According to Microsoft, “phishing (pronounced like fishing) is a cyber-attack that attempts to steal your money, or your identity, by getting you to reveal personal information – such as credit card numbers, bank information, or passwords – on websites that pretend to be legitimate.” The term was coined in the 20th century to represent how internet scammers use e-mail ‘lures’ to ‘fish’ for this sensitive personal information.
In contrast, spoofing is when someone impersonates a trusted contact, a well-known brand, or a trusted website to fool you into revealing private information so that malicious activity can take place.
Both are forms of deception that threaten organisations as well as groups and individuals. Being aware and informed takes you and your organisation one step closer to avoiding being caught by phishing and spoofing scams.
There are many different phishing techniques. These are the most common:
Email phishing is currently the most prominent type of phishing. A person receives an email from what appears to be a legitimate source asking them to click on a link or download a file. It is often used to spread ransomware through links or attachments in the emails. Once you click on an attachment, you might be asked to sign in to another site, such as an email or file-sharing website, to open the document. The cybercriminal now has access to personal information about you.
Spear phishing uses a customised ‘lure’ to target a specific person. It usually happens through emails, text messages, direct messages on social media or even in video games. Criminals have conducted thorough investigations into your internet presence, and they use that information (such as real names, places of employment and email addresses) in the scam. Their aim is to get you to log into a fake site and offer up your login credentials, or to click on a link or document and install malware onto your device. This then leads to a more sophisticated attack which can extend over quite some time.
Whaling is like spear phishing, but the target is higher up in the organisation. The aim of this level of cyber-attack is generally to gain access to the organisation so that criminals can conduct an advanced persistent threat (APT) and mine highly sensitive data.
How to spot a fake
- Check the address the email is coming from. If the email claims to be from your bank but uses an email domain like Gmail or microsoftsupport.ru, it’s probably a scam.
- If you receive an email from an unknown sender, someone you have never dealt with before, this could be phishing. Take the time to check the email address and scrutinise the content.
- Is there a sense of urgency? Do they ask you to act now? This is a trick used to get you to act without thinking: instead of talking to someone and checking the legitimacy of the email, you might just click on the link as requested so as not to miss out on the so-called opportunity.
- If there are attachments or links in the email, don’t click on them. Instead, hover over the link or attachment first to check whether the address it redirects to is the one you expect.
- Are there any obvious spelling or grammatical errors? Most professional organisations make sure their correspondence is free of errors to create a good impression.
- There might also be calculated misspellings in domain names, such as a zero in place of an ‘o’, or an ‘m’ replaced with an ‘r’ and an ‘n’, as in rnicrosoft.com.
- Is it a tech support scam asking you to call a hotline to fix a software issue that you don’t even have?
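The sender-domain checks in the list above, as an added example that is not part of the original post: a small Python classifier that flags free-mail senders, a brand name sitting under a foreign domain, and calculated misspellings folded back onto the genuine name. The trusted-domain and free-mail lists are constructed sample data.

```python
from email.utils import parseaddr

# Constructed sample data: domains the organisation really sends from, and
# free webmail providers that a bank or vendor would not use for official mail.
TRUSTED_DOMAINS = {"microsoft.com", "examplebank.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Calculated misspellings folded back onto the letters they imitate, so a
# lookalike such as rnicrosoft or micr0soft collapses onto the genuine name.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalise(label):
    for fake, real in SUBSTITUTIONS:
        label = label.replace(fake, real)
    return label


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header, ignoring the display name."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower().strip(".")


def classify_sender(from_header):
    """Return 'trusted', 'free-mail', 'lookalike' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unknown"
    labels = domain.split(".")
    # Registrable part: the last two labels (enough for .com-style domains;
    # a production check would consult the public suffix list instead).
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED_DOMAINS:
        return "trusted"
    if registrable in FREE_MAIL:
        return "free-mail"
    # Any label that is, or contains, a trusted brand name once normalised is
    # treated as an impersonation attempt: microsoftsupport.ru, rnicrosoft.com,
    # or the brand buried in a subdomain such as microsoft.com.evil.example.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    for label in labels:
        folded = normalise(label)
        if any(folded == b or b in folded for b in brands):
            return "lookalike"
    return "unknown"
```

The rn/m and similar folds can also alter legitimate names (for example ‘western’ becomes ‘westem’), so treat a ‘lookalike’ verdict as a reason to scrutinise the mail rather than as proof of fraud.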
Since 2020, 81% of organisations around the world have experienced an increase in email phishing. Organisations need to actively monitor their websites, social media pages, blogs, mobile apps and email channels for any activity that impersonates their brand and puts their reputation at risk.
One method of ensuring your personal information is taken care of is to make use of RADMARC Domain Security. RADMARC uses DMARC (Domain-based Message Authentication, Reporting, and Conformance) to protect a company’s domain from being used to send emails associated with phishing, social engineering, spoofing, spam and other types of fraud. There are three different policies to choose from, to cater for your different needs.
Ideally you would use RADMARC alongside a tool like Acronis Cyber Protect. This ensures that you are protected not only from email attacks but also from viruses, malware and ransomware, and that your data is backed up to a secure cloud ‘vault’, so that even if one of your employees brings a virus into your network, your critical information is safe and backed up.
If you’re worried about your cybersecurity, or if you just want to find out how the team at Radical Cloud Solutions can assist in further securing your domains, get in touch with us.