You better watch out, and keep a sharp eye... phishing scams are coming to town
Just in case you don’t know what ‘phishing’ is, it’s a deceptive tactic where email is used to dupe the recipient into responding to a fraudulent message. This deception may involve clicking on a link, downloading an attachment or calling a helpline number.
Phishing works by convincing the victim that the email is from a reputable source: for example, a government department, a supplier, colleague or a customer. While phishing scams go on all year round, it’s during the run-up to Christmas that they tend to spike in frequency.
With the busiest retail season underway, and with many of us searching for gifts for friends and family, sending and receiving festive greetings, ordering things online, booking Christmas-party venues, or browsing for winter-sun getaways, it’s all too easy to fall for an authentic-looking phishing email.
Cyber-criminals will use the names and logos of all the big brand retailers in their phishing emails to trick you into believing the scam message is legitimate. Often the message will use a sense of urgency to make you act without thinking.
Deceptive phishing – could you spot a scam email?
The most common type of phishing scam is one where the cyber-criminal sends an email that imitates a message from a bank, retailer, government agency or service provider. This type of fraud is called deceptive phishing.
One such email that’s been doing the rounds claimed to be from the online security team at a major global web services provider. It warned the recipients that their email account had been infected with a virus and that they must click on a link to run a security scan. The email went on to warn the email account holder that if they ignored the notification, then their account would be suspended without further notice.
If clicked, the link in the email redirected the account holder to a fraudulent website, which asked them to resubmit their account details, including their email address and password. Once in the cyber-criminals’ hands, these credentials could then be used to hijack the user’s account to distribute more scam emails to their contact address book, as well as take control of any linked services.
Of course, this type of scam relies on how convincing the phishing email is, and some are very convincing indeed. As a precaution, look out for generic salutations ('Dear customer') and for spelling and grammar mistakes in any promotional, marketing or service emails you receive, but don't rely on them: many scam emails are now word-perfect copies of the real thing. Always check where a link actually leads before you follow it. On a computer, hover your mouse pointer over the link (do not click it) to reveal the destination address; on a phone, a long press on the link usually shows it. If in doubt, don't use the link at all: open a new browser tab and type the organisation's address yourself, or use its official app.
Spear phishing – impersonating a trusted contact
Like the standard phishing email, spear phishing is used by cyber-criminals to steal confidential data or install malware on the victim's computer. However, unlike a standard phishing email, which tends to be mass-produced and lacks any personalisation, the spear-phishing email will include the recipient's name and other relevant personal information to convince them that the sender is trusted and legitimate.
To achieve this, the hackers will lift personal data on the victim from social media sites and other online sources. This may include who their family and friends are, where they work, what sort of places they regularly visit, what they like to buy, and how and where they prefer to do their shopping. The attackers will then use this data to craft an email that contains highly relevant information and appears to be from a friend or a trusted organisation.
What makes spear-phishing so attractive to criminals is its effectiveness, low cost and versatility. Hackers with limited skills can use spear-phishing to steal credentials and distribute ransomware. Organised crime can use it to carry out blackmail and fraud, and nation-state actors can use it to infiltrate and compromise target businesses and institutions.
It's vital, therefore, that individuals and organisations educate themselves about the tactics that cyber-criminals use. Employees, in particular, should be trained to spot phishing emails and vishing scams, and should know how to report a suspicious message rather than simply deleting it.
Additionally, be careful about the websites you visit, especially during the Christmas season when 'spoofed' copies of retail and banking sites spring up. Read the address of a site from right to left: ignore everything from the first single slash onwards, then the registered domain is the last two parts of the name before it (or the last three for addresses ending in .co.uk and similar). So www.mybank.co.uk.secure-login.example belongs to secure-login.example, not to your bank, however familiar the start of it looks. A padlock or 'https' at the beginning of the address only means the connection is encrypted; it does not mean the site is genuine, and most phishing sites now use https too. Be suspicious of addresses that begin with a bare IP address (a string of numbers) instead of a name, and of addresses where a familiar brand name appears before an '@' sign, because everything before the '@' is ignored by the browser and the real site is whatever follows it.
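The two checks described above (hovering to compare the link text with where it really goes, and reading the address from right to left to find the real domain) can be written down as a small script. The following is an added example, not code from the original article or from Clear; the sample links, the brand name mybank.co.uk and the .example hosts are constructed for illustration and resolve nowhere, and the public-suffix handling is a deliberately simplified stand-in for the real Public Suffix List.

```python
"""Link checks for 'read the address right to left' and 'hover before you click'.

Added example, not part of the original article. All links below are
constructed: .example domains are reserved for documentation.
"""
import ipaddress
from urllib.parse import urlparse

# Simplified public-suffix handling (assumption): the last two labels are the
# registrable domain except for a few two-part public suffixes. A real tool
# would consult the Public Suffix List instead of this short set.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Read the hostname from the right: 'login.mybank.co.uk' -> 'mybank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_host(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, expected_domains: set, display_text: str = "") -> list:
    """Return a list of warnings for a link; an empty list means nothing looked wrong.

    expected_domains: the registrable domains the brand really uses.
    display_text: the clickable text shown to the user (the 'hover' comparison).
    """
    warnings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    # Note: https is deliberately NOT treated as evidence of legitimacy.
    if parsed.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parsed.scheme!r}")
    if not host:
        warnings.append("link has no hostname")
        return warnings
    if is_ip_host(host):
        warnings.append(f"host is a bare IP address ({host})")
        return warnings
    if parsed.username is not None:
        # http://mybank.co.uk@evil.example/ : the text before '@' is userinfo, not the host.
        warnings.append(f"text before '@' is a username; the real host is {host}")

    domain = registrable_domain(host)
    if domain not in expected_domains:
        warnings.append(f"real domain is {domain}, not {sorted(expected_domains)}")
        # A brand name used as a subdomain or in the path is the classic lookalike trick.
        for expected in expected_domains:
            brand = expected.split(".")[0]
            if brand in host or brand in parsed.path.lower():
                warnings.append(f"'{brand}' appears in the address but is not its domain")
                break

    # Hover check: if the visible text is itself a URL, it should lead where it says.
    if display_text.startswith(("http://", "https://")):
        shown = urlparse(display_text).hostname or ""
        if shown and registrable_domain(shown) != domain:
            warnings.append(f"link text shows {shown} but points at {host}")
    return warnings


# Constructed sample links (href, visible text); not taken from any real campaign.
SAMPLE_LINKS = [
    ("https://www.mybank.co.uk/login", ""),
    ("https://mybank.co.uk.account-verify.example/login", "Verify your account"),
    ("http://192.0.2.10/secure", "Run security scan"),
    ("http://mybank.co.uk@evil.example/", "https://mybank.co.uk/"),
]
EXPECTED = {"mybank.co.uk"}  # assumption: the only domain this bank really uses


def scan_samples() -> dict:
    """Run check_link over the constructed samples, keyed by href."""
    return {href: check_link(href, EXPECTED, text) for href, text in SAMPLE_LINKS}


if __name__ == "__main__":
    for href, found in scan_samples().items():
        print(href, "->", found or "looks consistent")
```

Only the first sample passes cleanly; the lookalike subdomain, the bare IP address and the brand-before-'@' trick are each flagged, and the last one is also caught by the hover comparison because its visible text claims a different domain from its real destination.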
Finally, don’t publish sensitive or corporate information on social media. If there’s anything you think a hacker could use, then don’t post it and make sure that you’ve set privacy settings to control what others can see.
Vishing and smishing – phone and SMS scams that are ringing alarm bells
Another approach that criminals will use to steal your account details and passwords – especially, at this busy time of year – is to call or leave a voicemail and claim that they are from your bank or another organisation that you trust. As with phishing emails, they will adopt an urgent tone of voice – perhaps claiming that your account has been compromised – to spur you into action without giving you time to stop and think. They may try to get you to disclose your personal information over the phone or send you to a fraudulent website where you will be asked to resubmit your personal details.
Vishing fraudsters may use a false caller ID to hide their identity or mimic a caller ID or number that you recognise – for example, your bank or credit card company. If you don't respond to their initial attempt, they may leave an urgent voicemail, hoping to alarm you into reacting to the hoax call at a later time.
Of course, fraudsters may choose a different emotional response to exploit other than fear or urgency. They may instead try to provoke a sense of curiosity or excitement by telling you about a fantastic free offer, for instance, or informing you that you've been randomly selected in a prize draw and a package is waiting for you to claim. All you need to do is confirm your details to redeem your prize. It's at this point that they will try to persuade you to reveal personal information that they can use to access your credit card or bank account.
If you suspect that a call is a hoax and want to check its authenticity, hang up and contact the organisation on a number you have found yourself, for example from the back of your bank card or its official website, never on a number the caller gives you. Use a different phone if you can. If you must use the same landline, wait at least ten minutes, or first ring someone you know and make sure you hear them answer: on some landline networks a caller can keep the line open by not hanging up, so you may think you are talking to a legitimate representative when, in fact, you are still talking to the vishing fraudster or an accomplice.
Smishing is a variation on phishing where text (SMS) messages are used instead of email to trick the recipient into clicking a malicious link, which typically leads to a fake login page or prompts them to install an app that contains malware. The sender name can be spoofed, so a scam text may even appear in the same conversation thread as genuine messages from your bank or a delivery company. Never reply to these messages and never follow their links. Ignore them and delete them; in the UK you can also forward a suspicious text to 7726 so that your mobile provider can investigate.
No one is immune from email fraud – so take precautions
The National Cyber Security Centre's website is an excellent place to start if you want to learn what steps you can take to avoid falling victim to a phishing email scam.
However, online security awareness may not be enough as cyber-criminals are continually evolving their phishing techniques to outwit and deceive us. So, it would be wise if you also considered getting Cyber Insurance.
Clear's specialists can help you put together a cyber-risk management programme that is supported by cyber-liability insurance.
To find out more, visit our Cyber Liability page.