THE ULTIMATE GUIDE TO PROTECT AGAINST PHISHING ATTACKS

Introduction
In the physical world we have long-established habits that keep ourselves, our families and our businesses safe from criminals. We lock car doors, secure front doors, and we would not walk down an unfamiliar dark alley late at night without knowing where it led. The equivalent habits for our digital lives are still being formed, and many people are at a loss to know what to do. Leaving passwords saved in a browser on a shared or unlocked machine, for example, is like leaving your car keys on the front seat so that you can find them easily when you return; and clicking an unsolicited email link is the digital equivalent of heading alone down that dark alley.

Companies have tried to protect themselves by deploying security technologies such as anti-virus and firewalls. These are necessary but not sufficient: you would not leave your keys outside your house and expect the police to stop an opportunistic thief from picking them up. Studies of spam and phishing filters report catch rates of around 93%. Given the sheer volume of phishing email in circulation, the remaining 7% guarantees that a significant number of phishing messages land in the inbox alongside legitimate mail, and that is where the danger lies.

Cybercrime is growing at an alarming rate, and its success rate is growing with it, because criminals have learned to target staff: people have been proven time and again to be the weakest link. The other critical fact is that most cyber security breaches start with a simple phishing attack. At its simplest, phishing is a criminal impersonating another company or individual in order to extract information from you that can then be used to access your systems or steal your data. Business Email Compromise (BEC), of which CEO fraud is the best-known form, takes this to another level: the attacker impersonates the CEO, President or another C-level executive and uses that presumed authority to obtain privileged information such as customer data or bank account details, or simply to have money transferred by instructing finance staff to pay a fraudulent invoice or change a supplier's bank details. These attacks can cost a company tens or even hundreds of millions of dollars virtually overnight, as when Ubiquiti Networks lost nearly $47M.

So, if your company uses email and you are not proactively working with your staff to help them avoid these threats, you are taking a significant risk with your information. To help people understand and mitigate these risks we have put this paper together based on our experience. To guide you through the minefield we look at the eight quickest ways to spot a phishing attack.

After reading it you should be aware of the types of threat that are out there and the steps you need to take to protect yourself against them. The blunt reality is that technical defences alone will not keep you safe; you need to invest in helping your staff recognise these risks in order to mitigate them. It has been shown too many times that an organisation that neither trains its staff nor assesses its own level of risk will almost certainly fall victim to one of these attacks. Prevention is always better than cure.

It is human psychology that makes phishing attacks effective for criminals.

According to the 2018 Verizon Data Breach Investigations Report, around 4% of the recipients of any given phishing campaign will click on it. Amusement and entertainment also figured strongly in the study's findings on why people click on links. Attackers know that if they can build these emotional triggers into their attack they have a greater chance of succeeding. Here are the key indicators that an email or link may be part of a phishing attack:

1. The Message Contains a Mismatched URL

One of the most obvious signs of a phishing message is that the link text does not match where the link actually goes. Because many people have learned this clue, attackers now make the visible text look exactly like the brand's real URL, but the destination in the underlying href is still theirs. Hovering the mouse over the link (or long-pressing it on a mobile device) reveals the real destination; if that differs from the text shown, it is a strong sign of a scam and should be reported.

2. The URL Doesn’t Match the Domain

Another trick is to use a hostname that contains a well-known brand but is not the brand's domain at all. For example, the attacker might put the name of a legitimate company such as Apple or Microsoft in the address to get the user to click through to malicious content. What matters is the registrable domain, the part immediately to the left of the public suffix (.com, .co.uk and so on); everything further left is a subdomain that the domain's owner can set to anything. In "www.apple.scamwebsite.com" the registrable domain is scamwebsite.com, and "apple" is simply a subdomain label the criminal chose. Read hostnames from right to left.

3. The Sender of the Communication Doesn’t Appear Legitimate

In some cases it is possible to identify a phishing scam simply by looking at the sender. While phishing attackers are getting better at disguising their addresses, there are usually still small differences between the sender address of a legitimate message and that of a fraudulent one. For example, the common PayPal phishing scam typically uses a Gmail or Hotmail address, often with "PayPal" in the display name, rather than a genuine paypal.com address. The reverse check does not hold, however: the From header can be forged, so a matching address is not proof of legitimacy unless the mail gateway enforces SPF, DKIM and DMARC for that domain.
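The first three indicators (link text that disagrees with its href, a brand name buried in somebody else's domain, and a sender address that does not belong to the organisation named in the display name) can be partly automated in a triage script at the mail gateway or help desk. The following Python example is added to this guide; it is not code from the original page or from any vendor named here. The sample message is constructed, the brand-to-domain table is an illustrative assumption, and the "last two labels" domain guess is a simplification that a real deployment would replace with a public-suffix list.

```python
"""Triage checks for indicators 1-3: mismatched link text vs. href, brand names
used as subdomain labels, and sender addresses that contradict the display name.
Example code added for this guide; the sample message is constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative assumption: brands this organisation expects mail from, mapped to
# the registrable domains those brands genuinely send from and link to.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
}

# Constructed sample phishing message (not a real capture).
SAMPLE_EML = """\
From: "PayPal Support" <paypal.support@gmail.com>
Reply-To: paypal-verify@gmail.com
To: victim@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, confirm your details at
<a href="http://www.apple.scamwebsite.com/login">https://www.paypal.com/signin</a>
</p></body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain guess: the last two labels. Assumption for the
    demo only; 'example.co.uk' needs a public-suffix list to be handled right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_message(raw):
    """Return a list of (indicator, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 3: display name claims a brand but the address domain is someone else's.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(("sender-mismatch", f"{display!r} sent from {sender_domain}"))
    # Extra check: replies silently routed to a different mailbox than the sender.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(("reply-to-differs", f"From {addr}, replies go to {reply_to}"))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _AnchorCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = host_of(href)
        # Indicator 1: the visible text looks like a URL but the href goes elsewhere.
        if text.startswith(("http://", "https://", "www.")):
            text_url = text if "://" in text else "http://" + text
            if registrable_domain(host_of(text_url)) != registrable_domain(href_host):
                findings.append(("mismatched-url", f"text {text} -> href {href}"))
        # Indicator 2: a known brand appears as a subdomain label of an unrelated domain.
        labels = href_host.split(".")
        for brand, domains in BRAND_DOMAINS.items():
            if brand in labels and registrable_domain(href_host) not in domains:
                findings.append(("brand-in-subdomain",
                                 f"{brand} used as a subdomain of {registrable_domain(href_host)}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in check_message(SAMPLE_EML):
        print(f"{indicator:20} {detail}")
```

Run against the constructed message, the script flags all four conditions: the "PayPal" display name on a gmail.com address, the divergent Reply-To, the paypal.com link text pointing at scamwebsite.com, and "apple" appearing as a subdomain of scamwebsite.com. A message whose From domain, link text and hrefs all resolve to the brand's own registrable domain produces no findings; as the text above notes, that absence only means these heuristics found nothing, not that the sender is genuine.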

4. The Content Contains Poor Spelling and Grammar

While most people are not perfect spellers, the vast majority can spot misspelled words and poor English if they read the content closely. Many still miss this clue when judging a suspicious message. A legitimate piece of corporate communication will have been checked for style, grammar and spelling by the writer and probably by several other people in the company. Those producing spam and conducting phishing attacks do not always have the finest grasp of the language: they misspell words and their sentences may not make sense. Make sure employees read all communications carefully and look out for errors, while remembering that well-funded attackers can write flawless English, so clean prose is not evidence of legitimacy.

5. The Content Requests Personal Information

In an initial email to a customer, a company will rarely ask for personal information to be provided. It might ask the recipient to subscribe to its communications or to call the company directly, but a bank, for example, will never require a customer to fill in account details via a link in its first contact. A request of this kind is a common sign that the attacker is simply trying to extract as much information as possible from the target in the shortest possible time.

6. The Action Wasn’t Initiated by the Recipient

When an email arrives unsolicited, with no prior contact, it should be treated with suspicion. Legitimate companies rarely send a first email out of the blue unless the recipient has signed up to a mailing list or has agreed to the communication in some other way. Employees who receive unexpected messages should look closely for the other signs of a phishing scam before acting on them.

7. The Offer is Too Good to be True

We have all heard of the Nigerian Prince scam, in which the recipient receives a letter from a supposed member of a royal family asking for a small loan, with the promise of a large reward once the loan is repaid. This is the classic example of an offer that is too good to be true. A national lottery will not announce its winners by email. A long-lost uncle will not suddenly appear by email ready to give away millions of pounds. If the offer is unbelievable, it is best ignored completely.

8. The Message Contains Threats

One of the most common phishing scams involves a message purporting to come from a government agency and detailing a very specific threat against you or a member of your family. The message might claim that the recipient owes money to the government, or describe other illegal activity the recipient is said to be involved in. Inevitably, the sender asks for money to make the legal problem go away. It is worth noting that government agencies rarely use email as their first form of contact, and that sending threatening emails while impersonating a government official is a serious criminal offence in the EU and most other jurisdictions.
