Phishing: How to protect yourself from a phishing attack?
Corporate phishing attempts are becoming more and more sophisticated, threatening the integrity of sensitive data. Here is all you need to know to make sure you are well protected!
“Phishing” remains one of the most frequent methods of cyberattack. It represents one of the main cybersecurity challenges for companies, as the modus operandi for stealing personal information or corporate funds has been perfected over time.
In order to protect your organisation properly, it is necessary to go beyond the popular image of the phishing email: a poorly written message with grotesque promises. Hackers have been improving their medium and technique, which makes their phishing attempts more and more difficult to spot. It is important to know these techniques in order to train your employees and limit the risks.

Official definition of phishing
The word “phishing” is a portmanteau of “fishing” and “phreak”, which is itself a portmanteau of “phone” and “freak” and historically designates the people who, during the twentieth century, devised tricks on the telephone network to avoid paying call charges.
The National Cyber Security Centre defines phishing as follows: “Phishing is when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware, or direct them to a dodgy website. [...] it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like the theft of sensitive data.”
The three components that qualify a cyberattack as “phishing” are:
- the attack is carried out over telecommunications networks: emails, but also phone calls, social networks or text messages;
- the hacker pretends to be a trustworthy third party: a recurring contact or a reliable organisation, such as your bank;
- it targets the theft of sensitive information: personal data such as your social security number, bank account details or credit card number.
What does a phishing email look like?
Protecting yourself well from cyberattacks first of all implies knowing how to recognise them. A phishing attempt can take various forms: a call from “your bank”, a message on social networks, a text message or an email.
Those messages might seem to come from a recently visited e-commerce site, your phone company, a public service or your energy company. In any case, the hacker is using logos you already know in order to gain your trust.
What are the most common phishing messages?
Usually, phishing scams are based on two main types of content:
- You are accused of being late in settling a sum of money, a delayed invoice for instance, and you are threatened with financial penalties or legal action;
- You are led to believe that there was an error in your favor, which grants you the right to a refund.
There are also other trends in phishing emails:
- Payment failure: the message indicates a billing problem regarding a recent purchase. It links to a fraudulent page that asks you to enter your banking details in a form;
- The gift: the email lures you into believing you are the winner of a contest, or the lucky recipient of an exceptional offer. Claiming it, however, requires you to provide certain data;
- Unpaid taxes, or any other threat that appears to emanate from a public service and takes advantage of your fear of the authorities to coerce you into paying;
- The plea for help, in which the hacker poses as a relative in a difficult situation requiring financial help. These attacks can also be carried out by telephone scams, or “vishing”;
- Tax refund: a technique widely used by phishers during tax reporting periods, which of course always involves sending them your banking details;
- A message from “the bank” alerting you to suspicious activity and inviting you to confirm your personal information;
- Any email that urges you to act out of panic and to disclose personal and sensitive information.
How to spot a phishing attempt?
Fortunately, a phishing attempt can be identified through a few criteria that recur in this kind of email:
1 / The offer seems too tempting, or the demand too urgent. Public services always leave their users several opportunities to regularise their situation; there is never any need to pay urgently.
2 / The subject of the email is rather vague, or is the same as the username part of your email address. On some occasions, the message is also not directly addressed to the recipient.
3 / Spelling, grammar or syntax errors.
4 / Shortened or misspelled links, due to the spoofing of legitimate websites. Mouse over the links to check where they really lead, without ever clicking on them.
5 / Attachments you were not expecting.
6 / Any request to confirm or communicate your personal data and sensitive information.
7 / A request issued by a company that is not one of your suppliers, or with which you have no specific interaction.
8 / An unusual website address (domain name): always check the address of the organisation that is supposed to be contacting you.
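Criteria 4 and 8, together with the mouse-over check, can be automated for an HTML email body. The following script is an added example, not part of the original article: it collects the links of a message and flags shortened links, link text that shows a different site than the real destination, and domains that merely contain the name of a trusted organisation. The shortener list, the trusted domain `example-bank.com` and the sample email are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for this example; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TRUSTED_DOMAINS = {"example-bank.com"}   # organisations that legitimately contact you

def registrable(host):
    """Crude registrable-domain guess: the last two labels (does not handle e.g. .co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []   # links: (href, visible text)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return (href, reason) for every link that matches one of the criteria above."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reg = registrable(host)
        if reg in SHORTENERS:                                  # criterion 4: shortened link
            findings.append((href, "shortened link hides the real destination"))
        if text.startswith(("http://", "https://", "www.")):   # the mouse-over check
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != reg:
                findings.append((href, f"text shows {shown} but link goes to {host}"))
        for trusted in TRUSTED_DOMAINS:                        # criterion 8: look-alike domain
            brand = trusted.split(".")[0]
            if brand in host and reg != trusted:
                findings.append((href, f"look-alike of {trusted}"))
    return findings

# Constructed sample email body, written for this example.
SAMPLE_EMAIL = """<p>Your account has been suspended. Act now.</p>
<a href="http://example-bank.com.secure-login.net/verify">https://example-bank.com/login</a>
<a href="https://bit.ly/3abc">Download your invoice</a>
<a href="https://example-bank.com/help">Help centre</a>"""
```

Running `check_links(SAMPLE_EMAIL)` reports three findings: the first link both hides its real domain behind bank-looking text and contains the bank's name in a foreign domain, and the second is a shortener; the genuine help-centre link passes.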
Finally, what is the difference between spam and phishing? The distinction lies in the intent of the senders. Spammers flood you with unwanted advertisements, without any other harmful consequence. Phishers, on the other hand, use fraudulent techniques to steal sensitive data from you.
Who are the main victims of phishing attempts?
In France, a 2020 study conducted by the Experts Club on Digital and Information Security (CESIN) found that phishing is the most frequent vector of the cyberattacks that CISOs at French companies have to deal with.
All companies are therefore directly concerned by fraud attempts, be they SMEs or large groups listed on the stock exchange.
However, large groups are better prepared for them than SMEs. The latter tend to think they are less targeted than the former and, as a result, suffer attacks more often.
The European Union Agency for Cybersecurity (ENISA) indeed reports that 70% of European SMEs use only basic security controls. Furthermore, phishing is the most common method of cyberattack against these companies (41% of reported incidents).
Additionally, European banking information is often targeted by cybercriminals; a known angle of attack exploits the European PSD2 regulation, which often provides a way in.
What are the negative outcomes of a phishing cyberattack?
Phishing mainly jeopardises the security of a company's confidential data, as well as its finances:
- the majority of phishing attempts result in theft of identity and/or funds;
- many phishing scams also support corporate espionage;
- some of them pave the way for bigger cybercrimes such as ransomware attacks, where a ransom is demanded in exchange for retrieving data that has been held hostage.
From a legal perspective, phishing falls under several types of offence:
- identity fraud, under the Fraud Act: the sentence may be between 2 and 7 years' imprisonment;
- breaching the Data Protection Act: punishable by a fine of up to 500.000 GBP;
- online fraud: can lead to a sentence of five years' imprisonment and a fine of 5000 GBP;
- counterfeiting and forgery (fraudulent means of payment): fine and imprisonment;
- counterfeiting of trademarks in messages: fine and imprisonment.
What is phishing and how to spot it?
Phishing is a form of cyberattack that grants the hacker access to confidential data: personal files or banking credentials. The hacker usually resorts to emails, text messages or phone calls, pretending to be a legitimate interlocutor.
How can I know if I am the victim of a phishing attempt?
If you come across a questionable email, mouse over the URLs to make sure they correspond to legitimate websites. If in doubt, end the communication (text, call, email) and contact the official sender yourself to make sure that the message really was sent on their behalf.
Phishing: How to protect yourself from a phishing attack?
You can report spam and other phishing emails to Google via certain extensions.
