Data Security – Phishing

phishing

45% of phishing attacks are successful, according to Google’s December 2014 report.   Indeed, the infamous 2013 Target data breach was due to a successful spear phishing attack on one of the company’s suppliers. The reported cost to the business was a massive $162M plus additional expenses resulting from class action lawsuits and reputational damage.

Many data breaches are a direct result of the attacker using individuals or employees to access systems or data, and it’s worth noting that 58% of large organisations and a third of SMEs fall prey to staff-related data breaches (*UK 2014 Information Security Breaches Survey).

With that in mind, I thought it would be helpful to summarise some points to help recognise and deal with phishing emails.

What is phishing?

Phishing is a deceptive means of trying to acquire personal information such as your identity or data that you hold and access – for example your user name, passwords, credit card details, contact directories and so on.  Phishing is typically carried out by email or instant message, which may ask you to provide the data directly, or it may send you to a website or phone number where you will be asked to provide data.

Why Phishing Works

A phishing effort can be hard to recognise, particularly if it comes from a source that you are inclined to trust – for example a friend or colleague (who may have been phished themselves), or your bank, social media site, telephone provider etc.

  • Phishing emails are designed to look like real emails from real, sometimes large, reputable organisations.
  • They are likely to seem to come from an organisation or individual you know and would expect to hear from – for example your bank or building society, your insurer, a business with whom you are in regular contact, your social networking sites, an online auction site or even a friend whose email sits in your address book
  • They may look absolutely authentic, including using legitimate logos
  • They may well contain information that you would not expect a scammer to know – for example personal data (that they may, for example, have picked up from one of your social networking sites)
  • They may include links to websites which will require you to enter personal information – and that website may also look very similar to the legitimate website it is pretending to be.

How to spot a phishing email

There are ways to recognise and avoid being caught out by fraudulent emails or the links they contain.

  • Are you expecting the email you’ve just received? Any email which asks you for personal information or log in details or to verify your account must be treated with caution – most reputable companies will never ask for your personal details in an email
  • Don’t be pressured just because the email looks urgent
  • Beware of attachments – these may pretend to be an order summary or an invoice for immediate payment or a receipt or any manner of other things.  If you haven’t placed an order, or your bill is already paid, then be careful.   If in doubt, simply do not open the attachment.
  • Check the email’s spelling, grammar and formatting – if they’re not correct, treat the email as suspicious
  • Never respond to an email that asks you to update your credit card or payment details
  • Watch out for free giveaways with links to websites – it’s likely that such websites will attempt to embed a virus into your computer which allows them to  capture your keystrokes to get your login details or financial details such as your bank account

How to spot a phishing link?

Such links are likely to include all or part of the legitimate website address.

  • Be aware than any change to the legitimate address may lead to a false website – a spelling mistake, a missing letter – just one character’s difference can take you somewhere you just don’t want to go,
  • It is generally safer to go to the online website using your own bookmarks or by typing in the website address yourself
  • Where a website link is provided, it may be “masked” so that what you see will not take you where you expect.  Using your mouse to “hover” your cursor over the link may enable you to see the actual address – DO NOT CLICK ON ANY LINK unless or until you are completely certain it is the legitimate website

Protect against phishing

Being aware and understanding how to spot a potential phishing effort is helpful, but additional steps should be taken to protect your computer and system against such attacks.  There is no single solution – the best option is to adopt a multi-layered approach:

  • Good security software will help to prevent successful phishing by spotting “bad” links and blocking fake websites.
  • While not providing all-encompassing protection, anti-virus, anti-spyware and anti-malware applications should be used, and kept up-to-date. Ensure that at least two different supplier technologies are in operation.
  • Ensure that all firewall settings should be used and updated regularly to help prevent phishing and block attacks.
  • Subscribe to cyber-intelligence services which may be used to identify on-line threats, misrepresentations, or online fraud’s targeting brands – for example, RSA or Verisign
  • Ensure that applications and operating systems are up-to-date and fully patched

What to do if you have opened a phishing email

Just opening the email is unlikely to cause a problem.  However, it is helpful to report phishing emails:

  • To the ISP (internet service provider) that was used to send you the email so that ISP provider can close the sender’s email account
  • If “report spam” buttons are available, use them
  • Report the email to the legitimate organisation the sender is pretending to be
  • Delete the email from your device
  • Inform your IT department and / or your data protection / data compliance / data security officer
  • Report the phishing email to Action Fraud – the UK’s national fraud and internet crime reporting centre – at https://reportlite.actionfraud.police.uk/

What to do if you click on a phishing link

  • Immediately run a virus check on your computer whether or not you have provided any personal details
  • Change your password for organisation which the phisher is mimicking
  • If you use the same password for multiple accounts, you need to change all these passwords too
  • Notify the relevant financial organisation(s) if you have entered banking or credit card information
  • Inform your IT department and / or your data protection / data compliance / data security officer
  • Report the phishing email to Action Fraud at https://reportlite.actionfraud.police.uk/

As phishing attacks predominantly targeting end-users, it is a good idea to invest in a security education and awareness programme to raise the profile of risk.  It’s also helpful to include your clients in such a programme.

If you have any concerns about your organisation’s vulnerability to phishing attacks and you’d like a chat about staff training or prevention, just call 01787 277742 or email dc@datacompliant.co.uk

Data Compliant Services

Services at December 2014

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s