Have you received an email or a message with a clickbait and the kind of information it requires is personal or sensitive? Well, you might be experiencing what is called phishing.
Phishing is an attempt to fraudulently obtain sensitive information. Those trying to obtain your information will pose as legitimate individuals or even organizations, especially finance organizations like your bank.
Phishers use social engineering tactics, including guilt-tripping and creating a sense of urgency to convince their targets. Tools of trade include fake or hijacked email addresses that seem similar to legitimate email addresses, phone numbers, logos, and other false business credentials, all helping trick the target into divulging sensitive data or clicking on a link.
While most people think instantly of email when it comes to phishing, attacks can also be carried out using social media, phone calls, voice messages, text messages and more.
Today, these fraudsters have become increasingly sophisticated in their approach.
Cisco's 2021 Cybersecurity Threat Trends Report found that phishing was responsible for a staggering 90% of data breaches.
Those responsible for phishing have a range of goals including stealing information or money, sabotaging a company's systems, installing malware or sometimes luring the target to a website as part of the ruse.
Phishing scams often put pressure on recipients to act immediately, by sending a response, clicking a link, or both. Common methods of pushing recipients include stating that there has been a security breach or claiming that an urgent complaint has been received.
The cybercriminal reaches out in the hope that someone will "bite" and engage in conversation with them. When someone does, it allows the criminal to get a foot in the door and take further steps to try to fool the individual into taking additional actions. These actions are carried out with the intention of persuading the victim to divulge information (such as passwords or account numbers) or download something they should not.
Allan Lwanyaga, the SGA Group IT Manager gives some insights on how to deal with phishing:
How can businesses prevent phishing?
Some businesses are more appealing to fraudsters than others when it comes to the target of phishing attacks. Financial service providers such as banks and credit card companies spring to mind.
Here are some steps that such businesses can take to help protect their customers.
- Implementing multi-factor authentication makes it harder for criminals to bypass these processes - though not impossible.
- Configuring email security technologies - Email services can also implement email authentication technologies that verify where messages originated and can reject messages that are spoofed. Check with your provider to see what security options are available.
- It is also important to remember that an organization's defences are as strong as its "weakest" employee: A staff member who falls for phishing scams is enough to unwittingly bring down a business. Educate both customers and employees about what phishing is and what they should look out for. Ensure your customers know which bits of information you will never ask them for.
- Always check email and message sources and IDs, from email headers to URLs.
- Deploy and maintain anti-virus software - If the phishing attack aims to install malware on your computer, up-to-date anti-virus software may help prevent the malware from installing.
How can individuals defend against phishing?
As an individual, you can defend against phishing by educating yourself about what it is and how it works. Knowing which warning signs to look out for could make a huge difference.
It is important to trust your instincts. If something does not feel right, stop and check. Phishing scams can be very sophisticated but sometimes all it needs to avoid falling victim is for you to step back from the situation and think twice before clicking a link or sharing a piece of information.
Remember: If something is too good to be true, or if an urgent request is unusual in that context, it is probably linked to fraud. If unsure, contact the purported sender yourself using a number or email address from their official website, which you ought to get from a search engine, not an email link.
What should you do if a phishing attack is successful?
If you believe you may have fallen victim to a phishing attack, here are some suggested steps:
- Change any affected passwords - If possible, immediately change the password for any affected accounts. If this password was also used for other online accounts, change the passwords for those accounts to something unique and strong.
- Contact the fraud department or the information security department of the breached account - If the phishing attack compromised your company's account at a financial institution, contact the bank immediately to report the incident. Monitor unauthorised transactions to the account.
- Notify appropriate people in your company - follow your company's incident response plan to ensure the appropriate personnel are aware of the incident.
- Notify affected parties - if the personal data of others (e.g., customers, suppliers) was compromised, be sure to notify them. Compromised personal data could be used for identity theft.