What is Phishing and Spoofing?

We’ve included a free infographic for your reference, download it here

This year has been a breeding ground for malicious cyber-attacks, the most common of which have been phishing attacks. As an attack that targets thousands at a time, and even affects big names such as Lloyds Bank, a Phishing attack preys on unknowing users and big brand legitimacy. This week, we take a look at all things Phishing.

Put simply, phishing is a malicious attack that tricks users into sharing sensitive information by mimicking a legitimate source and, for example, calling for users to update details – at which point, breaching the user’s account security. Phishing often targets login credentials or credit card information.

How does phishing work/What does a phishing attack look like?

While pronounced similarly to actual Fishing, Phishing in a malicious sense plays off how fisherman bait and catch fish. Hence the name phishing.

Often touted as a social engineering attack on users, phishing often involves attackers masquerading as a legitimate and trustworthy source, often over email, and tricks users into unknowingly taking a malicious action, such as clicking a harmful link, downloading malware or submitting details.

As phishing can be performed through a targeted or mass-produced manner, therefore in order to understand what a phishing attack looks like, it’s important to first learn about phishing techniques.

Email Phishing

Email phishing is often mass-produced and attacks thousands of recipients. In simply targeting masses of people, attackers can guarantee the capture of significant information or stolen money. Email phishing attacks will often closely resemble a legitimate brand, with attackers going to great effort to mimic widely recognised brands – using phrases, typefaces and logos to appear legitimate. Email phishing is often identified by the sense of urgency they attempt to create and a domain which looks legitimate but with a small discrepancy.

Spear Phishing

As the name suggests, spear phishing is often targeted at a specific enterprise, as opposed to the general public. Spear phishing will often have targeted information about the organisation it’s attempting to attack. Spear phishing attacks often utilise publicly available information about its structure or userbase in order to mimic the identity of a recognisable individual. For example, an attack can often take shape as an invoice being sent from a recognised member containing a password-protected file, upon clicking on the link and entering credentials, the attackers gain access into the employee’s account.

What’s the difference between phishing and spoofing?

While it can be difficult to tell the two apart, email spoofing is when a sender’s email address has been forged to appear as though it was sent from a credible source, one other than the actual source. While a phishing attack mimics credible sources on a wider scale, spoofing occurs when the email address has been forged to look as though it was sent from a credible source, such as your bank.

How phishing attacks can damage your business

Phishing attacks against businesses continue to skyrocket, and as hackers advance in how they use phishing and other malware, the cost to businesses can be detrimental. Microsoft estimates the potential cost of cyber-crime to the global community as a staggering $500bn USD, and an average data breach costing a company around $3.8m.

A company’s defence against cybersecurity is only as strong as its weakest link, which often results in unknowing employees being exploited by email phishing attacks. The best defence against phishing attacks on your company comes from increased education to employees about what to look out for and how to report malicious activity.

At Fitzrovia, our cybersecurity specialists understand the importance of education for your teams, that’s why we work with you to ensure awareness and resources for employees. Chat to us today about how we can help.

Did you know, a successful attack can often result in:

• Identity theft
• Loss of data
• Theft of sensitive or client data
• Loss of IP
• Financial theft
• Credit card fraud
• Malware and ransomware attacks
• Data sold to malicious 3^rd parties

Why phishing peaks during a crisis

According to a survey from GreatHorn, companies have experienced an average of 1,185 attacks every month since the pandemic started. After reports of increased attacks during COVID-19, it’s worth wondering – why does cybercrime boom during a crisis?

Cybercriminals rely on deception and urgency to see success in their attacks, in times where individuals are panicked and seeking information, resources or answers – they often overlook warning signs that would typically cause concern. At times like these, it only takes an impulsive click that results in downloads of malicious files.

How to protect yourself against an attack

1. Invest in security software/raise the issue internally
2. Update software regularly
3. Enable 2FA across all accounts
4. Back up data regularly

How to report a phishing attack

If you are in the UK and believe you’ve received a suspicious email to your private accounts, you can forward the email to the National Cyber Security Centre at report@phishing.gov.uk. After which, the NCSC will analyse the email and any linking addresses and could result in:

• An entire block of the email address’ ability to send emails
• Removal of malicious links from web hosts
• Public awareness campaigns

If you believe you have fallen victim to a phishing attack, contact Action Fraud at https://www.actionfraud.police.uk/ or by calling 0300 123 2020.

*Did you know: More than 2.3 million reports have been lodged to the NSCS? Resulting in over 9,315 scams and 22,000 URL’s being removed.