It may be National Fish and Chip Day this Friday (4 June) and while we love haddock, we’re here to discuss a different type of slippery customer – cyber criminals and their phishing scams (no, that’s not a typo).
Cyber criminals are hooked on phishing: individuals are contacted by email, telephone or text message by someone posing as a legitimate organisation, in order to lure them into handing over sensitive data such as personally identifiable information, banking and credit card details, and passwords.
Spear phishing is the more targeted form of the same technique: attackers first gather personal information that is publicly available on social media platforms, company websites or even news stories, and use it to make the message convincing.
Phishing attacks are now commonly considered the most disruptive type of breach that organisations face: according to the Cyber Security Breaches Survey 2021, 62% of businesses reported this to be the case.
So how can you catch a phish?
Below is a list of the key tactics that cyber criminals use in emails when targeting potential victims.
Urgency – “you must do this now”: the attacker is trying to make you panic so that you don’t question the action being asked of you
Authority – messages appearing to come from a boss, a colleague or a company you deal with regularly
Mimicry – messages that exploit your daily habits, such as “please review your calendar entry – click here”
Curiosity – enticing you with something like “breaking news”
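The four lures above each leave a trace that can be checked mechanically before anyone clicks. The following Python script is an added example (not code from the original post or from the Eastern Cyber Resilience Centre): it takes a raw email, looks for the authority lure (display name borrowing the organisation’s name while the address is external, or a Reply-To pointing elsewhere), the urgency and curiosity lures (phrase lists, which are assumed and illustrative), and the mimicry lure (link text showing one host while the href points to another). The two sample messages and the domain acme.example are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Illustrative phrase lists for the "urgency" and "curiosity" lures (assumed, not exhaustive).
URGENCY_PHRASES = ("you must do this now", "immediately", "within 24 hours", "account will be suspended")
CURIOSITY_PHRASES = ("breaking news", "you won't believe")


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    """Hostname of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_email, internal_domain):
    """Return the list of lure indicators found in one RFC 5322 message string."""
    msg = message_from_string(raw_email)
    found = []
    internal_domain = internal_domain.lower()
    org_name = internal_domain.split(".")[0]  # e.g. "acme" from "acme.example"

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    # Authority lure: the display name borrows the organisation's name, but the address is external.
    if org_name in display_name.lower() and from_domain != internal_domain:
        found.append("authority")
    # Replies are routed to a domain other than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        found.append("reply_to_mismatch")

    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    lowered = body.lower()
    if any(p in lowered for p in URGENCY_PHRASES):
        found.append("urgency")
    if any(p in lowered for p in CURIOSITY_PHRASES):
        found.append("curiosity")

    # Mimicry lure: the visible link text names one host while the href points to another.
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        if _host(text) and _host(text) != _host(href):
            found.append("link_mismatch")
            break
    return found


# Constructed sample messages for the hypothetical domain acme.example (not real mail).
PHISH_SAMPLE = """\
From: "Acme Payroll" <payroll-update@acme-mail-secure.example>
Reply-To: collections@external.example
To: staff@acme.example
Subject: Action required: review your calendar entry
Content-Type: text/html; charset=utf-8

<p>You must do this now or your account will be suspended within 24 hours.</p>
<p>Please review your calendar entry:
<a href="http://acme-mail-secure.example/login">https://calendar.acme.example/entry/42</a></p>
"""

BENIGN_SAMPLE = """\
From: "Acme IT" <it@acme.example>
To: staff@acme.example
Subject: Canteen menu
Content-Type: text/plain; charset=utf-8

The canteen menu has been updated. See the intranet for details.
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH_SAMPLE, "acme.example"))
    print("benign:", phishing_indicators(BENIGN_SAMPLE, "acme.example"))
```

Each indicator on its own is only a hint (a genuine newsletter may well say “breaking news”), so the practical use is to flag a message for a second look or for the verification steps described further down, not to block it outright.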
What should I do if I reel in a phish?
Think before you click
Verify the communication without replying to the message: for example, call the sender directly using contact details you already hold, not the details given in the email or text message
Seek advice from an external party
What can I do to protect my business?
Staff training – ensure staff know about phishing and the tactics used; consider getting them to craft a phishing email themselves so they really think about what would make them act
Know what information exists about you and your business that would make a phish appear more genuine
Consider your technical defences by implementing DMARC, SPF, DKIM and TLS. To read the NCSC guidance on these terms and how to implement them, see the links below:
o For IT managers: Email security and anti-spoofing - NCSC.GOV.UK
o DMARC (Domain-based Message Authentication, Reporting and Conformance) is a system which helps receiving mail servers confirm that the sender is who they claim to be
o SPF (Sender Policy Framework) lets you publish the IP addresses that are allowed to send email for your domain
o DKIM (DomainKeys Identified Mail) lets you cryptographically sign the emails you send to show they come from your domain
o TLS (Transport Layer Security) encrypts email in transit; make sure your mail system can send and receive email over TLS
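SPF, DKIM and DMARC are all published as DNS TXT records, and a record that exists but is weak (SPF ending in “+all”, DMARC with “p=none”) gives little protection. The following Python script is an added example, not code from the original post or from the NCSC or the Eastern Cyber Resilience Centre: it parses the three record types and reports the weak settings beside the corrected ones. The records, the domain acme.example and the DKIM key value are constructed placeholders; the checks themselves (the SPF “all” qualifier, the limit of 10 DNS-lookup mechanisms, the DMARC policy, reporting address and pct tag, and the DKIM empty-key and testing flag) follow the published standards for each mechanism.

```python
# Constructed example records for the hypothetical domain acme.example (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.mailhost.example +all"
HARDENED_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@acme.example; adkim=s; aspf=s"
# The p= value here is a placeholder, not a real public key.
DKIM_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def _parse_tags(record):
    """Split a 'k=v; k=v' style TXT record (the form DMARC and DKIM use) into a dict."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        key, value = item.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses found in an SPF record (empty list means no findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    findings, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("redirect="):
            lookups += 1
            continue
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("spf: no 'all' mechanism, so unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("spf: '+all' authorises every sender on the internet; use '-all' (or '~all')")
    elif all_qualifier == "?":
        findings.append("spf: '?all' is neutral and gives receivers nothing to act on")
    if lookups > 10:
        findings.append(f"spf: {lookups} DNS-lookup mechanisms exceeds the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Return a list of weaknesses found in a DMARC record."""
    tags = _parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("dmarc: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("dmarc: p= tag missing or invalid")
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"dmarc: pct={pct} applies the policy to only part of your mail")
    return findings


def assess_dkim(record):
    """Return a list of weaknesses found in a DKIM selector record (v= defaults to DKIM1)."""
    tags = _parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM record")
    findings = []
    if not tags.get("p"):
        findings.append("dkim: empty p= means the key is revoked; signatures will not verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("dkim: t=y marks the domain as still testing, so verifiers do not rely on the signature")
    return findings


if __name__ == "__main__":
    for label, fn, rec in (("weak SPF", assess_spf, WEAK_SPF), ("hardened SPF", assess_spf, HARDENED_SPF),
                           ("weak DMARC", assess_dmarc, WEAK_DMARC), ("hardened DMARC", assess_dmarc, HARDENED_DMARC),
                           ("DKIM", assess_dkim, DKIM_RECORD)):
        print(f"{label}: {fn(rec) or ['no findings']}")
```

To run this against your own domain you would fetch the TXT records for the domain itself (SPF), _dmarc.<domain> (DMARC) and <selector>._domainkey.<domain> (DKIM) with your usual DNS tool and feed the strings in; the script deliberately does no network lookups so it runs offline on the constructed records above.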
For those keen to learn more, the Eastern Cyber Resilience Centre business starter membership offers a bolt-on option of a closed half-day staff awareness session, which can also be accessed as a stand-alone service.
Alternatively, our student services provide bespoke corporate and individual internet investigations to understand what information about you could be used in spear phishing.