What is a Phishing Attack

According to the 2019 Cyber Security government survey by the Department for Digital, Culture, Media, and Sport, the most common cyber-attack that businesses face is fraudulent communication that appears to come from a reputable source, usually through email. This is known as phishing.

So What is Phishing?

An example of a phishing email, disguised as an official email from a (fictional) bank. The sender is attempting to trick the recipient into revealing confidential information by “confirming” it at the phisher’s website. Note the misspelling of the words received and discrepancy as recieved and discrepency, respectively. It is also worth noting that, although the URL of the bank’s webpage appears to be legitimate, the hyperlink would actually point to the phisher’s webpage.

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators. Source: Wikipedia

You are in the equation

Phishing attempts are only successful with user interaction. An unopened phishing email is harmless; it only becomes destructive if the user, for example, replies with information or clicks on malicious links. Here is a great example provided by HMRC that highlights HMRC-related phishing scams delivered by email.

Phishing emails often appear to come from authoritative sources such as a bank, the Government or well-known organisations like PayPal. They might also appear to come from a known contact, and they use logos and branding to make the emails convincing.

* Check the sender’s address carefully to see if the domain is correct. It may look familiar, but subtle spelling errors can be easy to miss.

Fake emails are usually not very well written.

* Look out for odd use of language, unusual phrases, poor sentence structure, spelling errors or poor grammar.

A seemingly genuine email can contain an unexpected link/attachment or might ask you to provide information or even to make a payment.

* Take a moment to check the email source before clicking any links or attachments. If in doubt, call the sender to ask what they have sent you.

Links to fake websites can ask for details that can lead to unauthorised access to your computer. Malicious emails can be sent to your contacts without your knowledge.

* Avoid clicking any links or supplying information.

Attachments can contain viruses or malware designed to compromise computer security and retrieve sensitive information such as usernames, passwords, card details etc. They can sometimes be disguised as invoices.

* Never reveal usernames or passwords or make payments to any bank details sent to you via email.

How phishing can affect your business

Company Reputation

Reputations are precious and can take a long time to build. Announcing a data breach immediately hits a company’s reputation and can take years to fade from memory.

Loss of Custom

News of data breaches travels fast and tends to make customers nervous, leading to lack of trust.

Regulatory Fines

Under GDPR, the penalties can total €20 million or 4% of a company’s annual global turnover – whichever is higher.

Business Disruption

Phishing attacks can profoundly disrupt a business’s day-to-day operations, leading to large financial losses over a period of time.

ilicomm has over 25 years of experience delivering cost-effective information security and regulatory compliance solutions. Contact us to discover how we can ensure your business’s security is at its most efficient and cost-effective. Remember, the best way to help prevent phishing attacks is to train your employees and make them aware of the pitfalls and common tactics of phishing attacks.