The significance of phishing in modern-day society can be swiftly underlined by considering a few statistics. Over three-quarters of companies reported phishing attacks last year. Of these, malicious links now outweigh malicious attachments by four to one, which sidesteps much of the protection offered by attachment-scanning antivirus tools: a link carries no payload to scan until someone clicks it. And by the end of last year, Symantec research suggests almost 55 per cent of incoming emails were spam.
Plenty more phish in the sea
Email has traditionally been the scammer’s medium of choice, but the messages it carries now increasingly impersonate other service providers. Proofpoint recently assembled statistics on the 20 most commonly impersonated platforms in email phishing attacks, and Dropbox-themed messages comprised around 40 per cent of the total. This dwarfed Office- or Adobe-themed phishing, while PayPal’s improved security has seen it drop to tenth in the list, behind DocuSign. Interestingly, Netflix phishing attacks were greater in volume than LinkedIn- or OneDrive-based scams, reflecting the burgeoning popularity of online streaming services. It’s surely only a matter of time before Spotify makes an appearance in a future Proofpoint top 20 list.
The first takeaway from this analysis is that authenticity should never be assumed when an email arrives. The best way to avoid falling victim to phishing fraud is never to click on an email link, no matter how plausible it appears. This leads us on to the second point of order – pay close attention to the message’s design and presentation for clues about its legitimacy.
Here are five key areas to consider:
1. Sloppy presentation.
If an email arrives with missing images, it’s worth approaching with suspicion. Equally, if you need to scroll midway down the page to view content, it suggests the originators weren’t overly concerned with professionalism. Other giveaways include odd line spacing, text overlapping graphics, and the absence of an Unsubscribe link.
2. Spelling, grammatical or punctuation errors.
It’s not unreasonable to expect anyone sending you an email to be based in the UK, or at least in an English-speaking country. Illogical use of commas suggests unfamiliarity with the nuances of written English, while multiple spelling errors are a huge red warning sign. Bear in mind, though, that the absence of such errors proves nothing: well-resourced criminals copy a brand’s real templates word for word.
3. A lack of personal identification.
No self-respecting business would start an email with the words “Dear valued customer”, or without including an account number. Don’t accept the presence of a valid password as a sign of authenticity – databases of harvested user passwords are ten-a-penny on the Dark Web, and many people share passwords across many online accounts.
4. A sense of urgency.
This is a phenomenon associated with banking phishing, where criminals are trying to rush people into disseminating financial information before they have time to reflect on what’s being asked of them. If any messages arrive asking for an instant response, step back and consider why it’s so important you reply immediately. (Hint: it probably isn’t).
5. Strange domain suffixes.
For those of you not familiar with domain suffixes, these are the final part of any website or email address – ours is .net. You’d expect emails and domain names to end with .com, .co.uk or another mainstream suffix. What you wouldn’t expect is a domain ending in .ru, .gq or .men. Never click on an email address or hyperlink; hover your cursor over them instead and read the address that appears. Both the link text and the sender’s display name can be set to anything, so the name you see may bear no resemblance to the actual address or destination. A mainstream suffix is not proof of legitimacy either: criminals register look-alike names (a brand name with one letter swapped, or spelt with foreign-alphabet characters that render as familiar letters) and put the real brand name in a subdomain of a domain they control, so the words before the suffix matter just as much as the suffix itself.
Often produced in a hurry, many phishing emails are relatively easy to spot, but the better-crafted ones are not, and you can’t assume everyone in your firm is constantly being vigilant. As a result, any IT or marketing manager should undertake a few simple steps to raise awareness across the company:
- Start a conversation with your colleagues. Explain to staff what phishing is – some people might not differentiate it from conventional malware, despite the obvious differences. Post-GDPR, it’s crucial for employees to recognise the weight of their actions when it comes to data protection and security. This applies to managers and directors just as much as junior personnel.
- Advise staff to approach certain email topics with suspicion. The five most common types of phishing attacks concern billing and invoicing, message delivery failure, enforcement, document scans or package deliveries. Whenever one of these messages turns up unexpectedly, consider whether it may be legitimate before opening an attached file or clicking on a link, and verify with the supposed sender through a channel you already trust rather than by replying.
- Send a test message and see who falls for it. Create an attachment explaining your company’s policy on phishing, give it a generic file name, and attach it to a message sent from an email account none of your staff would recognise. Anyone who opens the attachment will realise they’ve been hoaxed, making them far less likely to fall for a real phishing attack in future. Agree the exercise with management beforehand and use the results for training rather than blame; the goal is for staff to report suspicious messages, not to catch them out.