Enquire
Knowing how to identify a phishingA type of scam where attackers try to deceive people into revealing sensitive information or installing malicious malware. Phishing attacks are most commonly delivered by email. email is crucial for safeguarding your organisation against cyberthreats. According to Microsoft, nearly 15 billion suspicious emails are blocked every day by their email platform, Outlook.
A phishing attack is defined as a type of cybercrime. Attackers target individuals via email, telephone or text messages, pretending to be a reputable or known person to trick individuals into sharing sensitive information.
Email phishing is an increasing problem for businesses of all sizes and across all sectors. Sophisticated attackers are wise to many of the security measures organisations use and have developed strategies to circumvent them. Advanced phishing attacks are highly targeted, more difficult to detect, and can bypass traditional security filters.
In this blog, we discuss the impact of phishing attacks, the different types and tactics, how to identify a phishing email, and the measures to consider for safeguarding your organisation against these cyber threats.
Many phishing attacks are motivated by financial gain, but this isn’t always the only objective. Obtaining unauthorised access to an organisation’s systems can serve a variety of malicious purposes. For example, acquiring sensitive information for espionage or disrupting operations with malware for revenge or activism.
A phishing attack can cause a host of problems for organisations:
To reduce the risks of email phishing you need to first understand the various types of phishing attacks your organisation might encounter and the different tactics used.
The type of email phishing attack refers to the method of delivery, target or objective.
The tactics used by attackers refers to the specific strategies and techniques used within those types.
PHISHING TYPE | DETAILS |
Spear phishing | Attackers tailor emails to specific people. Unlike traditional phishing, that aims to deceive as many people as possible, spear phishing is focused and personalised |
Whaling | Attackers target senior executives who have significant power, access and influence within a company |
Clone phishing | Attackers clone a legitimate email and replace an attachment/link with a malicious version |
Email bombing | Attackers flood an email inbox with numerous spam emails to distract the victim from important emails |
Business email compromise (BEC) | Attackers target businesses working with foreign suppliers and/or businesses that regularly perform wire transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. payments |
Man-in-the-middle (MITM) | Attackers secretly intercept and alter a communication thread between two people who believe they are communicating with one another |
PHISHING TACTIC | DETAILS |
Email spoofing | Attackers create email messages with a forged sender address |
Link manipulation | Attackers use misspelled URLs or subdomains to trick people into thinking they are visiting a legitimate website |
Pop-up windows | Attackers collect personal information or trick people into downloading malicious hardware through a pop-up window |
Image phishing | Attackers embed malicious code into image files, which link to phishing websites |
Website spoofing | Attackers create a fake domain that looks like a legitimate one |
Despite the sophistication of advanced phishing attacks, there are tell-tale signs that can help you to identify a phishing email. These are the key areas to scrutinise:
You also need to trust your instincts. If something feels wrong, proceed with caution and always report suspected phishing attempts to your organisation’s IT or security team.
Phishing is a form of social engineering that exploits human tendencies such as trust, curiosity and fear. An email that appears to be from a trusted colleague or a reputable organisation can sometimes trip up even the most careful of employees.
Therefore, awareness training is a critical first line of defence for any cyber security strategy. In addition to this, you should consider strong technical defences and well-prepared cyber security policies.
A multi-faceted approach is the best way to safeguard against phishing threats and reduce your risks of a data breach. Let’s take a look at these areas in a little more detail:
The training should cover a wide range of topics, including password security, email filtering and how to report a suspected phishing email. Use real examples of targeted phishing attacks to ensure employees understand what to look for and how to spot the red flags.
Training should be conducted regularly, providing employees with practical tips and best practices.
Your cyber security policies should outline the responsibilities of all employees and the steps they need to take when they receive a suspected phishing email. The policies should also cover all aspects of cyber security, including password management, use of company devices, use of personal devices for company work (Bring Your Own Device), and how to handle sensitive data.
Regularly review and update your policies to reflect any organisational or operational changes and make sure they are up to date with current threats and best practices.
Be aware of the risk factors and challenges of a Bring Your Own Device (BYOD) policy, especially with mobile phones. An employee’s personal phone can bring several security risks and logistical challenges, including unintended data sharing, data protection compliance issues, and general IT control options. It is harder to balance security and privacy rights with employees’ personal devices. We advise enrolling in a Mobile Device Management (MDM) or Remote Monitoring and Management (RMM) platform to help address these concerns.
It is important to ensure your systems are regularly updated and protected against known threats, using specific anti-phishing and URL defence software.
The technical defences that should be set up by organisations include:
You should also consider these important steps:
Keep in mind that a comprehensive cyber security strategy is one that includes multiple preventative measures. You shouldn’t solely rely on technical security, or staff training and policies. The most effective strategy is one that includes all these elements, as well as having a well-planned response protocol to ensure swift action and minimal impact if any incidents occur.
For more information about handling a data breach, read Data breach management: 5 tips for an effective response
The UK’s National Cyber Security Centre offers a free check your cyber security service to help UK organisations check for cyber vulnerabilities.
The European Union Agency for Cybersecurity (ENISA) provides various resources and key services, including certification schemes, events and guidance. Find out more about ENISA’s services
Canada’s Communications Security Establishment (CSE) launched a national cyber security awareness campaign on 1 October 2022. Get Cyber Safe provides public information about cyber security and how to secure accounts, devices and network connections.
If you need support with your data protection awareness training, The DPO Centre can help.
We have worked with over 850 companies across the span of industry sectors and have one of the largest teams of experienced Data Protection Officers (DPOs) available.
We provide a range of data protection compliance training that is tailored to your organisation and staff needs
Contact us for more information
______________________________________________________________________________________________________________________________
In case you missed it…
______________________________________________________________________________________________________________________________
For more news and insights about data protection follow The DPO Centre on LinkedIn
Enquire
Fill in your details below and we’ll get back to you as soon as possible