While the art of magic is ancient, its traits of manipulation, misdirection and deception are increasingly used by modern-day cyber criminals to create an illusion of legitimacy, enabling them to trick users into revealing sensitive information. Phishing is the term used to describe these efforts to bait victims into revealing usernames, passwords, birthdates, email addresses, phone numbers, etc. Criminals then use this information to access other online accounts or to start fraudulent transactions. They go to great lengths to impersonate legitimate companies, and unless users are paying very close attention they can fail to spot very subtle changes. Phishing’s relatively lazy cousin, spam email, does not actively seek log-in information in quite the same way. The name is a play on the word ‘fishing’, and developments have given rise to several new terms which describe the various methods of phishing:
- Spear-phishing – a specific individual or group of people is targeted.
- Clone-phishing – criminals identify a legitimate, recently sent email, then follow it up with an ‘updated’ version which contains a fraudulent link.
- Vishing – the attack involves a voice element. The UK National Fraud & Crime Reporting Centre, Action Fraud, was itself impersonated in a vishing attack: victims received a call which claimed to be from Action Fraud, telling them their online banking had been compromised, and this led to victims giving cyber criminals remote access.
- Smishing – the attack involves a text message (SMS) element.
Unlike magic, phishing does not defy rational explanation - you can take steps to protect your corporate network by ensuring your staff know what to look out for. There are several common tactics: emails appear to come from a legitimate source, often carry a sense of urgency, and ask you to click on a link or provide information. They will often appear to be business related, perhaps a shipping confirmation inviting you to click a link to track a parcel, or a corporate email asking you to update your online security. Your team should know not to click on links within emails; instead, always start with a fresh web search rather than the link you were sent. Two-factor authentication (2FA) should be enabled wherever possible. Then, even if the cyber criminals obtain email addresses, usernames, etc., they will not be able to access accounts.
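The tactics above (a sender that is not who it claims to be, urgency, and a link whose visible text does not match where it really goes) can be checked mechanically, which is a useful way to show staff what "very subtle changes" look like. The script below is an added example written for this article, not RedMosquito's own tooling or any particular mail filter; the email, the domains and the phrase list are constructed for illustration, and the "last two labels" domain comparison is an assumption that a real tool would replace with the public suffix list.

```python
"""Added example (not from the original post): a small phishing-indicator
check run over a constructed sample message. Everything below is made up
for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed phrase list; a real filter would tune this to its own mail flow.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "account will be suspended",
    "verify your account", "urgent", "action required",
)

# Constructed sample: a lookalike domain hidden behind legitimate-looking link text.
SAMPLE_EMAIL = """\
From: "Acme Bank Security" <alerts@acme-bank.example>
Reply-To: support@acme-bank-verify.example
To: you@yourcompany.example
Subject: Action required: unusual sign-in
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected an unusual sign-in. Your account will be suspended within
24 hours unless you verify your account.</p>
<p><a href="http://acme-bank-verify.example/login">https://www.acme-bank.example/login</a></p>
<p><a href="https://www.acme-bank.example/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registered domain by its last two labels (assumption:
    good enough here; production code should consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of_address(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like_url(text):
    """True when the visible link text itself names a domain or URL."""
    return re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I) is not None


def check_message(raw):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Reply-To pointing at a different domain than From: any reply (and any
    #    details typed into it) goes somewhere other than the apparent sender.
    from_domain = domain_of_address(parseaddr(str(msg["From"] or ""))[1])
    reply_domain = domain_of_address(parseaddr(str(msg["Reply-To"] or ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Urgency language in the subject or body (tags stripped, whitespace folded).
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = " ".join(re.sub(r"<[^>]+>", " ", html).split())
    haystack = f"{msg['Subject'] or ''} {text}".lower()
    found = [p for p in URGENCY_PHRASES if p in haystack]
    if found:
        findings.append("urgency language: " + ", ".join(found))

    # 3. Links whose visible text names one domain but whose href goes to
    #    another, plus links straight to a raw IP address.
    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        real_host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
            findings.append(f"link to raw IP address {real_host}")
        if looks_like_url(visible):
            shown = visible if visible.lower().startswith("http") else "http://" + visible
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(real_host):
                findings.append(f"link text shows {shown_host} but goes to {real_host}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print("-", finding)
```

Run on the sample it reports three findings: the mismatched Reply-To domain, the urgency phrases, and the link whose text says `www.acme-bank.example` while the href goes to `acme-bank-verify.example`. None of these checks proves an email is malicious on its own; they are the cues staff are asked to notice, made explicit.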
While many phishing attempts seek sensitive information, others contain a link to malware with the aim of infecting your network. This approach only works if your IT security is not up to date; the criminals are hoping to find unpatched operating systems and other security flaws. Lucky charms and superstition won’t help here – but a multi-layered approach to cyber security will. We can advise on all aspects of your IT support and security systems, and as ACE Practitioners of Cyber Essentials we can guide you through the well-trusted systems of protection you need. Why not contact us today for more information and a review of your IT networks?
RedMosquito provide IT support to SMEs across Glasgow, Edinburgh and throughout central Scotland.