What is a phishing attack?

Cybercrime costs the UK economy an estimated £27 billion with phishing the most common type of attack. Unfortunately, as criminals become more sophisticated, scams can be harder to detect. To help you stay one step ahead, here’s what you should know about phishing and how you can keep your business safe.

What is phishing?

Phishing is a way of getting you to disclose personal information which can be used to steal money from you. Criminals will do this by masquerading as a legitimate business or organisation using fake emails or websites.

The technique is also a way to infiltrate your computer network in order to install malware (malicious software) which can corrupt your data. Again – the end goal is to extort money and criminals will ask you to pay a ransom in order to decrypt your files.

Phishing is one of the oldest types of cybercrime and started back in the 1990s. The very fact it’s been around so long highlights how effective it is at helping criminals get what they want.

Why is it called phishing and not fishing?

Phishing is a technique that ‘baits’ users which is where the fishing analogy comes from. The use of ‘ph’ instead of just calling it ‘fishing’ is rumoured to be a nod back to an even older type of scam called phone phreaking.

How does a phishing attack work?

Fundamentally, phishing is about making you give up information willingly through deception – even sensitive information like usernames, passwords or credit card and bank details.

In most examples of phishing, criminals will send their victims some sort of communication. This is usually an email, but it could a text message or even via a website.

It’s important not to underestimate just how convincing phishing attacks can be. It’s a method that’s so well evolved that phishing is now an umbrella term that covers an entire range of specific attacks. Types of phishing include:

Email phishing

This is the simplest type of deception. A criminal will pose as a genuine client, business or organisation. In many cases, it’s a simple message that asks you to log in to your account or make a payment for something.

Email phishing is typically done on a blanket scale and thousands of people can be targeted at once in the hope that a handful will be duped.

Spear phishing

This is very similar to email phishing but in these examples, a specific person is targeted. Criminals may also already have information about the person they target which can make emails appear even more convincing.

Whaling

Another targeted form of phishing, this time aimed at management. As this is directed at senior executives, the deception is often far more sophisticated and can be very subtle.

Criminals carrying out whaling scams tend to focus on sending fake emails from government agencies such as HMRC.

Angler phishing

This centres on social media and deceiving victims through fake posts, tweets and mentions. When users click on links, they unwittingly download malware, giving criminals access to their social media accounts.

Fake websites

Criminals send phishing emails with links to fake or dummy websites that pose as the real one. These can be very convincing, and criminals can even buy packages known as exploit kits to make their deceptions appear genuine.

Smishing and vishing

Smishing is duping victims using their mobile phone – for example through text messages or in-app purchases. Vishing is similar but uses voicemail rather than text.

A common theme in all phishing examples, is urgency. Criminals will try and convince you that action needs to be taken immediately by suggesting your account has been suspended or (ironically) hacked. They may also say that you owe money to HMRC or haven’t paid vehicle excise duty (car tax).

How to prevent phishing attacks

Even if your business has a secure email gateway (SEG) to filter out potential harmful emails, phishing is hard to stop using software. In reality, the only defence you have, is knowledge and staff awareness.

With that in mind, ask yourself and ask your employees to consider these points before they give up personal information:

• Check the sender’s email address. Criminals often manipulate domain names to appear legitimate. Typos are common (for example Gogle instead of Google or Pay_Pal instead of PayPal. Increasingly, scammers are substituting Latin letters used in the English alphabet with similar letters from the Cyrillic alphabet.
• Check grammar and spelling. It’s highly unlikely that large scale organisations will send out badly structured emails with spelling mistakes so look for errors. Also look out for changes in spelling part way through (for example, inquire vs enquire). British firms will also use British rather than American spellings (for example offence vs offense).
• Never use the contact details provided. Scammers sometimes include a phone number urging you to call them to resolve the matter. Never use the number provided. If they’re posing as an organisation you have genuine interaction with (for example, BT, your bank or HMRC) call them using a number you have sourced yourself.
• Don’t panic. Urgency and the importance of immediate action is a common theme in all forms of phishing. Statements such as ‘your credit card has been compromised’ or ‘you must update your password’ are used to make you panic and should serve as a red flag. Simply pausing to check the email for typos, poor grammar or a manipulated domain name can help keep your information safe.
• Train staff and stay alert. Cyber security is crucial, especially as so many businesses store and manage sensitive data. Training staff to be aware of the tricks techniques scammers use is the best way to protect your organisation from cybercriminals.

How serious is phishing?

Phishing might be an old method of scamming but it’s effective and highly evolved and increasing numbers of businesses are falling prey. The most recent government data reveals that:

• Phishing is the number one type of cyberattack.
• Incidents of phishing increased from 72% in 2017 to 86% in the 12 months to 2019.
• 67% of businesses consider phishing to be the most disruptive type of cyberattack.
• Phishing has scammed around $12 billion (around £10 billion) from firms in the UK, Europe and US since 2013.
• 90% of phishing emails were found in places using secure email gateways.

Can cyber insurance protect businesses?

Policies can’t protect you from becoming a victim of a cyberattack, but it can help you manage the consequences including cover for extortion and fraud. Policies can also compensate you for business interruption and data loss.

At Alan Boswell Group, we also understand that the type of cyber insurance policy that’s right for you, will depend on the nature of your business.

To find out more about how we can help you and your business, head to our cyber insurance hub. Alternatively, you can speak to an expert member of our team for bespoke advice on 01603 218000.