a trustworthy domain to have more than one full stop. More than one full stop indicates more than one subdomain, making it hard for the naked eye to see the real destination of the URL.
IP address: Criminals may use an IP address to hide a spoofed URL. A legitimate domain name will never be replaced by a series of numbers. After all, most websites want to be identifiable from their domains.
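The checklist above can be turned into a simple screening function. This is an added example, not code from the original post; it implements the blog's rules of thumb, assumes a constructed list of expected domains for the "spelling" check, and allows a leading "www." when counting full stops.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed list of domains the reader expects to be sent to (assumption for
# the "spelling" check); a real deployment would use the organisation's own list.
EXPECTED_DOMAINS = ["outlook.com", "paypal.com", "example.com"]

def url_warning_signs(url: str) -> list[str]:
    """Return the names of the URL-inspection heuristics that the URL trips."""
    signs = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # '@' symbol: browsers treat everything before '@' in the authority part as
    # a username and connect to the host after it, so the visible prefix is bait.
    if "@" in parts.netloc:
        signs.append("at_symbol")

    # Double slash: '//' is only expected straight after the scheme ('https://').
    after_scheme = url.split("://", 1)[-1]
    if "//" in after_scheme:
        signs.append("double_slash")

    # Hyphen in the host name (sub-domain or domain label).
    if "-" in host:
        signs.append("hyphen_in_host")

    # IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        signs.append("ip_host")
        return signs  # the dot and spelling checks do not apply to an IP literal
    except ValueError:
        pass

    # More than one full stop: extra sub-domains hide the real destination.
    # A leading 'www.' is allowed, which the blog's rule of thumb does not spell out.
    bare = host[4:] if host.startswith("www.") else host
    if bare.count(".") > 1:
        signs.append("extra_subdomains")

    # Spelling: a registered domain that nearly matches an expected one is a lookalike.
    # Naive registered-domain extraction (last two labels) ignores suffixes like co.uk.
    registered = ".".join(bare.split(".")[-2:])
    for expected in EXPECTED_DOMAINS:
        if registered != expected and SequenceMatcher(None, registered, expected).ratio() >= 0.8:
            signs.append("lookalike_of_" + expected)
    return signs
```

The function is a screening aid only: a clean result does not prove a link is safe, and the checks will flag some legitimate multi-level or hyphenated domains.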
Additional tell-tale signs of phishing
Phishing links are likely to open in pop-up windows, while phishing websites will typically not have a Google index or rank.
Furthermore, phishing sites are often newly hosted domains, so a short domain age can also be a giveaway of a scam.
Giving the domain from the URL a quick search in your web browser can give you an idea of whether the website is credible and high ranking, or whether it is impersonating another site.
If any of these flag up, or you still think that something isn’t right, don’t ignore your instincts. Report the email to your IT team and email provider so that they can have a look at it.
A little bit of extra care can keep you safe and save the day.
Let us do the work
Our cyber safety communications and behaviour change programme, CyberSafe, contains everything your people need to know to keep themselves and your organisation safe online. It follows science-backed change management and behaviour change methodologies, proven to support long-term behaviour change.
Getting your people on board and engaged with cyber safety is key to keeping your cyber security strong, and your cyber security investments worthwhile. What are you waiting for?
Feeling stuck or need help bringing your communications ideas to life? Curious about what CyberSafe could do for your organisation? Send us an email firstname.lastname@example.org or visit our website insideoutconsulting.co.uk.