Don’t be fooled – long gone are the days when phishing scams were clumsy, clunky, and oddly written, suggesting that you transfer money or claim your free prize. Now, the oh-so-sophisticated scams make us feel safe and looked after. They often gently request an update of information and, seemingly, nothing more. However, we are still surrounded by multiple misconceptions and false truths when it comes to phishing – and that is where it gets dangerous.
When we think of phishing, we often think of a relatively generic, albeit personalised, communication purporting to be from a trustworthy source, asking for personal facts, bank details, or the transfer of a large sum of foreign currency. Just like the sort of impersonal email you’d expect from your bank, or your mortgage lender. We think that there would be some clue that makes it sound ‘not quite right’ – the use of the wrong tense, a misspelt word, a blurred logo …
But these misconceptions are too often proved to be just that. Such ‘bulk’ phishing scams are now oh-so-sophisticated. They are clever and complex and getting increasingly so. In addition, ‘spear-phishing’ is becoming more commonplace, with phishers using their time and energy to research specific companies or, worryingly, individuals. Why? All to increase the likelihood of their phishing success.
However, this isn’t *always* how it works and it is these misconceptions, or stereotypes, that are so very dangerous. Assumptions can too easily lead to complacency and that is the real risk.
How do we know? Because it is this that ‘almost’ caught us out…
Our story involves spear-phishing – direct, personal and knowledgeable. It starts with our new hire. After receiving an email from one of the directors, our new staff member passed on his mobile number, as requested, so that they could communicate more easily. A series of messages went back and forth, but after a short while our staff member felt he should check. Check he did, and the number he was being contacted from didn’t belong to the director the sender claimed to be.
The scammer spoofed a legitimate-looking email, pretending to be a senior member of staff communicating with the new guy. Thank you, social media! At this point, our staff member had passed on his number – nothing too sensitive – but as the communication started to get more intense, alarm bells rang. Happily, our new hire followed protocol. He alerted the relevant people, blocked the number and reported it to Action Fraud.
With such vast amounts of information on each and every one of us out there – from information that we choose to share, to information that we have no intention of sharing – we are, effectively, just waiting for a phisher to spear us in an intimate and confident scam.
The Biggest Risk
Put simply, the biggest risk is you – the individual staff member, undeniably the weakest link. And it isn’t just small, unassuming organisations that get caught out. Employees in global corporations get hit all the time. Google and Facebook are just two worldwide examples where employees have fallen foul of phishing.
According to the ICO, phishing was the number one cause of cyber-related data breaches in its 2019–2020 reporting period, and this is set only to rise. Since 2017, the percentage of businesses experiencing (and reporting) phishing attacks has risen from 72% to 86%. 2020 hasn’t been called the Year of Phishing for nothing.
Because staff are the biggest data breach threat for your company, it is vital that they understand the risks involved when it comes to phishing scams and data security. They need the correct training to understand phishing, to challenge the misconceptions and to be alert: they need to know how to act in such circumstances to prevent both financial and reputational damage to your business.
Lucky: We Live & Breathe Security
We were lucky: we live and breathe security. Our staff are all over it, but, just as any company should, we regularly test both our technical defences and our team’s knowledge of phishing and company policy.
We weren’t complacent; we challenged the common misconceptions about phishing. We spotted the scam, we contained it, we reported it. One Compliance 1: Phishers 0.
We’re here to help your company do the same – call us today on 020 3855 0895 and let us help you keep your company safe. Our team can conduct an in-depth phishing assessment, can search the dark web to ascertain what information regarding your company is out there, and can help train your staff and remove complacency and misconceptions. We help you recognise the risk and offer simple, bespoke advice to help develop cost-effective job security with minimal impact to your business.