Phishing attacks are already targeting your employees. Can they spot them?


When you look at your company’s security, do you pay as much attention to what’s happening inside it as to what’s happening outside?

The changes in how – and where – your organization gets work done make your employees more susceptible to social engineering attacks.

Opportunistic attackers are really profiting from the massive transformations that keep coming one after the other. They’re taking advantage of the increased pressure created by uncertainty and fear. They’re exploiting people’s need to stay informed and the people or organizations they trust and rely on.

It’s much likelier you’ll click on a malicious link or on a phishing email when you’re tired, distracted, or anxious.

Sometimes knowing this can happen – and how – is enough to train the mind to spot threats like these.

That’s why we’re publishing this primer on phishing, going through the main types of attacks you and your employees could face. You don’t have to know the ins and outs of these forms of phishing to protect against them, but you can share this fundamental knowledge throughout the organization.

In the blink of an eye

Phishing attacks are deceptive, and they tend to target businesses in order to extract sensitive information like bank details. Before you realise what happened, a fraudster has got hold of your money or your business’s or customer’s information, without a trace.

Thankfully, being aware of phishing attacks in the first place and understanding the red flags to look out for can put you in a stronger position when protecting your business from phishing attacks.

I’m going to take you on a little journey where we explore some recent phishing threats that you might not know about yet.

What is Whale Phishing?

Whale phishing, or whaling, is one of the kinds of email security threats with a funny name but very serious consequences.

Malicious hackers target business executives by hiding behind legitimate emails. This type of fraud is designed to trick the end-user into performing an action, like a financial transaction or providing sensitive information.

The idea is that fraudsters can take advantage of the bigger fish by targeting senior executives who have access to more valuable information. As you might imagine, some of the biggest industries to be hit by whale phishing are financial institutions and payment services.

However, other businesses are seeing more whale phishing attacks in 2020. Tricksters have their eyes on businesses that hold sensitive files and information, such as virtual servers, cloud storage hosts, and file hosting sites. They’re going for maximum impact with minimal effort.

How to spot a whaling attack

Whaling emails are very sophisticated, which is why attackers are so easily able to get what they want from their victims. However, this doesn’t mean you can’t spot a whaling attack.

Whaling emails usually:

  • Contain personal information about the business or individual the email is aimed at
  • Convey a sense of urgency by giving time-sensitive deadlines
  • Are dressed up in a good understanding of the business’s language.

The main ways whaling emails hook you in are by:

  • Inviting you to click a link to a website that delivers malware
  • Requesting funds to be transferred to the attacker’s bank account
  • Asking for additional details regarding the individual or business.

Undoubtedly, phishing attacks are scary. 94% of malware is delivered via email, and we all know that businesses can receive hundreds, if not thousands, of emails each day. It only takes one of these whaling emails to slip by.

But, by being aware, alert, and suspicious of unsolicited emails – especially those requesting personal or business information – you’ll protect yourself and your business against whaling attacks.

What is SIM swapping?

Picture this: you’re at work and your mobile phone stops working. You have unlimited data, calls, and text messages, yet you can’t use any of these features and can’t make contact with anyone. Your phone provider then notifies you that your SIM card has been activated and used on another device. Suspicious, right?

Well, that’s probably because you’ve become a victim of SIM swapping. SIM swapping is when a scammer identifies a weakness in two-factor authentication, whereby the second step of verification is in the form of a text message or telephone call to your mobile.

The scammer then contacts your service provider, convinces them they’re you (as they have your personal details) and requests that your number be ported to a new device. Usually, this is justified by the current device being lost or stolen.

Most individual and business mobile phones are linked to passwords for banking, PayPal, Amazon, social media, etc. Malicious hackers can reset your passwords and take control of these accounts, eventually accessing your business’s bank account and making a run for – and with – your money.

How to combat SIM swapping

While you may not be able to completely eliminate the risk, you can certainly minimise it. Here are three things you should be doing to protect your business from SIM swap identity fraud.

  • Port block: You can contact your mobile phone provider and see if they offer a service called port blocks. This blocks potential identity thieves from porting your number across to a new device.
  • Two-factor authentication (SMS): Although two-factor authentication is designed to add protection to your business accounts, it can make them vulnerable to SIM swapping. If you are concerned about this, you can choose not to use SMS two-factor as an authentication method and choose an alternative.
  • Personal information: Phishing attacks are successful when individuals or businesses respond to them by answering calls, replying to emails, and giving personal information via SMS. If you ever receive a call or text requesting information – do not provide it. Legitimate companies would never ask for this. If you’re worried, you can contact the company directly, rather than answering a call where someone is pretending to be them.

6 ways to protect your business from modern phishing attacks

While many phishing attack emails look legitimate, you can protect your business. Here are just some of the things you can do:

  1. Don’t click or download – If you receive an email that you weren’t expecting and it asks you to click on links or download files, just don’t open it. Only open attachments if you know what they are and what they contain.
  2. Protect your information – Guard your financial and personal information like your life depends on it. Never give out personal details or bank details via email, and be suspicious of emails asking you to. If you ever need to provide personal information on a telephone call, make sure you initiated it.
  3. Know the red flags – There are common things that scammers do in their emails, e.g. requesting urgent responses, scare tactics, and using strange-looking email addresses. Go over each email with a suspicious eye and be aware of the things to look out for.
  4. Passwords – Ensure that all of your passwords are strong, and use different passwords for different accounts. If you have trouble remembering multiple complex passwords, use a password management app like LastPass or Dashlane.
  5. Perform checks – It’s good to be suspicious of phishing activity. Regularly check your emails, bank accounts, etc. to make sure there hasn’t been any unusual activity or logins to your accounts.
  6. Get a second person involved – Always have a second person verify and vet payments, changes in invoicing details, or giving out confidential information. A fresh eye can help spot a potential phishing attack and nip it in the bud.
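As an added illustration (not part of the original post), here is a small Python checker that tests a raw email against the red flags described in the whaling section and in point 3 above: a lookalike sender domain, a Reply-To that points somewhere other than the apparent sender, time-pressure wording, and requests to move money. `ORG_DOMAIN` and the two sample messages are constructed placeholders, and the phrase lists are illustrative, not a complete detection rule.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed placeholder for the organisation's real mail domain

# Wording that matches the hooks described in the post: time pressure and moving money.
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|right away|today|end of day|deadline)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|bank (?:account|details)|payment|invoice)\b", re.I)

# Constructed sample messages (not real mail): a whaling attempt and a harmless internal note.
WHALING_SAMPLE = """\
From: "Jane Doe - CEO" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.invalid
Subject: Urgent wire transfer needed today

Please transfer 48,000 EUR to the new supplier account before end of day.
"""
INTERNAL_SAMPLE = 'From: "Jane Doe" <jane.doe@example.com>\nSubject: Lunch next week\n\nAre you free on Tuesday?\n'


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike sender domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(raw: str) -> list:
    """Return the whaling red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    # Strange-looking address: a sender domain one or two characters away from the real one.
    if from_dom != ORG_DOMAIN and edit_distance(from_dom, ORG_DOMAIN) <= 2:
        flags.append("lookalike sender domain: " + from_dom)
    # Replies quietly routed to a mailbox that is not the apparent sender's.
    if reply_dom and reply_dom != from_dom:
        flags.append("Reply-To domain differs from From: " + reply_dom)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        flags.append("time pressure or deadline wording")
    if PAYMENT.search(text):
        flags.append("request to move funds or share bank details")
    return flags
```

Running `red_flags` over a mailbox export and routing anything that raises two or more flags to the second-person check in point 6 is one way to turn these red flags into a routine control.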

Phishing attacks are deeply harmful and there are many schemes out there. But, if you’re aware of them, and know what to do if you’re hit, you can protect your business long-term.

In 2018, a whopping 62% of businesses experienced phishing and social engineering attacks, like the whaling and SIM swap attacks described here. Whilst these statistics are scary, there are plenty of things you can do to stop phishing in its tracks.

Make sure your company is secure by implementing rigorous cybersecurity measures and keeping up to date with the latest types of attack.

This is a guest post by Georgie Peru:

Georgie is a Content Contributor for UKWebHostReview. She is passionate about sharing her enthusiasm for technology through her content writing work, with a mission to help others learn and understand what makes the digital world so successful.
