CYBER SAFE WALES PHISHING KNOWLEDGE BASE
What is Phishing
Phishing is a social engineering technique used by attackers to try and “fish” for sensitive information. Criminals carry out phishing attacks in the hope of getting access to confidential information, such as passwords or credit card details, usually by pretending to be a trustworthy entity such as a service you use often or even a governmental organisation.
The ultimate result of these attacks might include financial theft, identity theft, or disruption of systems and services. Attackers can achieve all of this by directly utilising the information stolen from their victims, and by infecting victims’ devices with malicious programs (malware), such as computer viruses.
How Does it Work?
Historically, phishing attacks were carried out mostly via email. Nowadays, there are other mediums for phishing: SMS texts, phone calls, and instant chat messages are some examples.
Phishing is commonly associated with luring messages enticing the victim to download malicious attachments or click on malicious links.
These links often lead to a fake copy of a website you know well, where you attempt to log in with your username and password – however, instead, this leads to the attacker gaining access to your login credentials.
Phishing emails and messages can also be used as a vehicle for computer viruses and other malware (malicious software/programs), which infect devices. This can be achieved by getting victims to download a malicious attachment or click on a link.
Malware can perform actions such as giving the attacker remote access to the information stored in your device, or even locking you out of it (as is the case with ransomware).
Life Cycle of a Phishing Attack
Common Phishing Indicators
- An unknown sender or a misspelled sender’s email address that tries to mimic a company or person you do know. Attackers use the latter to try to trick you and gain
- Subject lines with statements or alerts designed to grab your attention and lure you into opening the email. Some of the most common topics include failed payments, payment invoices, winning a large sum of money (even though you never bought that lottery ticket!), alerts about account closures, and other general alerts that something is wrong with your
- A generic salutation, such as “dear customer”. Most companies will address you by name in legitimate communication.
- Spelling and grammar mistakes throughout the email.
- An email whose main aim seems to be getting you to click on a link or download an attachment. This is especially true when coupled with a sense of urgency and authority in the email. Phishing messages often ask you to perform some action within a short deadline.
- Attackers often pretend to be from a trustworthy entity of authority, such as a governmental organisation (e.g. revenue office), a bank, or even a manager at your company. Remember: there is plenty of information online – it’s easy for attackers to find out names of real people at your organisation and their roles!
- The real destination of a link doesn’t match the company name or the link on the body of the email. For example, you get an email that seems to be from Dropbox and the link reads “dropbox.com”, but when you hover over the link you see that it’s sending you to “phishy-website.com”.
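As an added example (not code from the Cyber Safe Wales page), the following Python check automates the last indicator: it pulls every link out of an HTML email body and flags those whose visible text names one domain while the real destination is another, exactly the Dropbox case above. The sample message body is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:  # only collect text that sits inside an <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude owner domain: last two labels, so www.dropbox.com -> dropbox.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_of(text_or_url):
    """Host from a URL, or from bare link text such as 'dropbox.com/files'."""
    candidate = text_or_url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # let urlparse treat bare text as a URL
    return urlparse(candidate).hostname or ""

def mismatched_links(html_body):
    """(visible text, real href) for each link whose text names a domain
    other than the one the href actually points to."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown = domain_of(text)
        if "." not in shown:
            continue  # plain words like "Help centre" make no domain claim
        if registered_domain(shown) != registered_domain(domain_of(href)):
            findings.append((text, href))
    return findings

# Constructed sample body, not a real message: one spoofed link, one genuine one.
SAMPLE = ('<p>Your file is ready: <a href="https://phishy-website.com/login">dropbox.com</a></p>'
          '<p><a href="https://www.dropbox.com/help">Help centre</a></p>')
```

Running `mismatched_links(SAMPLE)` returns the single spoofed link; a mail gateway or awareness tool could attach such findings to the message as a warning banner.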
Why Does Phishing Work?
Conducting phishing attacks is essentially free or very cheap, so attackers employ this technique extremely often, increasing the likelihood that someone will fall for it. Phishing attacks target and exploit our natural trusting instincts, curiosity, as well as our desire to be efficient and helpful. Phishing messages typically follow themes which specifically target human vulnerabilities, such as:
- Emotion: for example, through an email from someone pretending to be an old school friend or a distant relative. The attacker might even create a fake email address and use a real name of an old friend of the victim’s, which can easily be found on social media platforms.
- Financial worry: the email might offer a large sum of money, or threaten the victim with fees if they don’t act quickly.
- Impatience: perhaps by sending fake and seemingly urgent delivery status updates from common online shopping websites.
Some phishing emails are poorly written and quite obvious, but many phishing emails are extremely well-crafted and believable – especially if the attacker is targeting a specific person or organisation. This is called spear-phishing and it is becoming increasingly common.
What You Should Do
You might have arrived at this page because you were looking for guidance. If you suspect a phishing attempt…
- Do not click on links or open/download attachments sent within suspicious emails, SMS texts, or chat messages.
- Do not fill out forms sent through suspicious emails and messages. These forms usually ask for some type of confidential information such as your bank account or credit card number, your date of birth, or the answer to a typical security question (e.g. mother’s maiden name).
- Do not reply to the email or message.
- Report it to IT at your organisation immediately, so that they can alert other employees who may also be targeted. Visit our report page to learn more.
Now that that’s out of the way…
- Double-check the sender email address. Is it misspelled? Do you really know this person?
- If you do know this person, did you expect this email? Do they usually send you similar emails or does this seem odd to you? Can you make a call and verify if they sent you the email or message? Attackers often pretend to be someone you know.
- Hover over the link with your mouse in order to see its real destination – but don’t click on it!
- You should NEVER attempt to open attachments sent in suspicious emails.
Why is this Important?
- Disclosing your login credentials on a fake website or getting your device infected with malware can lead to serious consequences for yourself and the organisation you work for.
- Attacks targeting organisations can lead to serious financial loss and reputational damage, so companies must take phishing awareness training and implementation of other security controls seriously.
- We all need to remain vigilant and think twice when an email or message seems suspicious, no matter our role or job title.
- It’s important to know that your personal data may be at stake too, as the attacker might lure you into disclosing your own confidential information – for example, one of your passwords or your credit card number – or if you use your own device at work.