Phishing: How to Spot the Red Flags and Protect Your Business

Phishing is one of the common cyber attacks and is an umbrella term for various types of phishing attacks. According to the National Cyber Security Centre, as of August 2023, the number of reports of phishing attacks stands at more than 23 million.  

Phishing often serves as a common gateway to initiate various, more sinister cyberattacks, including the deployment of malware and ransomware and others to gather valuable credentials for sale on the dark web or further targeted cyber assaults. 

Although most commonly executed through email, attackers may also employ phone calls and text messages. We’ve compiled the top 5 types of phishing attacks with advice and guidance on how to confidently protect your organisation against them.   

Email phishing

Email phishing is one of the oldest and most common types of phishing attacks. Cyber criminals attempt to deceive individuals by posing as reliable senders. They typically copy genuine emails from reputable businesses and employ malicious links, documents or image files that can deceive the user into revealing their personal or financial information or downloading malware or viruses.   

How to identify a phishing email:

• Look for spelling & grammatical mistakes: Phishing emails often contain spelling or grammatical mistakes; however, it’s important to note that this issue can be combatted by using ChatGPT to craft more convincing phishing emails.  
• Check the sender’s email address: Phishers may use email addresses similar to legitimate ones but with slight misspellings or substitutions. Always check that the email address’s domain matches the legitimate domain of the organisation it claims to be from. 
• Verify suspicious attachments or links: Hover your cursor over any links without clicking to preview the URL and always ensure the URL matches the legitimate website of the organisation it claims to be from. Do not open attachments unless you are certain of the sender’s identity. 
• Beware of urgency and threats: Phishing emails often use urgency or threats to pressure you into immediate action. Be wary of emails that demand quick responses or threaten consequences. 

 If an email doesn’t look right, it probably isn’t. If you can’t verify that the message originated from a trusted source, it’s best to delete it. 

Spear phishing 

Spear phishing is a targeted attack on specific individuals or organisations that uses malicious emails. Unlike general email phishing campaigns, spear phishing attackers conduct extensive research to personalise their phishing emails based on the characteristics, interests, and vulnerabilities of their targets.

The goal is to make the phishing email appear highly personalised and convincing to increase the chances of acquiring sensitive information like login passwords or infecting the target’s device with malware.  

Business Email Compromise (BEC), also known as CEO Fraud, is a type of spear phishing attack aimed at tricking employees into taking harmful actions, such as sending money to the attacker. By assuming the identity of an authoritative figure, like a CEO, cybercriminals exploit this trust to deceive employees. 

Vishing (voice phishing) 

Vishing is a type of phishing attack that is conducted over the telephone or VoIP systems instead of email, where scammers impersonate legitimate organisations in order to trick the victim into giving away sensitive information such as credit card numbers, passwords, PINs or other confidential data.  

With the rise of AI and voice cloning technology like ElevenLabs, it is making it increasingly easier for scammers to clone a person’s voice in order to trick a victim into giving away sensitive information. 

Smishing (SMS phishing) 

A smishing attack involves sending fraudulent text messages (SMS) to individuals with the goal of tricking them into taking certain actions. Similar to email phishing, smishing messages often contain urgent or exciting content, such as compromised bank accounts, package delivery notifications, or a prize announcement.  

It is important to be cautious when receiving unsolicited text messages, particularly those that request personal or financial information. Always verify the authenticity of the message and avoid clicking on links from unknown sources. It’s crucial to avoid responding to suspicious messages as doing so may flag your phone number as active, making you vulnerable to further attacks. 

Quishing (QR code phishing)

Quishing attacks use QR codes to deceive users into scanning malicious codes via email. This leads them to fake websites that steal login credentials, and financial data, or distribute malware. These attacks are simple and evade many email security measures.  

As QR codes have become an integral part of daily life, users have grown accustomed to trusting them, making them susceptible to such attacks. Cybercriminals leverage this trust, initiating malicious campaigns.  

What happens if you scan a malicious QR code?

• You could be taken to a phishing website: By scanning the QR code, unsuspecting victims are led to what appears to be a legitimate website, where they are prompted to enter their payment information. Once entered, the cyber criminal can access credit card information. 

• Your device could be infected by malware: Users can be tricked into installing malware onto their own devices by scanning an unknown QR code, resulting in major security and privacy issues.

To avoid being a victim of QR code scans, always preview the QR code link before clicking on it. When you scan a QR code, a preview of the URL should appear on your phone. Exercise caution when scanning QR codes, especially if the sender’s identity is unknown.  

How can we combat phishing?

It is important to take preventive measures to protect yourself and your business from phishing attacks. Below are several steps you can take:  

• Practising good cyber hygiene: Cyber criminals are much more likely to target those who lack security knowledge than IT professionals who will recognise a phishing or impersonation attempt. Cyber security awareness is critical so that your employees understand the risks, know how to spot threats and take the right actions accordingly.  

• Using an email security solution: Implementing an email security solution, like Mimecast, provides advanced protection against phishing. With its cutting-edge threat intelligence and multi-layered detection engines, the solutions offers unbeatable protection against spear-phishing, malware, and spam. 
• Endpoint Detection Response (EDR): EDR solutions are effective in identifying and mitigating phishing threats by detecting unusual or malicious behaviour on endpoints and has the ability to scan files and URLs accessed by endpoints in real time. If an endpoint attempts to download a malicious attachment or visit a phishing website, the EDR system can flag and block the activity. 
• Implement a data backup plan: Having a data backup plan is crucial to ensure business continuity. Storing backup data remotely or in the cloud enhances protection and accessibility, even if the primary backup fails. 
• Protect your accounts: Multi-factor authentication (MFA) can significantly enhance security and help mitigate the risks associated with phishing attacks. By requiring additional verification beyond just a password, MFA makes it much harder for attackers to gain unauthorised access to an account.

Strengthen your IT Resilience through Email Security

Over the last 6 months, the threat landscape has undoubtedly worsened. While advancements in technology drive innovation for businesses, they also empower cyber criminals to become increasingly inventive in their tactics.

Phishing attacks pose a significant threat to businesses worldwide and the consequences to falling victim to these attacks can be dire. For example, financial losses, data breaches, and reputational damage. Therefore, implementing proactive measures such as email filtering solutions, EDR and providing sufficient training to your team can significantly reduce the risk.

Keep in mind, that prevention is far more cost effective than dealing with the aftermath of a cyberattack!

There are plenty more things SMEs can do to improve the condition of their IT and cyber security posture. Discover these strategies in our blog, Strengthening your IT Resilience in 2024 & Beyond!

Alternatively, contact us to further strengthen your security posture through cyber resilience!