First of all, why is this spelled with ph and not f? It all started with phreaking, which was a way of making free phone calls, so the ph was borrowed from phone. That swap of consonants has since become shorthand for a familiar word given a new, usually illicit, meaning. Trying to draw information out of someone without asking a direct question has always been known as fishing. When the same thing is done with malicious intent, that’s phishing.
A phishing email is a message, often one you were not expecting, that purports to be from someone you know or have dealt with before: your bank, a supplier, a colleague. The simple advice we are often given is not to open these emails, but curiosity can lead us to have a look. Reading the message is rarely the problem in itself; the trouble starts when you click a link, open an attachment or reply with the information it asks for – and that can open a can of digital worms that leads to big trouble.
Anatomy of a Phishing Email: The Red Flags you Must Never Ignore
Let’s say you have a message asking you to “confirm” your bank details. A company you genuinely bank or trade with already has those details and will not email you asking you to type them in again. If you’re still thinking you could be missing out on something, or could get in trouble by missing a payment, contact the company through their website – type the address yourself or use a saved bookmark, never the link in the message. It’s the same story if you are asked for login details or – red alert – passwords. If in doubt, contact the company that has apparently sent this email by phone (using the number on your card or a statement, not one printed in the email) or through their online enquiry form. You could even do it by email, but not by replying to the one you’re suspicious of.
Look at the email address – the actual address, not just the friendly display name in front of it. If this is a big company, why does the message come from someone at Hotmail or Yahoo rather than their own domain name? Watch too for lookalike domains: an extra word, a swapped letter or a different ending tacked onto a real company name. The same goes for links: hover over them before clicking and check that the address that pops up really belongs to the company, not just the text you can see.
Look at the language, the way it is written. If it doesn’t sound professional, it probably isn’t genuine. If it sounds aggressive or too urgent – “act within 24 hours or your account will be suspended” – don’t respond. If it sounds vague or generalised, it’s probably a scam. If it uses your first name in the over-familiar way that unwanted sales calls do, don’t trust it. If they don’t even know your name but start with Dear Customer, they are up to something.
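The checks above can be written down as a short script. The one below is an added example, not code from the original post: it takes a raw email, looks at the real sender address, compares the visible link text with where each link actually points, and searches the subject and body for urgent wording, requests for credentials and a generic greeting. The company domain (examplebank.com), the phrase lists and both sample messages are assumptions constructed for the example; swap in the domain of the company you actually deal with.

```python
"""Score a raw email for the phishing red flags described above.

Added example, not code from the original post. The company domain, the
phrase lists and both sample messages are assumptions/constructed input.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAIN = "examplebank.com"          # assumption: the real company's domain
BRAND = EXPECTED_DOMAIN.split(".")[0]         # "examplebank"

FREE_WEBMAIL = {"hotmail.com", "yahoo.com", "gmail.com", "outlook.com", "aol.com"}
URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
CREDENTIALS = ("password", "login details", "confirm your bank details", "card number")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def _same_org(host, domain):
    """True if host is the domain itself or a subdomain of it (www.examplebank.com)."""
    return host == domain or host.endswith("." + domain)


def _mimics_brand(host):
    """Contains the brand name but is not the real domain: examplebank-secure-login.com."""
    return BRAND in host and not _same_org(host, EXPECTED_DOMAIN)


def _body_text(msg):
    """Concatenate all text/* parts, decoded with each part's declared charset."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return a list of (category, detail) red flags; an empty list means none fired."""
    msg = message_from_string(raw)
    flags = []

    # 1. Who does the message really come from? Check the address, not the display name.
    name, addr = parseaddr(msg.get("From", ""))
    host = addr.rpartition("@")[2].lower()
    if host in FREE_WEBMAIL:
        flags.append(("free-webmail", host))
    if BRAND in name.lower().replace(" ", "") and not _same_org(host, EXPECTED_DOMAIN):
        flags.append(("brand-in-display-name", addr))
    if _mimics_brand(host):
        flags.append(("lookalike-domain", host))

    # 2. Where do the links really go? Compare the visible text with the href target.
    html = _body_text(msg)
    for href, text in LINK_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        shown = TAG_RE.sub("", text).strip()
        if not _same_org(target, EXPECTED_DOMAIN):
            flags.append(("link-off-domain", target))
            if EXPECTED_DOMAIN in shown.lower():
                flags.append(("link-text-mismatch", f"{shown} -> {target}"))
        if _mimics_brand(target):
            flags.append(("lookalike-domain", target))

    # 3. How is it written? Urgency, requests for credentials, generic greeting.
    text = TAG_RE.sub(" ", html).lower()
    haystack = (msg.get("Subject") or "").lower() + " " + text
    flags += [("urgency", p) for p in URGENCY if p in haystack]
    flags += [("credential-request", p) for p in CREDENTIALS if p in haystack]
    flags += [("generic-greeting", g) for g in GENERIC_GREETINGS if g in text]
    return flags


# Constructed sample: a typical "confirm your details" phishing message.
PHISH_SAMPLE = """From: "Example Bank Security Team" <examplebank.alerts@hotmail.com>
To: accounts@yourbusiness.example
Subject: URGENT: confirm your bank details within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity was detected. You must confirm your bank details and
password immediately or your account will be suspended.</p>
<p><a href="http://examplebank-secure-login.com/verify">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed sample: a plausible genuine notification from the real domain.
LEGIT_SAMPLE = """From: "Example Bank" <statements@examplebank.com>
To: accounts@yourbusiness.example
Subject: Your March statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Dana,</p>
<p>Your March statement is now available. Sign in from your usual bookmark
or at <a href="https://www.examplebank.com/statements">View statements</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phishing sample", PHISH_SAMPLE), ("legitimate sample", LEGIT_SAMPLE)):
        flags = score_message(sample)
        print(f"{label}: {len(flags)} red flag(s)")
        for category, detail in flags:
            print(f"  - {category}: {detail}")
```

The script is deliberately a checklist, not a spam filter: a message that scores zero can still be a scam, and a real supplier sending an overdue-invoice reminder may trip the urgency check. Its value is that it forces the same questions every time (real sender domain, real link target, tone, greeting) that the section above asks a person to ask.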
Spear Phishing vs. Mass Phishing: Why Targeted Attacks are More Dangerous to SMBs
These are two modern terms that have been coined to describe variations of this very 21st-century criminal phenomenon.
Spear phishing targets a particular individual and can be very unsettling, even if it comes to nothing. The perpetrator uses the target’s personal information – name, job title, colleagues, suppliers, often gathered from social media or the company website – to create a convincing message that can lead the unwary into replying and making themselves even more vulnerable. The same idea is also used in text messages (known as smishing), which can be even more alarming.
The best response is no response. Let them fail and move on to someone else.
Mass phishing is exactly what it says: a phishing attack aimed at many individuals at once, relying on the law of averages to get some response. Again, the best response is to ignore it – and, in a business, to report it so that colleagues who received the same message are warned. Don’t be the naïve person who makes the whole exercise worthwhile for the attacker.
Targeted attacks are particularly dangerous for small and medium businesses (SMBs) because they are less likely to have an IT department or even a solitary specialist. Instead, a staff member is given the task (which they might not think even qualifies as a “responsibility”) of checking the shared inbox and making sure messages go to the right colleagues – so one person’s judgement stands between the attacker and the whole company.
People in charge of email can be trained to do this, in the same way as a receptionist or telephonist can be trained to be selective as to who is allowed to enter the building and who gets put through on the phone.
The Human Firewall: Training Your Team to Spot and Report Suspicious Activity
If your email traffic is administered by someone other than yourself, or perhaps several people, the first step is to make sure they take phishing seriously. One way to start the process of staff awareness would be to get them to read this blog. You can also illustrate the potential dangers by finding some examples: there are plenty of online horror stories about this sort of thing, so find one that has similarities to your company.
There are online security firms that will carry out this kind of training, and if the people you entrust with your digital safety offer this service, you may want to bring them in.
It is important to make your staff feel able to ask “silly” questions, because no question when it comes to security is silly, but a lack of awareness is. If the person checking your email is a bit of a technophobe, it would be wise to get them trained up in some of the basics to boost their confidence.
Immediate Action: What to do if you Clicked a Malicious Link
It can happen to the best of us. Maybe you didn’t notice anything suspicious about an email, or you hit a key by accident. Whatever it was, something has happened that has immediately worried you.
Step One: Disconnect from the Wi-Fi or unplug your Ethernet cable. If there is something malicious on your computer, don’t let it spread to everyone else’s. Leave the machine switched on but offline so that whoever investigates can see what happened.
Step Two: Run your protection software to check for malware. Do a full scan, not a quick one.
Step Three: Back up any files you’re concerned about – to separate removable media, not to the network share or the backup you normally rely on, because you may be copying infected files and you don’t want to overwrite a known-good backup.
Step Four: Change passwords in case you have given one away, starting with the account you typed into and any other account that shares the same password, and do it from a different, clean device in case the first one is now recording keystrokes. Switch on two-factor authentication wherever the account offers it. This can be a good moment to think about your passwords in general and put some work into them. If you have been using one that’s easy to remember, it is also easy to guess, and hackers thrive on that kind of laziness. Make each one unique and keep a record of them, but somewhere safe – a password manager, not a spreadsheet or a note by the keyboard.
Step Five: Report the incident to the people who need to know, from the IT manager to the chief executive, and note exactly what was clicked and what was typed in. Externally, report it to your email provider (Gmail, etc.) and your IT services provider, and to your bank if any payment or card details were entered.
Step Six: Keep an eye on relevant bank accounts or anything else a cybercriminal might attack.
The overriding message here is to keep yourself and your staff up to date with the very real threat of cybercrime. Just as you make sure the doors and windows are locked, keep your information locked and don’t allow anyone to access it through phishing. Contact Nerds 2 You for expert assistance with malware protection and cybersecurity training.