201702_CouldYouBeTheNextPhishingVictim_
21/02/2017

Could you be the next phishing victim?

I still remember the days when companies used to receive faxes or letters from people in distant African countries asking for help to transfer sizable sums of US dollars in return for a generous commission. All the fraudsters needed was a sheet of the company’s headed paper and its bank account details. Any companies naive enough to comply were soon left with an empty bank account as their only thanks.
A fraudster needs just one employee to click on a malicious link or open a malware attachment to gain access to a company’s entire network.
Today, crooks operate from anywhere in the world and use internet technology to swindle people. As a result, it’s more important than ever to be on constant alert when you’re online and to make information security awareness part of your professional lifestyle. 

A fraudster needs just one employee to click on a malicious link or open a malware attachment to gain access to a company’s entire network.

Phishing: the fraudsters’ favorite

One of the most commonly used con tricks is ‘phishing’: a form of online fraud in which emails are sent out in an attempt to convince people to share sensitive information. The email typically directs the recipient to a website where the user is asked to ‘update’ personal information such as their password, credit card and/or bank account details (which are then used for fraudulent gain). Some phishing messages also include malware attachments. Sharing information or opening a malware attachment can paralyze the entire company. Cybercriminals have countless possibilities, ranging from stealing confidential R&D information or customer details to holding the organization to ransom.

Watch out for phishing techniques that are more personalized and therefore more difficult to spot, like spear phishing and CEO fraud.

Phishing techniques

Besides ‘deceptive phishing’ in which huge volumes of seemingly legitimate emails are sent out (as described above), other types of phishing are more personalized and therefore more difficult to spot:
  • Spear phishing: the scammers send personalized emails including details such as the recipient’s name, job title, phone number or other specific information. Sometimes the fraudsters even gather information via social media platforms to prepare a more targeted attack.

  • CEO fraud: phishers impersonate the CEO or other high-ranking executives in the organization in order to ask other employees (e.g. Finance) to make fraudulent transfers. They usually impersonate the CEO by stealing his credentials (e.g. in a spear phishing attack) or by using technology to send an email seemingly on his behalf. 

How can you avoid taking the bait from phishers?

There is no single golden rule that will completely safeguard you from falling prey to a phishing attack, but you should always keep the following pointers in mind:
  1. Check the sender’s email address: if the email address doesn’t match the name of the organization it is claiming to come from, then it could be a phishing email.
  2. Beware of the content of the email: phishers try to trigger emotions such as fear (if you don’t provide the requested data then you will lose access), greed (you can earn money), pity, etc.
  3. Check the links in the email: phishing emails often contain links to a website that does not match the name of the organization the email is supposedly from.
  4. Don’t immediately click on attachments: if in doubt, never open attachments in an email.
  5. Use your common sense.
The quality of phishing emails and the techniques scammers use are improving all the time, so it is increasingly important for all employees to be aware of the risks of phishing and of the dangers when sharing sensitive personal (or corporate) information. But probably one of the best ways to increase the overall security awareness is a well-thought-out ‘fake phishing email’ campaign.

As the CIO, online security is my daily concern. However, in a digitalized world, we all have to do our bit to protect our company’s confidential data. So, be prepared and resist the temptation to bite!



Author: Steven Fleurent. You can follow Steven on Twitter or connect with him on LinkedIn