As human beings we have a strong tendency to protect the things around us that are most important – be it our personal safety, family, homes and even our cars. We put measures in place to mitigate risks of theft, being scammed by imposters, and protect ourselves from other criminal activity, however low levels of phishing awareness are leaving us vulnerable to cyber attacks.
When it comes to our inboxes, how secure are we?
2020 saw a huge increase in phishing attacks via email, text, and phone calls, where users were encouraged to click a malicious link, give confidential information or open an infected attachment.
Cyber attackers work with terrifying speed, take 2020 as an example, the global fear driven by the Covid pandemic certainly gave cyber criminals a theme to instantly leverage. Within days of covid strategies being instigated, lockdown starting, track and trace being launched etc. – the public were being targeted with seemingly genuine calls, emails and texts, the majority of which were scams.
Spam and phishing software minimises the risk of phishing emails, research has shown that Spam/Phishing filtering software have a success rate of 93%. So considering the huge quantity of phishing emails in circulation at any one time, the 7% of phishing emails that do get through to inboxes is significant. And with phishing rates increasing across most industries and organisation sizes; via multiple communication channels, seemingly no organisation is immune.
With the vast majority of cyber security breaches starting with a simple phishing attack, our cyber security training partner Cyber Risk Aware state that over 90% of security incidents are caused by lack of staff awareness. Of course we all know that it takes just 1 person to click on 1 link or to download 1 attachment and that’s it, your entire organisation is compromised.
Increasing phishing awareness, and having users who are trained to spot phishing attacks and report suspicious emails, texts and calls can make the difference to keeping your organisation secure.
However, with cyber criminals often using sophisticated approaches, phishing and scamming attacks can be difficult to spot especially if the emails or text messages show no signs of being malicious. Many attacks originate from hijacked business email accounts, and attackers often go a step further and host fake login pages which seem legitimate, making the scam even more difficult to spot. Phishing awareness is typically low. In fact it is reported that 97% of people are unable to identify the most sophisticated phishing emails.
To increase phishing awareness here’s an overview of things staff should look out for:
- Poor quality content
The content contains poor spelling and grammar so make sure employees read all communications carefully and look out for errors. - The sender details do not ring true
This can be a hard one to judge, however employees should verify the sender – look at the email address to see if it looks genuine, and hover over or click on the senders email to see the actual name of the email account it has been sent from. - Contains login links
Most genuine organisations that hold confidential information about you, will not send emails with links to login, they encourage users to login on addresses typed into web browsers and not via links from emails or other websites. - Destinations of links aren’t genuine
If there’s a link, always hover over and look at the URL of the link to see if it takes recipients to a genuine or a fraudulent destination. With scammers trying to steal login credentials quite often the links on phishing emails will take users to phishing websites which appear genuine. A fraudulent page may well use a ‘child domain’ within the link, for example a user might see something like “www.paypal.signin.com” for a page ‘pretending’ to be the legitimate Paypal login page which in fact is https://www.paypal.com/signin. - Too Good to be True
So much more sophisticated than the age-old Nigerian prince emails, staff should be aware of emails and texts saying they’ve won the lottery or a holiday. As much as we all would like these things, genuine ‘big win’ competitions very rarely get announced via email or text. - Unsolicited Contact
In cases where an email or text is received out of the blue without an employee opting-in, so the contact is unsolicited, it is likely to be some form of spam, and potentially a phishing scam, it’s important to look closely for signs of a potential phishing scam. - Unnecessary Urgency
Yes there are genuine occasions when time is of the essence i.e. a sale is ending, limited time offers, insurance is up for renewal etc..however employees will probably have a relationship with organisations where offers and deadlines are genuine. Content telling staff to act urgently about something they know nothing about should ring alarm bells.
Staff should be encouraged to be wary, and to use their gut instinct. If an email, text or even call seems ‘phishy’ then they should listen to their intuition and escalate internally or contact the genuine organisation directly to validate. If it’s a phone call that’s set their radar off, then they should use a different device to call out on, scammers can keep the line open, meaning they can stay on the line and still hear the next call, even if you’ve ‘hung up’ on them.
Regular staff training and a cyber risk aware culture is critical to increase phishing awareness and mitigate against all the latest risks. When was the last time you trained your staff? With the pace of change being so fast it’s important that staff training is current with regular reminders to drive home a strong cybersecurity mindset.
