According to a recent report, 90% of all data breaches can be traced back to phishing attacks. Despite how common they are, however, few businesses know how to effectively protect themselves from this damaging cybercrime.
With the average cost of a successful phishing attack on a medium-sized business now standing at $1.6 million, it’s vital that you know how to identify a phishing scam and educate your employees about the risks they pose.
What is a phishing scam?
Phishing is a type of cybercrime in which an individual is contacted by someone who has adopted the guise of a respected institution, organization or individual in order to lure the target into giving confidential information – including passwords, banking details and personally identifiable information – to the hackers.
This information will then be used to access the accounts of the target, often leading to significant financial loss. When targeting businesses, phishing scams can also lead to the loss of sensitive company information, such as revenue figures.
Phishing scams were traditionally only carried out via email. However, in recent years there has been a significant rise in the number of phishing scams being carried out via text message (smishing) and phone calls (vishing).
Additionally, the occurrence of spear phishing – personalized phishing attacks deliberately aimed at a specific individual or group – has risen dramatically.
From messages ostensibly from your bank asking you to update your account information, to those supposedly from your employer asking you to sign an important document, the prompts used in phishing attacks are varied and often difficult to identify.
Phishing Scams & Ransomware
As well as extracting valuable confidential information from the target, phishing scams can also be used to deliver ransomware onto your device.
Ransomware is a specific form of malware that encrypts your data, meaning you can no longer access your files and information. The cyber criminals will then demand the payment of a “ransom” for these files to be decrypted, though paying the ransom is definitely not recommended.
According to a 2016 report by PhishMe, 93% of all phishing emails contained ransomware. As the cyber attack on the NHS showed in 2017, ransomware has the capacity to bring even the largest of organizations to a standstill.
Ransomware is most often spread by attachments in the fraudulent emails. Once opened, these files download the ransomware directly onto the device. With the risks associated with phishing scams being so high, it’s essential that you know how to identify a phishing scam.
Four steps to identifying a phishing email
1. Spelling and grammar mistakes
One of the easiest ways of knowing whether the message you’ve received is legitimate is by reading it closely. If you get an email from your bank asking you to update personal details, it is unlikely that it would contain spelling and grammar mistakes.
It’s worth remembering that even though the hackers may have adopted the display name of the genuine person or organization, that does not guarantee that it’s from them. By using lookalike or deeply nested subdomains, a sender can make an address or link appear to belong to an organization it does not: the familiar name sits at the front of the address, while the domain that actually controls it belongs to the attacker.
Similarly, if you receive an email that’s supposedly from a colleague at an unusual time that contains unusually poor spelling, then be cautious and check first with the sender before clicking on any links contained within the email.
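The subdomain trick above is easiest to see by checking which domain actually controls a sender address or link, rather than which name appears first in it. The following is an added example, not code from the original article: it extracts the host from an address or URL and compares its registrable domain with the one you expect. The domain names are constructed, and the suffix handling is deliberately simplified (a production check should consult the Public Suffix List).

```python
# Added example (not from the original article): does the domain that actually
# controls an address or link match the organization it claims to come from?
# An attacker who registers "secure-login.example" can put "yourbank.com" in
# front of it as a subdomain, so the start of the address looks familiar
# while the controlling domain is theirs.
from urllib.parse import urlsplit

# Constructed, deliberately incomplete set of multi-label public suffixes.
# Real checks should use the Public Suffix List instead of this table.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def host_of(value: str) -> str:
    """Return the lower-cased host of an e-mail address or URL.

    A URL with user-info ("https://yourbank.com@evil.example/") is parsed as
    a URL, so the part before '@' is correctly ignored.
    """
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1]
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def registrable_domain(host: str) -> str:
    """The part of the host somebody actually registered, e.g. 'secure-login.example'."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_from(expected_domain: str, value: str) -> bool:
    """True only when the registrable domain of `value` is exactly `expected_domain`."""
    return registrable_domain(host_of(value)) == expected_domain.lower()


if __name__ == "__main__":
    for sample in ("alerts@yourbank.com",
                   "alerts@yourbank.com.secure-login.example",
                   "https://yourbank.com@evil.example/login"):
        print(f"{sample!r:55} from yourbank.com? {is_from('yourbank.com', sample)}")
```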
2. Unwarranted sense of urgency
Hackers will often try to use a sense of urgency to make you miss the more obvious telltale signs that it’s a fake. A particularly common way of doing this is by suggesting that your account has been hacked and needs to be reset.
Another common way of creating a sense of urgency is by promising time-specific promotions, prizes or rewards. By doing so, they intend to lure you into providing information without properly checking the links, attachments and files contained within the email or text.