Types of cyber attacks: phishing
Episode #2 of the course Cyber security for small business by Cat Paterson
Phishing is when emails, phone calls, or websites purport to be a person or organization that you trust with the sole aim of gaining your personal information, such as passwords, account details, or credit card numbers.
Essentially, phishing is social engineering, where a feeling of trust is created through psychological manipulation and exploiting human weakness to steal your personal information.
Most of these attacks are subtle—an email message alerting you of an unpaid bill or security breach and asking you to follow the link in the email to solve the problem immediately.
Other types of phishing attacks are more aggressive, with cyber criminals lifting personal information you may, accidently or otherwise, have made publicly available through social media channels.
Spear phishing is also a common type of attack against small businesses with a specific targeted objective—when sending emails to company employees purporting to be from a trusted partner, emails are more likely to be opened.
Here are some examples:
– Wishing your mom a happy 50th wedding anniversary with comments about her maiden name. A cyber criminal just loves this type of information, as lots of old security questions use “mother’s maiden name” as a security check on credit cards or bank details.
– Posting pictures of your favorite pet along with its name on social media channels; you may happen to use this in passwords across several of your online logins for your personal and/or business digital life.
– A phone call telling you that your PC firewall is out of date or expiring and offering a discounted price to install new security software if bought immediately.
– An employee posting data on social media that provides company information as part of a social engineering scam.
– An email to the company stating they are from your company bank or other trusted partner, and an employee clicks on the link.
Protect yourself and your business
1. Bad grammar or spelling mistakes are common in emails that are part of a phishing scam.
2. Suspicious links in emails can be checked by hovering your mouse pointer over the link without clicking. You can see where the link leads, and it more often than not won’t match the text in the link within the email. Don’t click!
3. If the message in the email creates a sense of threat and urgency, there is a good chance that it is a phishing scam.
4. Email addresses that look like they are from trusted organizations may have slight differences on closer inspection, e.g., an additional letter or the spelling is altered.
5. Treat all unsolicited phone calls with skepticism and suspicion. Most big companies will not cold call you.
6. If unsolicited phone calls have an element of threat and urgency, hang up immediately.
7. Create awareness for all employees about spear phishing scams. This could be added to the company induction pack or briefing.
Phishing scam emails can usually be reported within your email provider by dropping them in the junk or spam folder, then having the option to “report” and delete.
If you get a phone caller’s information, you can report it to the relevant authorities:
1. USA: FTC Complaint Commission.
2. UK: Action Fraud, OR Register your number to prevent cold calls: TPS online.
3. Canada: Canadian Anti-Fraud Centre.
Tomorrow, I’ll introduce you to malware attacks, what they are, and what to do about them.
“Future Crimes: Inside the Digital Underground and the Battle for Our Connected World” by Marc Goodman
Share with friends