30% of recipients open phishing messages!!
Wow – 30% of recipients open phishing messages… and 12% open malicious attachments! With these stats, it’s no wonder that two-thirds of cyber threats can be traced to phishing attacks… but what is a phishing attack? Read on as we look into this:

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

This is direct from Wikipedia… but what does it mean? Well, phishing will often be in the form of an email, commonly sent from a third party but disguised as being from an internal employee or staff member. The initial email will often be something quick; a question to gain engagement:

> How much does the bank charges for Chaps Payment.
>
> Regards

These hackers are clever and research well. Often using social media, it doesn’t take long to build up a picture of the likely staff having these conversations. The message above will likely be from the CEO to the accounts department… messages this short from the CEO are often thought of as high priority and so warrant a quick response. Once engaged, the email chain will likely go back and forth but ultimately lead to a request for payment :

So, everything looks and sounds pretty genuine… So how are staff supposed to tell, or defend against it?
- Always check the sender’s email address carefully. We’ve seen emails that match very closely to the actual subject’s address… but never the same. Ultimately, the sender needs to receive a reply, so it cannot be identical.
- Check the language of the message: often the messages are short and abrupt. The hacker is after a quick response and does not want to engage in detailed dialogue. If this is not the same language that the proposed sender normally writes in, it should be investigated.
- Check for spelling: not always the case, but many of the emails we’ve seen have basic spelling and grammatical errors. This is often the case if English is not the hacker’s native language.
- Implement a ‘No bank details’ email policy. When money is involved and the payee is not known, it’s best to have a double verification – i.e. email and phone.
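The first check above (a sender address that is close to, but never identical with, the real one) is the one that can be partly automated on the mail gateway or in a mailbox rule. The following is an added example, not code from the original post: it takes the `From:` and optional `Reply-To:` headers of a message and flags a lookalike domain, an external address carrying the company name, a known staff member’s display name on a foreign address, and a `Reply-To` that differs from `From`. The domain `example-bank.com`, the staff directory `KNOWN_STAFF` and the sample headers are constructed for the example and are assumptions, not values from the article.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the staff
# display names (and true addresses) that a spoofed message would most
# plausibly borrow. In practice these come from the mail directory.
INTERNAL_DOMAIN = "example-bank.com"
KNOWN_STAFF = {"alice ceo": "alice@example-bank.com"}


def levenshtein(a, b):
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header, reply_to_header=""):
    """Return a list of human-readable findings for a message's sender headers.

    An empty list means none of the checks in the article's first bullet fired;
    it does not mean the message is safe (the double-verification policy still
    applies to any payment request).
    """
    findings = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Lookalike domain: very close to ours but not identical
    #    (the sender needs replies to reach them, so it can never be the same).
    if domain and domain != INTERNAL_DOMAIN:
        d = levenshtein(domain, INTERNAL_DOMAIN)
        if d <= 2:
            findings.append("lookalike domain %r (edit distance %d from %r)"
                            % (domain, d, INTERNAL_DOMAIN))
        elif INTERNAL_DOMAIN.split(".")[0] in domain:
            findings.append("external domain %r contains our name" % domain)

    # 2. Display name of a known colleague, but the address is not theirs.
    key = re.sub(r"\s+", " ", name.strip().lower())
    if key in KNOWN_STAFF and KNOWN_STAFF[key] != addr:
        findings.append("display name %r belongs to %s but address is %s"
                        % (name, KNOWN_STAFF[key], addr))

    # 3. Replies are steered to a different mailbox than the visible sender.
    _, reply_addr = parseaddr(reply_to_header)
    if reply_addr and reply_addr.lower() != addr:
        findings.append("Reply-To %s differs from From %s" % (reply_addr, addr))

    return findings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two that should be flagged.
    samples = [
        ("Alice CEO <alice@example-bank.com>", ""),
        ("Alice CEO <alice@examp1e-bank.com>", ""),
        ("Alice CEO <alice@gmail.com>", "Alice <ceo.alice@mail.example>"),
    ]
    for frm, reply_to in samples:
        print(frm, "->", check_sender(frm, reply_to) or "no findings")
```

A finding should route the message to a human (the accounts team or the helpdesk) rather than be acted on automatically; the edit-distance threshold of 2 is a starting point and will need tuning against your own domain length and legitimate partner domains.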