We like to cover security basics here at Beaty Consultancy, and phishing was certainly on our list to cover. But after Dominic Raab’s (UK Secretary of State for Foreign Affairs) speech around cyber security yesterday (05/05/2020), we wanted to get the information out now. There’s no magic to phishing, and it’s easy to protect yourself if you know how. So: phishing, and how to protect yourself from it.
What is Phishing?
Even though it is spelled with a PH instead of an F, it is still pronounced the same as plain old fishing. That’s an example of the crazy jokes we IT folks get up to.
When you’re fishing, you put some bait on a line, and toss it into a pool of unsuspecting fish. There’s a good chance all the fish want what’s on the end of your hook. There’s also a good chance that the fish will be so focused on the delicious worm that they won’t see the bright shiny hook sticking through it. The fish gets greedy and scoffs the glistening brown wiggly worm, only to be yanked out of the water by the fisher.
I hope my mental picture of waterside antics helps you understand how this relates to cyber security. The bad actor sending out phishing emails casts out something that everyone receiving the email will want. They hope that the recipient is so taken in with the good thing on offer that they don’t stop to check anything.
How to Spot Phishing Emails
Email providers and system administrators are in a constant battle with the scammers, to try to keep their phishing emails out! If the bait never gets into the water, then all of us fish are happy and safe, right? But the scammers are super-motivated, so they try really hard, and some phishing emails do get through.
Look and Feel
Does the email you just received use the right logos and graphics for the company it purports to come from? Does it read as if it were from the real source? Look closely. Are the graphics the right ones, and are they of high quality, or are they wonky and blocky?
Your bank, credit card company and utility company all probably have pretty big marketing departments. They wouldn’t allow a communication to go out to customers unless it stuck rigidly to the company branding guidelines and message. Some scammers know this, and spend a long time crafting a message which is almost indistinguishable from the original. But most of them are not like that. Most are written by people for whom English is not their first language, and you should look out for that.
Calls To Action
In advertising, there will always be a call to action at the end of a piece of persuasive writing. It focuses the reader on what you want them to do next. Seriously, look at our other blog posts and check to see how many say “contact us today for…”
Check out the call to action in the suspicious email you just received. What is it they want you to do, and why might a bad actor want you to do that?
Let’s say the message says you have had a large deposit made into your PayPal account that you weren’t expecting. The temptation is to click the “Log In” link handily placed at the bottom of the email to go check it out, right? Why might an attacker want you to do that?
The link takes you to the attacker’s webpage which looks very much like the real PayPal. They hope you sign in with your username and password, which of course you are actually giving to the attacker’s website, not PayPal’s.
If anything in an email does raise your suspicion, but you do want to check your bank accounts etc., just in case, that’s fine. Just don’t follow any of the links in the email. Close the email, open up your web browser of choice, and go to the webpage you know you want. Make sure to spell it correctly, since a popular method attackers use is to buy a domain name very similar to a reputable one. Beaty Consultancy spelled with a zero instead of an ‘o’ looks a lot like the real URL in the small address bar of your browser if you’re not concentrating on it.
As I already said, don’t click the links in an email, but often if you hover over a link, the destination of that web link will appear at the bottom of your screen. Then you can ask the pertinent questions, like: why does the PayPal login link go to www.rickys-scam-website.com?
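The two checks described above (does the link go where its text says, and is the domain a look-alike of one you trust) can be automated. The following is an added example, not code from the original post or from Beaty Consultancy; the allowlist of trusted sites, the digit-for-letter substitution table and the sample email body are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist: the sites the reader actually uses.
TRUSTED = {"paypal.com", "beatyconsultancy.co.uk"}
# Digits commonly swapped in for look-alike letters in bogus domain names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Good enough for the constructed sample below; real mail needs an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def bare_host(host):
    """Lower-case a hostname and drop a leading 'www.' for comparison."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def domain_in_text(text):
    """Domain the link's visible text claims (e.g. 'www.paypal.com'), or None."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return bare_host(m.group(1)) if m else None

def check_links(html):
    """Return one warning per link whose real destination does not match its bait."""
    warnings = []
    for href, text in ANCHOR.findall(html):
        actual = bare_host(urlparse(href).hostname or "")
        claimed = domain_in_text(text.strip())
        lookalike = actual.translate(HOMOGLYPHS)
        if claimed and claimed != actual:        # what you see vs. where it goes
            warnings.append(f"text shows {claimed} but link goes to {actual}")
        elif actual not in TRUSTED and lookalike in TRUSTED:   # zero-for-o etc.
            warnings.append(f"{actual} is a look-alike of {lookalike}")
        elif actual not in TRUSTED:
            warnings.append(f"{actual} is unfamiliar; type the address yourself")
    return warnings

# Constructed sample (not a real message): one genuine link and three suspect ones.
SAMPLE_EMAIL = """<p>A deposit of 1,250 GBP is waiting in your PayPal account.</p>
<a href="http://www.rickys-scam-website.com/login">Log In</a>
<a href="https://beatyc0nsultancy.co.uk/">Our website</a>
<a href="http://paypal.com.verify-account.example/">www.paypal.com</a>
<a href="https://www.paypal.com/myaccount">https://www.paypal.com</a>"""

if __name__ == "__main__":
    for w in check_links(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Only the last link passes: its text and destination agree, and the destination is on the trusted list.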
Knowledge Is Power
The best strategy to defeat phishing emails is to just be aware of them. Now you know what to look out for, you’re halfway there! Phishing attacks don’t need to work on lots of people, they just need to work well on a few. Email campaigns cost very little to send out (and are often sent from hacked systems anyway), so an attacker can send millions out in the hope of just a few people falling prey to them. Don’t be one of the few.
And on the subject of knowledge – spreading that knowledge is the best weapon against phishing emails. If you receive one, report it here: https://www.gov.uk/government/news/reporting-a-phishing-email-scam
For more cyber-security hints and tips, check out our other security blog posts here: https://beatyconsultancy.co.uk/blog/category/security/