Over the last few months we have seen an increase in Phishing email attacks. Resulting in serious fraud being committed when clients are tricked into responding to a simple; short email which appears to be from an internal member of staff, often a trusted figure of authority.

 What are phishing attacks?

Phishing is a way for unscrupulous hackers to gather your protected information. Often tricking users into giving away personal details such as bank credentials, passwords, social security numbers, and more.  Phishing emails are considered one of the main vehicles for identity theft.  They look legitimate and most users do not realise they are actually a scam until it’s too late.

The particular types of Phishing attacks we have seen in recent months which use simple targeted emails called ‘Spear Phishing’. They are far more direct & are often aimed at a specific person who has been identified & subsequently targeted.  These are becoming more common & in recent years target SME businesses.

What does it look like?

Often the original Phishing attacks email which appears to be from ‘the boss’ or a trusted senior member of staff. Regularly starts with something like ‘are you at your desk today’. If the email is replied to, the attacker carries on a conversation with the respondent. Finally resulting in the request for a money transfer.

We know of companies who have not had policies in place for two stage authorisation of money transfers. Having paid the email requests for sums based on these types of request, resulting in fraud and police involvement and significant down time.

Social Media Scouring

The attackers are becoming very cunning and often scour social media and other public channels. All to ascertain as much information as possible about a company and its staff. Allowing them to make their emails as authentic as possible, but there can be warning signs which you and your staff can look for.

Clues to Check For

• The email will be  asking for personal information. It might say something like your password has expired, please update it here by clicking this link (directing you to a spoofed website).  We recommend that users do not nurture a culture of password complacency and keep their passwords secure, not on post-it notes and not shared liberally around other staff members.
• Most phishing scams have  grammar errors. This could be one misspelled word or random capitalisation in the emails. The errors are usually very subtle, and often resemble something that would have come from a trusted source.
• The email will often contain a subtle clue it is a fake, for example, it might say ‘Sent from my iPhone’ but the sender uses an Android, or it might use an unfamiliar sign off, such as a full name when normally the sender would use a nick name or abbreviation.
• Many phishing emails will have the  proper banners edited into the emails to make them more convincing, but they may slightly a colour shade off or use very slightly different fonts. This can trick users into thinking they are corresponding with a trusted Bank, Government department or financial authority.
• The hyperlink goes somewhere else. Anyone can change the hyperlink in an email to say something completely different. Before you click, hover over the link to check where it will really take you and if you are suspicious never click on it.
• Beware of anything BEFORE the forward slash & misspellings. Adding periods or dashes before the forward slash tricks people into clicking the link because it looks like the right URL at first glance. For example http://ebya.co-uk.info/ isn’t going to ebay.co.uk By adding periods or dashes before the forward slash or using a misspelling that’s hard to spot, it takes users to a different domain.

 Where can I report these phishing attacks?

We have found a site where you can report scam emails which you may find useful; http://www.actionfraud.police.uk/scam-emails we have not used this site ourselves but we have started to research where we can suggest clients submit this type of scam.  You are also able to contact the police themselves locally and ask how you can report this.

We do appreciate the severity of these types of contact & how it can be potentially dangerous.  We strongly recommend that staff are educated not to click on emails and not to use email as ‘text messaging’. Ensure that there are verification and procedures for money transfers which involve telephone calls, rather than simply using email requests.