Growing up in the 1970s, I was subjected to numerous public safety messages from the UK government on television aimed at keeping children safe. I have to be honest, I do miss "Charley" the ragged ginger moggy and David Prowse AKA "The Green Cross Code Man".

In homage and a nod to the 1970s public service announcements, here is my own version for a modern day threat we all need keeping safe from... Phishing Emails!

When you receive a suspicious email, the best defense is to STOP and take a breath. Don’t be compelled to immediately click a link or open the attachment.

One tactic often used by hackers is urgency. Psychologically, people react impulsively under pressure, which makes urgency an effective way for phishing emails to compel you to take action. Socially engineered attacks use authority figures known to the individual to solicit personal information, pressure you into making financial transactions or get you to download malware-infected documents.

Where you read your email can also affect how likely you are to react immediately without the same presence of mind. If you are out of the office and reading your emails on your mobile device, you may be less thorough and diligent in examining their validity or authenticity, as it is much harder to do on a small screen using your fingers and thumbs. This is why taking a moment to pause and plan your next action is vital.

Were you expecting this communication? Is it from somebody you know? Would that company request you to act or share your personal information in that way?

Phishing for sensitive information is a numbers game. Hundreds of thousands of emails are sent in the hope that a handful of recipients react. These are typically the types of emails you receive impersonating a bank, courier company, online streaming service or social media platform. They are not designed to fool everyone, but even a 0.1% response rate is massive.

In recent times, the visual design of these emails has significantly improved and some phishing emails look incredibly genuine, so you do have to be alert and vigilant. Similarly, the landing pages which you may be taken to appear more authentic and resemble the brands that they are trying to imitate.

With a more targeted email attack, hackers will take a more personal approach and will be looking to direct their email at a specific individual. This technique is known as spear phishing and is used to gain the trust of somebody within an organisation who is authorised to make decisions or financial transactions. The language and the composition of the email may be familiar to the recipient and may appear to come from a more trusted source such as a company director, line manager or supplier. Spear phishing attacks are commonly targeted at company secretaries, office managers, accounts departments and those who would act upon instruction.

Having taken the time to STOP and to THINK, you can now take precautionary action. These are things that need to become instinctive whenever you receive an email. If you remember to do these simple but effective checks then you will reduce the risk of becoming a victim of a phishing scam.

Are they who they say they are? Hover over the name: is the email from the right address? It is easy to masquerade as or impersonate another email address, but often when you check the actual address of the email it is not who they claim to be. Be aware that support-microsoft.com is different from support.microsoft.com, so look carefully at the domain name and make sure there are no hyphens or joined-up words which do not belong.

Were you expecting that invoice? Call your supplier and check they sent you an attachment. Spear phishing attacks can be planned over several months to mimic the timing and language of known associates or colleagues. Check that account numbers match previous payments, as a subtle change in bank details can be the only difference between genuine and fake emails.

Hover over the links to see where they go. If you are being asked to renew passwords or update payment card information, visit the company website directly rather than using a link, and log in there instead. It might seem obvious to many, but you will be surprised what people do in the heat of the moment, especially when in a rush or distracted with other tasks.
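The two checks above (is the sender's domain really the brand's domain, and does a link go where its text says it goes) can be automated on the defender's side. The following is an added example, not code from the original post; it uses only the Python standard library, takes the expected domain and a constructed sample HTML body as inputs, and treats a hyphenated look-alike such as support-microsoft.com or a joined-up domain such as microsoft.com.evil.example as a mismatch.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

def sender_check(header_from, expected):
    """Return (ok, actual_domain) for a From: header. ok is True only when the
    address domain is `expected` itself or a true subdomain of it, so
    support.microsoft.com passes while support-microsoft.com (hyphen) and
    microsoft.com.evil.example (joined-up words) fail."""
    _, addr = parseaddr(header_from)           # the display name is ignored
    domain = addr.rpartition("@")[2].strip().lower()
    ok = domain == expected or domain.endswith("." + expected)
    return ok, domain
class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(html):
    """Links whose visible text names one host but whose href points at
    another: exactly what hovering over the link would reveal."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if not shown:
            continue                           # plain wording, nothing to compare
        real = (urlparse(href).hostname or "").lower()
        if real != shown.group(1):
            found.append((text, real))
    return found
# Constructed sample body, not taken from a real message.
SAMPLE_HTML = """<p>Your account will be locked in 24 hours.</p>
<a href="https://login.support-microsoft.com/reset">https://www.microsoft.com/account</a>
<a href="https://www.microsoft.com/help">Help centre</a>"""
```

Running `deceptive_links(SAMPLE_HTML)` flags the first link only: its text shows www.microsoft.com while the href points at login.support-microsoft.com.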

Final Thoughts

If something looks suspicious, it usually is, so trust your instinct. If there is any element of doubt or uncertainty, delete it. If it is that urgent, the person or company will contact you another way.

Always… STOP, THINK before you ACT

One way to stay alert is to enrol in cyber awareness training or sign up to simulated phishing attacks to measure and test the vulnerability and susceptibility of your users. This is a safe environment in which users can be tested and measured, and appropriate training given to fill any gaps in their knowledge and understanding.
