Official definition of phishing
The word “phishing” is a portmanteau of “fishing” and “phreak”, which is itself a portmanteau of “phone” and “freak” and historically designates people who elaborated phone calling tricks to avoid paying charges during the twentieth century.
The National Cyber Security Centre defines phishing as follows: “Phishing is when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware, or direct them to a dodgy website. [...] it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like the theft of sensitive data.”
The three components that qualify a cyberattack as “phishing” are:
- the fact that the attack is carried out on telecommunications networks: emails, but also phone calls, social networks or texts;
- the hacker pretends to be a trustworthy third party: a recurring contact or a reliable organisation, such as your bank;
- It targets the theft of sensitive information: personal data such as your social security number, bank account data or your credit card.
What does a phishing email look like?
Protecting yourself well from cyber attacks first of all implies knowing how to recognise them. A phishing attempt can take various forms. You could receive a call from your bank, a message on social networks, a text message, an email.
Those messages might seem to come from a recently visited ecommerce site, your phone company, public service, or your energy company. In any case, the hacker is using the logos you already know to gain your trust.
What are the most common phishing messages?
Usually, phishing scams are based on two main types of content:
- You are accused of being late in settling a sum of money, a delayed invoice for instance, and you are threatened with financial penalties or legal action;
- You are led to believe that there was an error in your favor, which grants you the right to a refund.
There are also other trends in phishing emails:
- Payment order failure: the message indicates a billing problem regarding a recent purchase. It links to a fraudulent page that asks you to fill your banking information in a form.
- The gift: the email lures you into believing you are the winner of a contest, or the lucky recipient of an exceptional offer. However, this requires your providing certain data;
- Unpaid taxes, or any other threat that emanates from a public service and takes advantage of your fear of the authorities to coerce you into paying.
- The plea for help, in which the hacker poses as a relative in a difficult situation requiring financial help. Those attacks can also be carried out via telephone scams or "vishing".
- Tax refund: a technique widely used by phishers during tax reporting periods, which of course always involves communicating them banking information.
- A message from “the bank” alerts you to suspicious activity, and invites you to confirm your personal information.
- Any email that urges you to act out of panic and to disclose personal and sensitive information.
How to spot a phishing attempt?
Fortunately, a phishing attempt can be identified through a few criteria which are recurrent in this kind of emails:
1 / The offer seems too tempting, or the demand too urgent. Public services always leave several opportunities for their users to regularise their procedures, no need to pay urgently.
2 / The object of the email is rather vague, or is the same as your email address username. Also, on some occasions, the message is not directly addressed to the recipient.
3 / Spelling, grammar or syntax errors.
4 / Shortened or misspelled links, due to spoofing of legitimate websites. So mouse over the links to check them, without ever clicking on them.
5 / Attachments you were not expecting.
6 / Any request concerning the confirmation or communication of your personal data and sensitive information.
7 / A request issued by a company that is not one of your suppliers, or which you have no specific interaction with.
8 / An unusual website address (domain name), you must always check the address of the organisation that is supposed to contact you.
Finally, what is the difference between spam and phishing? The distinction between spam and phishing emails lies in the intent of the senders. Spammers flood with unwanted advertisements, but without any other harmful consequence. Phishers, on the other hand, use fraudulent techniques to steal sensitive data from you.
Who are the main victims of phishing attempts?
In France a 2020 study conducted by the Experts Club on Digital and Information Security (CESIN) found that phishing constitutes the most frequent way of carrying out the cyber attacks CISOs from French corporate companies have to deal with.
All companies are therefore directly concerned by fraud attempts, be they SMEs or large groups listed on the stock exchange.
However, large groups are better prepared for them than SMEs. The latter ones tend to think they are less targeted than the former ones, and as a result, suffer attacks more often.
The European Union Agency for Cybersecurity (ENISA) indeed reports that 70% of European SMEs use basic security controls only. Furthermore, phishing constitutes the most common method of cyberattack for these companies (41% of the reported incidents).
Additionally, European banking information is often targeted by cybercriminals, a known breach is via European PSD2 regulation which often constitutes a good way in.
What are the negative outcomes of a phishing cyberattack?
Phishing mainly jeopardises the security of confidential data of a company, as well as its finances:
- the majority of phishing attempts result in theft of identity and/or funds;
- many phishing scams also support corporate espionage;
- some of them pave the way for bigger cyber crimes such as ransomware attacks, where a ransom is demanded in exchange for retrieving data that has been held hostage.
From a legal perspective, phishing falls under different types of offenses:
- Identity fraud, under the Fraud Act, the sentence may be between 2 and 7 years imprisonment;
- Breaking the Data Protection Act, is punishable by a fine of up to 500.000 GBP;
- Online fraud, which can lead to a sentence of five years imprisonment and a fine of 5000 GBP;
- counterfeiting and forgery (fraudulent means of payment): fine and imprisonment;
- counterfeiting of trademarks in messages: fine and imprisonment.
Transform how you model, measure, and manage cyber risk.
Don't wait for the inevitable cyber incident. Build a resilient, risk-based cybersecurity program with CRQ.
How is phishing done?
Regardless of the medium, the phishing process remains the same. It is about conveying a message that relies on social engineering to convince the victim to click on a link or an attachment. The end goal is gaining access to their personal data. This strategy is based on different media, but fortunately you can learn how to recognise the various techniques that might be used.
