Let’s Go Catch a Phish

As part of our Safer Internet awareness theme, I wanted to delve into the depths of the murky world of phishing.

Phishing remains one of cyber criminals’ favourite tools. It often achieves results, and often indicates to criminals that their victim is a ‘soft touch’.

Research conducted by Bondgate IT revealed that 68% of the public were inundated with phishing emails from March to August 2019.

Criminals have become masters of impersonation and have shifted from the ‘Crown Prince needing help’ emails to targeting organisations while pretending to be suppliers, members of the senior management team and even the IT department.

Work-related emails are now the most likely to convince people to part with their details; cyber criminals know this and have adapted their technique accordingly.

As with any criminal tactic, phishing has evolved over time, and now targets victims across multiple channels.

What are the types of phishing?

  • Phishing – this is the most obvious form of phishing email and usually asks for money or offers prospects of romance. They’re what people commonly refer to as ‘The Crown Prince Emails’. There is usually a link or an attachment in the email, which the ‘sender’ encourages the recipient to open or click on. These attachments/links can then trigger viruses to be downloaded onto your computer, or execute a ransomware attack. These types of phishing emails usually contain grammatical and spelling errors, and although they purport to be from a company they’re never personalised.
  • Spear Phishing – these are emails that use personalised information to convince victims that they are from genuine senders. Cyber criminals have learnt that when an email starts with the victim’s name, the victim is more likely to follow the instructions in it. Phishing no longer affects only our private lives; it has also worked its way into our work lives. Recent research has shown that emails that purport to be of a work nature, informing employees that they need to change their passwords, tend to have great success for criminals looking to harvest personal information.
  • Whaling (CEO Fraud) – this tactic demonstrates that no one in an organisation is exempt from phishing emails. Whaling emails target executives and senior leaders in businesses, and usually request funds to be transferred quickly, usually as the result of a late paid invoice. Since 2016, this type of fraud is said to have had a total worldwide cost of £21bn.
  • Smishing – this cyber tactic isn’t just restricted to email. Smishing is the text message equivalent. Criminals purport to be from reputable companies in order to induce individuals to reveal personal information. For example, you may get a text message from a criminal pretending to be your mobile phone provider, stating there has been an error when collecting your previous bill payment. It then asks you to click on a link to sort the problem. When you click on the link and follow those instructions, you share the data you input (usually financial details) with criminals who will then use them to commit further crime.
  • Vishing – this is the telephone version of phishing. It is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers. A recent case of this has seen criminals purporting to be from the online market seller Amazon offering customers refunds on their recent orders or informing them of an issue regarding their Prime account payment.

Not much is known about vishing, as it isn’t yet a well-known sub-tactic deployed by cyber criminals. But when it is used it can have drastic consequences.

It cost one organisation £200,000 when a top executive in an energy company received a phone call from his ‘boss’ who asked him to transfer the funds. The scam, which used deep-fake technology and is said to be the first of its type, tricked the businessman into thinking a telephone call urgently requesting the transfer of funds was coming from his boss.

As these tactics continue to yield results, it’s not hard to see why cyber criminals continue to use this well-known method.

Cyber crime is said to cost the UK £27 billion a year, and phishing takes the lion’s share of this.