You know what they say, give a man a fish…

…and he’ll eat for a day. Teach a man to phish and he’ll bombard your inbox with irritating, bogus emails about the latest song, app or even phone case (?!) that you apparently bought with your Apple ID. Okay, maybe that’s not quite the ancient proverb – but that doesn’t mean it isn’t true.

What is phishing exactly? Like the traditional sense of the word, you’re throwing out some bait and hoping that you’ll get a bite. Except, rather than worms, you’re using fraudulent emails peppered with offers, threats and other incentives. And rather than attempting to catch a fish, you’re hoping that someone will click one of your phoney links or open your attachment (the most common entry point for a phishing attack) and you can then steal their credentials. This can be information such as usernames, passwords or even credit card details.

Phishing is a huge problem. Why? For one, 14.5 billion emails are sent daily, and 73% of those are spam. Hackers are fine tuna-ing their emails – they’re getting more sofishticated, they look a lot more realistic and, because of this, more people are falling for them. Secondly, it’s a relatively straightforward and low-cost method of obtaining your information. Once they’ve extracted it from you, the hacker can sell the stolen information on the dark web for profit. And finally, some people simply don’t have the security awareness to recognise a phishing attack. It’s not all doom and gloom though: Verizon found in their annual Data Breach Investigations Report that the click rate on phishing emails was down to 3% – hurrah! Not quite. Remember, the attackers only have to be successful once…

But it’s not just phishing that’s a problem. The attacks have now evolved to include spear phishing, or even whaling! Spear phishing, like hunting for marine life with a harpoon, is a targeted attack – and is actually the attack most likely to cause a business to flounder. Rather than contacting a bass – sorry, I meant mass – of people, the hacker chooses a specific group or individual to target and personalises their emails accordingly. But how can a hacker personalise their emails for someone they don’t know? Well, it’s easy really. All the information comes from the public domain: information we willingly publish about ourselves on social media, such as where we work, our colleagues and bosses, what we do; in fact, enough information to know what will work and what won’t. The more personal information a hacker can obtain from open source intelligence gathering, the better the phishing attempt and the easier it is to get a catch and reel them in – hook, line and sinker.

Which brings me to whaling. Whaling is when an attacker hunts down a senior employee at an organisation and uses social engineering methods to capture their attention. Whaling is exactly the same as spear phishing, just with a bigger target (and a bigger potential pay out!). Recently, the City of Naples was subject to a phishing attack, costing them $700,000!

All of these attacks – particularly spear phishing and whaling – are becoming increasingly common-plaice. It’s getting harder and harder to distinguish between what’s reel and what’s not. Who can you trust on the internet nowadays – is it really a Nigerian prince in dire need of your help? With increased internet usage in our daily lives, we need to start thinking about threats online too. If you receive an unexpected, debaitable looking email or come across something that doesn’t look right – the spelling or language is incorrect, the content is unexpected, or seems like it could potentially cause haddock, do not react. Although technology is often used to filter out the dab from the good, our email servers can’t always correctly decipher legitimate emails and fake ones; sometimes they just slip through the net. Without a shadow of a trout, do your due diligence before you do anything else. Don’t reply to it, don’t click on any links and, lastly, do not open any attachments!

Always remember to:

  1. Check the sender – is the email address legitimate?
  2. Hover over included hyperlinks – is the destination address what it claims to be?
  3. Attachments – are you expecting anything from the supposed sender?
  4. Read the content – if you’re being asked to do something to avoid consequences, don’t do it.
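A small defender-side check for items 1 and 2 of that list, added here as an example and not part of the original post: it pulls the real address out of a From header and flags HTML links whose visible text names one domain while the href points somewhere else. The sample message is constructed, and the domain-matching rule is deliberately simple.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Naive "last two labels" rule; production code should use the Public Suffix List.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def find_mismatched_links(html):
    """Return links whose visible text names a different domain than the real href."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s]+)|(?:^|\s)([\w-]+(?:\.[\w-]+)+)", text)
        if shown is None:
            continue  # link text is a plain phrase, so there is nothing to compare
        shown_host = shown.group(1) or shown.group(2)
        if registered_domain(shown_host) != registered_domain(actual):
            findings.append({"shown": shown_host, "actual": actual, "href": href})
    return findings

def sender_parts(from_header):
    """Split a From header into display name, address and the address's domain."""
    name, addr = parseaddr(from_header)
    return name, addr, (addr.rsplit("@", 1)[-1].lower() if "@" in addr else "")

SAMPLE_FROM = "Apple Support <billing@appleid-verify.example.net>"  # constructed sample
SAMPLE_HTML = """<p>Your Apple ID was used to buy a phone case.</p>
<a href="http://appleid-verify.example.net/login">https://appleid.apple.com/</a>
<a href="https://www.apple.com/support">https://www.apple.com/support</a>"""
```

Run `find_mismatched_links(SAMPLE_HTML)` and `sender_parts(SAMPLE_FROM)` on the sample: the first link is flagged because the text says apple.com while the href goes to example.net, and the friendly "Apple Support" display name turns out to sit on an unrelated domain.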

Remember, if you’re unsure, you can always call the named sender on the email to check. Or if you want a bit of advice on how to protect yourself and your organisation from phishing attacks, drop us a line! (Sea what I did there?)