What is Phishing and How to protect against phishing

Gone Phishing – What is Phishing and How to Prevent it


Welcome to the first of our educational articles on Cyber Security. Over the next couple of months, we will look at how you can Manage your Online Risk, and we are going to start with Phishing.

What is Phishing?

Phishing is the use of e-mail to send users messages that pretend to come from social media sites, banks, online stores or even your own IT department. The messages try to exploit our trusting nature so that we reveal valuable information such as login credentials or bank account details.

Phishing, like social engineering generally, is used because it is usually easier to exploit a human being’s natural inclination to trust than it is to hack a computer directly.

Phishing attacks usually follow a theme to entice you into the scam. Common themes are:

  • The file attached to the e-mail is of use to you.
  • The message is one you have been waiting for.
  • Your help is needed.
  • You are a winner.
  • There is a problem with your account and you need to verify some security information.

We have probably all seen an influx of e-mails like this in our inboxes over the last year, and the way they are written and presented is getting better and better.

These types of e-mail may also have hidden malicious code that is downloaded or installed when you click on the attached file or click the embedded weblink.

If you or your company are unlucky enough to be the victim of a phishing attack, the potential impact could be huge. For your company there could be regulatory or legal fines, loss of reputation, loss of client confidence or even loss of market position.

On a personal level it could result in identity theft, embarrassment, financial loss (which is not always covered by banks or credit card providers) or even disciplinary action if it is proven that your negligence caused the incident.

How to protect against phishing threats

So how do we defend against this? At a business level, most companies have some form of e-mail gateway screening that reviews incoming mail and removes or holds e-mails that look like spam or contain malicious code (hosted systems such as Office 365 have this built in). These gateways can be fairly basic, and depending on how deeply you wish to inspect your e-mail you might go for an external mail filtering service such as Mimecast or similar.

Modern anti-virus products also contain advanced system monitors that can stop harmful programs running on your PC, but we cannot rely on technology alone to provide the solution. As end users we play a huge role in keeping ourselves and our data safe, so here are some simple steps we can take to avoid becoming part of these statistics:

  1. Whilst this may not seem related to phishing, using strong passwords, and a different password for each of your online accounts, is key. That way, if you are compromised it will only be one account, and not a whole host of accounts, that the hackers have access to.
  2. Verify the identity of callers or senders of messages that ask you to do something. This might mean calling the number listed on their website rather than the one in the e-mail you received, or checking that the domain name looks right – john.smith@yourhacked.co.uk looks a lot like john.smith@your.hacked.co.uk (see the extra full stop?).
  3. Report suspicious e-mails or calls to your IT Department or IT Security Team. They would much prefer you to report something that turns out to be legitimate than not to check and potentially infect the network.
  4. Look at the language used. Is that how your boss or that person usually talks to you in a mail? Are the grammar, spelling and punctuation right? Pay particular attention to e-mails that convey a sense of urgency or high pressure, or that ask for security credentials or the transfer of money.
  5. Look at the layout and content of the e-mail. Do the logos look correct? Is everything aligned? Check the details, such as contact details and addresses: are they correct?
  6. And most importantly, never reveal sensitive or personal information to anyone over the phone or by e-mail.
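The domain check in step 2 can be automated for an inbound mail filter or a report-triage script. The following is an added example, not code from the article or from CEME; the allow-list and the sender addresses are constructed for illustration. It classifies the domain part of a sender address as trusted, a subdomain, a look-alike (the "extra full stop" trick, the trusted name used as a prefix of another domain, or a one-character substitution) or simply unknown.

```python
import re
from typing import NamedTuple

# Constructed allow-list for this example; a real check would load the
# organisation's own domains.
TRUSTED_DOMAINS = ("yourcompany.co.uk",)

ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


class Verdict(NamedTuple):
    domain: str
    status: str   # trusted | subdomain | lookalike | unknown | invalid
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character swaps such as 0 for o."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(addr: str, trusted=TRUSTED_DOMAINS) -> Verdict:
    """Classify the domain part of a From: address against the allow-list."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        return Verdict("", "invalid", "address does not parse")
    domain = m.group(1).lower().rstrip(".")
    for t in trusted:
        if domain == t:
            return Verdict(domain, "trusted", "exact match to allow-list")
        if domain.endswith("." + t):
            return Verdict(domain, "subdomain", f"subdomain of {t}; confirm it is expected")
    # Look-alike checks compare the names with the dots removed, so that
    # your.company.co.uk and yourcompany.co.uk are seen as the same letters.
    squashed = domain.replace(".", "")
    for t in trusted:
        ts = t.replace(".", "")
        if domain.startswith(t + "."):
            return Verdict(domain, "lookalike", f"starts with {t} but ends in another domain")
        if squashed == ts:
            return Verdict(domain, "lookalike", f"same letters as {t} with a dot moved")
        if edit_distance(squashed, ts) <= 1:
            return Verdict(domain, "lookalike", f"one character away from {t}")
    return Verdict(domain, "unknown", "not on the allow-list")
```

Anything returned as "lookalike" is worth routing to the IT Security Team for review rather than to the user's inbox.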

Following basic steps like these can make a real difference and helps you stay cyber aware: once you have spotted these signs for the first time, it becomes easier to see them time and time again.

Next month we will look at Social Engineering, but if you want to talk more about this month’s subject feel free to contact the CEME IT Team.

As usual, here are a few links that you might find interesting:

LinkedIn’s 1.2B Data-Scrape Victims Already Being Targeted by Attackers
Brits have lost over £1bn to fraud so far this year
16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines
DuckDuckGo launches privacy-focused @duck.com email forwarding

Stay Vigilant and stay safe.

Chris George,

Head of IT, CEME