What are the different media for phishing?
Phishers most often send emails, but it is not their only means to get to you:
- Phishing emails urge you to click on malicious links or infected attachments.
- Voice phishing, or "vishing", means the criminal is trying to obtain personal information about you over the phone.
- Spoofed sites are copies of legitimate websites. They enable the hackers to collect connection data in order to reuse it on other accounts.
- Skimming involves phishing by text message, you are invited to click on a link or download an application which carries malware.
Social media phishing involves hacking into your accounts to send malicious links to your contacts. This method also relies on creating fake user accounts. This type of phishing particularly affects companies for which “social engineering” is key to business. In this case, phishers collect information about the company to plan their future cyber attacks better.
There are also phishing attempts through Linkedin accounts. Hackers send links to their victims, who provide their usernames and passwords. The criminals then use it to take control of the Linkedin account and send fraudulent messages to their contacts.
What are the phishing main tricks?
As detailed above, hackers use different methods to pass as reliable interlocutors. When they target companies, they use more specific methods:
- Deceptive phishing means impersonating a company in the same industry, allegedly interested in a collaboration;
- CEO fraud is, impersonating the head of the company or a high-ranking manager The attack aims at obtaining banking data or confidential information;
- Whaling consists in targeting the most important personalities of a company. This type of attack makes it possible to recover the necessary information to carry out a “fake president fraud”;
- The “Google Docs” - or any other similar cloud service - phishing consists in displaying spoof cloud interfaces to get login data from your employees and then access online-stored files;
- Clone phishing means the hackers copy your legitimate emails in order to send them to your legitimate contacts but with illegitimate new links.
Among the phishing attacks that everyone has been talking about, one may remark that databases of partner hotels of Booking.com are particularly affected. The users of this website all had been the target of fraudulent attacks via Whatsapp or text messages.
Much has also been said about the phishing attack experienced by Target stores in 2013. It had resulted in a data breach for 110 million consumers. That event has had a lasting impact on the reputation of this American brand.
How can you defend your company against phishing?
The first step in protecting your business from phishing scams is to train your employees on the communication situations they should be wary of. You should also invest in the right anti-phishing software. Once an attack has been carried out, however, there are a few good practices that can help mitigate negative consequences.
Preventive measures against phishing attempts
Here are some essential preventive measures against phishing attempts, you may want to communicate them to your staff:
- Never provide sensitive data by email or with your phone. Administrations do not ask for bank details or passwords by email or text message. If a company contacts you, immediately make sure of what their intentions are by taking the initiative of the communication.
- Mouse over email links to check the validity of displayed URLs. If necessary, visit the legitimate website yourself and compare its URL to the links displayed on the suspicious email;
- Use complex passwords, different for each account, renew these passwords regularly;
- Whenever it is possible, activate double authentication and check the dates and times of the last connections.
- Beware of pop-up windows, or use a pop-up blocker. When those display, always click on the usual cross that closes the window, and not on the large highlighted one ;
- Display your emails in plain text: a trick that allows you to reveal concealed images, and doing so, to have a visual on any fraud attempt.
How should you deal with phishing emails?
If the above recommendations lead your employees to spot one or more phishing attempts during their professional activities, here are a few steps you should follow:
- Have Cloudphish Antiphishing Extension or any other anti-phishing web browser extension installed on your company’s computers ;
- In the event of a phishing alert, simply click on the extension's button to report the message. Certain messaging providers, such as Outlook, already provide for this type of report mechanism.
- You could also contact the spoofed company to warn them about hackers counterfeiting their brand for fraudulent purposes;
- Delete the phishing emails.
How should you react when you are the victim of a phishing attack?
In the event of a successful phishing cyber attack, by which hackers have obtained confidential data or money from you:
- contact your bank to object to possible fraudulent withdrawals;
- keep the evidence, particularly the illegitimate message;
- call your cybersecurity crisis management team ;
- file a complaint with the police station or any other competent authority;
- report messages to Google via your anti-phishing extension;
- change the passwords and usernames of all of your online accounts;
- contact your cybersecurity provider for further guidance.
In the case of bank phishing, will your business be compensated for its financial losses? The courts do not have a universal decision on that matter. The possible compensation depends on the appearance of the fraudulent message: indeed, considering whether the email looked illegitimate, whether the demanded amount of money was delusional, or whether the request seemed illogical, your behavior could be deemed negligent or not .
This is what happened in a legal case between Crédit Mutuel Nord Europe and one of its clients. The local jurisdiction had recognised the fraud, arguing that the hackers had stolen her bank details. The highest French court (Cour de Cassation) preferred to agree with the bank, suspecting the client of gross negligence in handling her bank details.
What is phishing and how to spot it?
Phishing is a form of cyber attack that grants the hacker access to confidential data: personal file or banking credentials. The hacker usually resorts to emails, text messages, or phone calls, pretending to be a legitimate interlocutor.
How can I know if I am being the victim of a phishing attempt?
If you come across a questionable email, mouse over the URLs to make sure they correspond to legitimate websites. If in doubt, end the communication (text, call, email) and contact the official sender yourself to make sure that it is indeed a message on their behalf.
What should I do with a phishing email?
You can report spam and other phishing emails to Google via certain extensions.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.