The vast majority of cyber breaches within small organisations are due to some form of social engineering, with phishing the most common and well known variant on the theme. The basic idea behind phishing is that the criminal will pretend to be a trusted organisation in order to solicit private information from the victim, or to trick them into clicking on a link to download some nasties.
Anyone with an email account is likely familiar with phishing emails. Indeed, if you are anything like us you receive many per day. But, therein lies a danger – familiarity breads overconfidence. That some phishing emails are ‘obvious’ does not mean that all of them are. And it is clear that most people simply don’t appreciate how sophisticated phishing attacks can be. Some phishing attacks are basically impossible to spot. So, nobody is immune from falling for them.
This problem may well be exasperated by the way we train people to spot phishing attacks. The National Cyber Security Security guidance follows the conventional path in pointing out ways to spot a phishing email – poor grammar, not addressed personally, too good to be true etc. This is fine advice to weed out most phishing emails. But the criminals are not dumb: if grammar is a problem then they can easily fix it; if your name is needed then they can find it, indeed it is often sitting there in the email address; if they need the sender to look genuine then they comprise someone else’s account. The criminals evolve their tactics. Indeed, it is in the criminals interests to send out ‘obvious’ phishing emails so that we are blissfully complacent when the ‘professional’ one arrives at our inbox late on Friday afternoon.
So, how do you spot a professional phishing email? In all likelihood you cannot. Instead you need to be skeptical of any and all emails. You need to have a good anti-malware. And, perhaps most importantly you can follow the advice to Take Five. A critical component of this advice is Challenge. Ring up a colleague or organisation to verify they sent the email, or are requesting funds etc. This may seem burdensome, but a little bit of effort can stop a whole lot of trouble.