Did you know that your staff are officially the weakest link in your cyber security? The more staff you have, the more vulnerable your business and data become. If you’re not already running regular security and staff cyber training sessions, read on to find out why training your staff should be high on your cybersecurity to-do list.
What is Phishing?
Phishing is a type of social engineering in which a fraudulent message is sent with the intent of tricking the recipient into revealing sensitive or personal information. With this information the attacker can deploy ransomware, malware or other malicious code to gain access, steal data, demand or steal funds, or cause damage – and usually all of the above!
What Sort of Cyber Scams Are There?
Before we delve into Phishing, we may as well introduce some of the other ways cybercriminals are trying to capture data in order to hack companies. Online criminals are continuously improving their methods, and devising new and wonderful ways to breach businesses, including:
- Ransomware
- Malware
- CEO Fraud & Executive Fraud/BEC
- Online scams
- Email bombing
- Viruses
- Logic Bombs
- Social Media Spamming
- Software Piracy Scams
- Cyber Stalking
- Hacking
- DoS Hacking (Denial of Service)
- IoT hacking (Internet of Things)
- Social Engineering
- Cryptojacking
And believe us, there are MANY more…
What Are the Risks to My Business if we Suffer a Data Breach?
At the very least, the risks to your business following a data breach will be:
- Reputational Damage
- Operational Downtime
- Loss of Sensitive Data
- And Financial Loss
The financial impact of a data breach is probably the most immediate and hard-hitting consequence that your company would have to deal with. Even if you avoid paying any ransom to retrieve your data, legally you’ll have to report the breach. Once reported it will be made public knowledge and displayed on the gov.co.uk website, and the cost of the damage to your reputation could be devastating.
Some Cyber Stats
These stats aren’t pretty, but they highlight why you and your staff should be undertaking regular training and testing.
- Four in ten businesses (39%) and a quarter of charities (26%) have reported having cyber breaches in the last 12 months. Gov.co.uk
- Around half of businesses (53%) and over four in ten (45%) charities have reported seeking external information or guidance on cyber security in the past year. Gov.co.uk
- 2021 had the highest average cost of a data breach in 17 years from USD 3.86 million to USD 4.24 million. IBM
- The average cost of a breach where remote working was a factor was USD 1.7 million higher. IBM
- In July alone, IT Governance found 86 security incidents accounting for 33,727,641 breached records. The organisations suffering breaches included:
  New Skills Academy
  Guntrader.uk
  Oxford City Council
  National Lottery Community Fund
  and a Nottingham nurse who had been accessing the confidential medical records of people she met on online data profiles!
- In June this year, the US brought back its Cyber Most Wanted list, containing the most sought-after fugitives involved in its financially related cybercrime investigations.
- The penalties imposed by the ICO should your company be breached could be devastating, with a standard maximum fine of £8.1 million or 2% of total annual worldwide turnover in the preceding financial year – whichever is higher.
How does Phishing Work?
Phishing is, at its simplest, tricking the recipient into providing personal or company-specific details. It is also described as the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information. An attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. Phishing is one of many types of social engineering attack, and is often used to steal user data, including login credentials and credit card numbers.
Luckily there are really only two main types of phishing campaigns:
- Malicious attachments
- Links to malicious websites
And once you click on the link in your highly believable phishing email, you’ll be sent to a malicious site or landing page. Should you click through, these sites could use any of the following techniques:
- Pharming/DNS cache poisoning = a more advanced technique in which DNS records are tampered with so that users who type the genuine address are silently sent to the attacker’s copy of the site, where the credentials they enter are captured
- URL hijacking/Typosquatting = a fake website that looks like a legitimate one, registered under a misspelt or lookalike version of the real domain name, to which phishing emails direct their victims to enter sensitive information
- Clickjacking/UI redressing/iframe overlay = an attack that tricks a user into clicking a webpage element that is invisible or disguised as another element
- Tabnabbing and Reverse Tabnabbing = a type of phishing attack that manipulates an open but inactive browser tab, for example by replacing its content with a fake login page
There are also targeted phishing attacks:
- Clone Phishing
- Whaling/CEO Fraud
- BEC (Business Email Compromise)
And some others, but they’re not as widely used as those listed above.
How to Spot Phishing Email Scams
Some phishing scams are easy to spot because they’re just not very well designed: strange sender addresses, spelling mistakes, incorrect phrasing and inconsistent language, for example. Others are highly sophisticated: they imply urgency, are well branded and well researched, and are written to solicit an urgent response.
Here are the top 5 things to look out for when receiving an email. We suggest that, at the very least, your staff should be trained on these main points:
- Public email domains
- The spelling of domain names
- The content of the email, spelling, grammar and phrasing
- The destination of any links: hover over a link to check the URL before clicking through
- The phraseology of the email, is it demanding urgent attention?
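Four of the five checks above (public sender domains, the spelling of domain names, where a link really goes, and urgency wording), together with the typosquatting trick from the earlier list of landing pages, can be partly automated before an email ever reaches a person. The script below is an added example and is not code from the original post or from Fusion: the trusted domains, the free-mail list, the urgency phrases and the three sample messages are all constructed for illustration, and "registrable domain" is approximated by the last two labels of a hostname rather than a real public-suffix lookup. The spelling and grammar check is left to the reader.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical configuration for this example: the domains the organisation
# trusts, free-mail providers a "CEO" would not really write from, and the
# urgency phrases that should raise an eyebrow.
TRUSTED_DOMAINS = ("example-corp.com", "example-bank.com")
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "verify now")
DOMAIN_LIKE = re.compile(r"[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (a rough stand-in for a public-suffix lookup)."""
    parts = (host or "").lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(domain, threshold=0.8):
    """Trusted domain that `domain` closely resembles without equalling, else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    best = max(TRUSTED_DOMAINS, key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= threshold else None


def analyse_email(raw):
    """Return a list of (check, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # Checks 1 and 2: public sender domain, and lookalike spelling of a trusted domain
    _, addr = parseaddr(msg.get("From", ""))
    sender = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if sender in PUBLIC_MAIL_DOMAINS:
        findings.append(("public-domain", sender))
    target = lookalike_of(sender)
    if target:
        findings.append(("lookalike-sender", f"{sender} resembles {target}"))

    body = "".join(part.get_payload() for part in msg.walk()
                   if part.get_content_type() in ("text/plain", "text/html"))

    # Check 4: where each link really goes, i.e. what hovering over it would reveal
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname)
        if DOMAIN_LIKE.fullmatch(text):  # the visible text itself looks like an address
            shown = registrable_domain(urlparse("http://" + text.split("://")[-1]).hostname)
            if shown != href_domain:
                findings.append(("link-mismatch", f"shows {shown}, goes to {href_domain}"))
        target = lookalike_of(href_domain)
        if target:
            findings.append(("lookalike-link", f"{href_domain} resembles {target}"))

    # Check 5: urgency language in the subject and body
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


# Constructed sample messages (not real mail): a lookalike-domain phish with a
# disguised link, a colleague's harmless note, and a "boss" writing from free mail.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <security@examp1e-bank.com>
To: staff@example-corp.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended. Please
<a href="http://example-bank.com.login-verify.net/auth">example-bank.com</a> immediately.</p>
"""
CLEAN_SAMPLE = """\
From: colleague@example-corp.com
Subject: Lunch menu
Content-Type: text/html

<p>This week's menu is at <a href="https://example-corp.com/menu">example-corp.com/menu</a>.</p>
"""
PUBLIC_DOMAIN_SAMPLE = """\
From: "The CEO" <ceo.examplecorp@gmail.com>
Subject: Are you at your desk?

Are you at your desk? I need a quick favour.
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("clean", CLEAN_SAMPLE),
                         ("public-domain", PUBLIC_DOMAIN_SAMPLE)):
        print(name, analyse_email(sample))
```

Run as a script it prints the findings for each sample; in a mail pipeline the same function would run on each incoming message and a non-empty result would route it to quarantine or tag it for the recipient. The similarity threshold of 0.8 is a starting point, not a tuned value; a domain with one substituted character, as in the sample, scores well above it.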
Regular Phishing Training
The most reliable way to ensure your staff can be an effective first line of cyber defence is to undertake regular staff training and testing. The cyber landscape changes regularly, and most of your staff are connected to the internet and receiving emails daily; therefore they need to be aware of the dangers posed by cybercriminals.
The most recent major threat to businesses is the move to remote working. During the pandemic, phishing was at its height, with home workers ill-prepared to spot or fight cybercriminals, many using their home computers and home internet set-up to do their work. With remote working here to stay, it’s imperative that businesses ensure their staff are fully aware of their role in the fight against cybercrime. For more information, see our recent blog, 5 Remote Work Cybersecurity Risks.
Gaining Cyber Essentials
To ensure your company is well protected, and if you haven’t already, we highly recommend gaining Cyber Essentials. It’s a government scheme providing certification of your cyber hygiene, practices and training. You’ll receive an accreditation that you can display, and you’ll be listed on their website as Cyber Essentials Accredited. With the Cyber Essentials Plus certification, you’ll also be able to bid for Government contracts. We can help with either of these certifications; find out more here.
References not linked in blog body text:
FBI.gov