It's happened to us all, right? An email drops into your inbox and before you know it you've opened the attachment or clicked the link without checking whether it is genuine. Even the best spam filters let a few rogue emails through, cleverly written to disguise their real intention of causing harm.
Geographically speaking, the UK is the nation most aware of phishing, with 69% of people understanding what phishing is, compared with 66% in Australia and Japan (Source: https://www.proofpoint.com/uk/resources/threat-reports/state-of-phish), but being aware doesn't mean you won't get caught out!
How Do Hackers Go Phishing?
Phishing is largely carried out by email: 96% of attacks arrive this way, 3% via websites and just 1% by phone, but the rarer routes are no less damaging. This Twitter thread from Monzo bank shows exactly how scammers can target you by text, and what to look out for.
Text scams will either ask you to click a link and verify details or to call a number and verify details. In either case you are directed to a fake site or call centre, and if you hand over your credentials the attackers have access to your bank account.
Some simple steps to recognising a fake link can be found further down.
🚨 FRAUD ALERT: PHISHING SCAMS 🚨
Is that text from your bank, actually from your bank? 👀
We'd never send you a link to verify your account via text, or ask you to log in to a website to confirm any account details.
Here are the red flags of a phishing scam...
— Monzo (@monzo) February 16, 2022
What's the Gain?
It all comes down to money, and what's the most valuable thing to people and companies? Data! Lose your data, have it compromised or hand over personal data and it costs you time and money, not to mention your reputation. Whilst it might be in your competitors' interest to cause such damage, the likelihood is that they are also being attacked, and it comes down to who is the most secure and knowledgeable about protecting themselves.
Whilst the end goal is most likely money, there are several routes to it:
If someone knows your login and security credentials for one account, they may have access to all your accounts, depending on how savvy you are about reusing passwords. Stolen credentials can then be used to access bank accounts, email accounts or any account that holds your credit card details. Once in, the attacker can lock you out by changing the password. Not only will this cost you or your company time and effort to rectify, you could be losing money in the meantime.
The sums of money involved in ransomware attacks are colossal! A computer or network is infected and access to files, or to network administration, is locked, with the only route out being to pay a ransom, sometimes without success.
Antivirus.com has shared the top 10 high-profile ransomware attacks in recent times and, in the case of number 10, suggests the damage was $6 million.
In 2020, 34% of companies hit by ransomware agreed to pay, of which 60% regained access after this first payment. A further 32% regained access after paying further demands, leaving 8% who either walked away after receiving a second demand or simply never regained access. (Source: https://www.proofpoint.com/uk/resources/threat-reports/state-of-phish).
Backups stored on network drives are no help in these attacks, because ransomware encrypts any drive the infected machine can write to, mapped network shares included. Keep at least one copy offline, or somewhere the infected machine cannot write to.
Identity theft can take a little longer to detect, as it is essentially someone gathering enough personal data to impersonate you.
How many times are you asked for a mother's maiden name, date of birth or name of first pet as a security check? This sort of information can be freely available across your social media profiles, without anyone even needing to interact with you.
With enough knowledge a hacker can access your accounts, pretend to be you on the phone, or sound convincing enough to persuade others to part with their cash, seemingly to help you out.
I have personal experience of this type of attack, and I know what I'm looking out for! Thankfully my bank was more alert than I was, but it showed me how, if you're caught at the wrong time, anyone can fall into the trap of making a payment! The warning signs were clear and yet my mind was elsewhere, and I didn't give enough care and attention to what was going on.
Phishing By Email
Focusing on emails, there are 3 approaches used to cause harm:
- a link (68%)
- data entry (23%)
- attachment (9%)
In terms of success rates, the attachment approach succeeds 20% of the time, so 1 in 5 such emails achieves its goal.
COVID Pandemic & Phishing
The best targets for phishing scams are those that are vulnerable. That can mean getting lucky and hitting someone at a vulnerable moment (see my Gumtree story above), or using fear to make someone feel vulnerable: "You're about to lose your email access if you don't click here to verify your account", for example.
COVID would seem to provide a breeding ground for vulnerable people. Many have been afraid to go out, others are more fearful of socialising, and this plays into the hands of the scammers, opening up new opportunities for them to exploit. For example:
- "Register here for your vaccine."
- "Be the first to know if COVID rates increase in your area."
- "Do you need support with your shopping during isolation, click here to get help"
Add the fact that it's a global pandemic and the potential audience is huge!
Many of us may also be in a new working arrangement, either working from home full time or in a hybrid arrangement. When the need to work from home first hit, many companies were simply not set up for such a significant change to their IT requirements. It led to personal computers being used on personal networks, exposing company data, as well as personal data, on unsecured networks.
COVID-themed attacks peaked in the spring of 2020, but they haven't completely gone away and should be treated as suspect until you can confirm otherwise.
Spotting A Phish
Depending on the sophistication of the attack, identifying a potential issue can range from the obvious to the seemingly impossible. If ever in doubt, follow these 2 rules first:
- If it seems too good to be true, it probably is!
- If you have any doubts, do nothing and ask a professional
If you take a gamble, believing "I'm sure it will be OK!", you may regret the cost in time, money and effort of what you have to go through to rectify it.
There are some simple steps you can go through initially to see if anything obvious is wrong.
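One way to mechanise the obvious link checks, as an added example that is not from the original post or from Monzo: the Python script below pulls the anchors out of an HTML email body and flags the usual red flags of a fake link (visible text showing one domain while the link goes to another, a bare IP address as the host, a punycode lookalike domain, a trusted brand name buried in an unrelated domain, and a login page served over plain http). The sample email body, the lookalike host and the trusted-domain list are all constructed for the example.

```python
"""Flag suspicious links in an email body (added example, not from the original post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A lookalike host built from a non-ASCII 'o' and converted to punycode, the
# form it takes inside a raw link. Constructed for this example.
LOOKALIKE_URL = "https://" + "mónzo.com".encode("idna").decode("ascii") + "/"

# Constructed sample email body; not a real message from any bank.
SAMPLE_EMAIL_HTML = f"""
<p>Your account has been suspended. Please verify now:</p>
<a href="http://monzo-secure-login.example.com/verify">https://monzo.com/verify</a>
<a href="http://192.0.2.10/login">Log in</a>
<a href="{LOOKALIKE_URL}">monzo.com</a>
<a href="https://monzo.com/help">Help centre</a>
"""

# Anchor text that itself looks like a URL or a bare domain.
DOMAINISH = re.compile(r"^\s*(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def check_link(href, text, trusted_domains):
    """Return the red flags raised by one link; an empty list means nothing obvious."""
    flags = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    # 1. The visible text shows one domain but the link goes to another.
    if DOMAINISH.match(text):
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            flags.append(f"text shows {shown_host} but link goes to {host}")

    # 2. A bare IP address instead of a name; real services use domain names.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        flags.append("host is a bare IP address")

    # 3. An internationalised (punycode) host that renders as a lookalike.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown_as = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown_as = host
        flags.append(f"punycode host {host} would display as {shown_as}")

    # 4. The brand name appears inside a domain that is not the brand's own.
    for domain in trusted_domains:
        brand = domain.split(".")[0]
        is_trusted = host == domain or host.endswith("." + domain)
        if not is_trusted and brand in host:
            flags.append(f"host {host} contains '{brand}' but is not {domain}")

    # 5. A login or verification page served without TLS.
    if parsed.scheme == "http":
        flags.append("plain http, not https")

    return flags


def triage(html, trusted_domains):
    """Map each href in the email to its red flags, dropping links that raised none."""
    report = {}
    for href, text in extract_links(html):
        flags = check_link(href, text, trusted_domains)
        if flags:
            report[href] = flags
    return report


if __name__ == "__main__":
    for href, flags in triage(SAMPLE_EMAIL_HTML, ["monzo.com"]).items():
        print(href)
        for flag in flags:
            print("  -", flag)
```

Run against the sample, three of the four links are reported and the genuine `https://monzo.com/help` link raises nothing. These are heuristics, not proof: a link that passes all five checks can still be malicious, which is why the two rules above (too good to be true; when in doubt, do nothing and ask) still apply.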
How to Protect Yourself
You're not going to be able to stop spam emails and texts being sent to you, and even if you have the knowledge to be vigilant about it, you're only human and can still make a mistake, so here are some measures you can put in place to make your data more secure: