Phishing 101: Understanding the Basics

Most people have experienced a phishing attempt in one way or another. But what is it? This blog is going to take it back to basics and give you a one-stop refresher on what phishing is, and the many different forms it can take.


a guide to phishing

At its most basic level, phishing is a type of cybercrime where attackers attempt to deceive individuals into revealing sensitive information: this can be usernames, passwords, financial details, or any other confidential information. Whilst phishing is a type of fraud that has been around for a long time, its methods have evolved, and in today’s digital world phishing attempts have become increasingly sophisticated. Both individuals and businesses are frequent targets of phishing attacks, but the tactics used can vary. Some of the common types of phishing are explained below.


Email Phishing:


One of the most common forms of phishing, email phishing targets people in both their personal and working lives. Attackers send seemingly legitimate emails which appear to be from trusted sources, such as banks, online retailers, government agencies or business suppliers. These emails often contain urgent or alarming messages that urge the recipient to click on a link or open an attachment. The pretext could be resolving an issue, such as a blocked account or an expired password, or a supposedly positive reason, such as winning a competition or a prize.


Spear Phishing:


This type of phishing can be more sophisticated, as it is designed to target specific individuals or organisations. Attackers gather personal information about their targets, such as names, job titles, and interests, often from social media profiles or other public sources. By using this information, attackers can make their messages more personalised and harder to detect.


Smishing (SMS Phishing):


Smishing is a phishing attempt that happens via text message. These messages, whilst in a different format, will often contain malicious links or prompts to call or text a fake customer service number. As with email phishing, these texts will appear to come from a trusted source. This could be a government department such as HMRC, a courier service or an online retailer.


Vishing (Voice Phishing):


Vishing is phishing carried out by voice, usually over phone calls, where attackers impersonate legitimate organisations. These may include government agencies, banks, insurance companies, or telecommunications companies. The attackers may use high-pressure tactics or threats to push the recipient into complying and revealing sensitive information.


Social-Media Phishing:


Attackers use social media platforms such as Facebook, Instagram, LinkedIn, and Snapchat to reach potential victims. They may send friend requests or direct messages, or even hijack legitimate accounts to post malicious links. They may offer rewards, competition prizes, or fraudulent financial advice to try and trick you.


Business Email Compromise (BEC):


This type of phishing is targeted specifically at businesses. Attackers pose as high-ranking employees or executives within the company, sending emails to staff that appear legitimate. These are often directed at employees in finance or accounting departments, who have access to financial resources. Since the email may appear legitimate, these attacks can be harder to spot, so it is always important to confirm the request with the person through a channel other than the email itself before proceeding.


Whaling:


Whaling is a type of phishing that is specifically targeted at senior executives or high-ranking officials within a company. The attackers craft messages or emails that appear to come from a legitimate or trusted source, such as a business partner or regulatory body, asking for sensitive financial information or corporate data. In these attacks the stakes are higher, as the individual targeted has access to substantial company assets.


phishing

How can people protect themselves from phishing attempts?


To protect yourself from phishing attempts, one of the most important considerations is remaining vigilant and sceptical of any unsolicited or unexpected emails, phone calls, or messages, particularly if they ask for personal, sensitive, or financial information. Always carefully verify the source before clicking on any links or downloading attachments, and double check any URLs for legitimacy. If a link or download claims it will take you to your account, close the message and log in to the account by navigating to the website yourself instead. If a caller or message claims to be your bank, or another important company, end the contact and get in touch with the organisation directly using details you already hold. Use email filtering and security tools to catch malicious messages before they reach you, and stay wary of any contact that urges you to act quickly. These proactive steps will help you stay alert to phishing and avoid being caught off guard.


How can the ECRC support?


By joining the ECRC as a free member, your organisation will be supported in making the small changes that make the biggest difference when it comes to cyber resilience. Becoming a free member means you will receive the latest cyber resilience guidance via email, which will drip-feed you ways in which you can improve your cyber resilience without spending any money.


The ECRC website also contains several links to helpful National Cyber Security Centre (NCSC) resources, which are all free, up to date, and easy to use. Tools such as Exercise in a Box and the NCSC Cyber Action Plan are particularly useful for identifying areas where you could improve your cyber security. The NCSC also publishes many informative sector-specific guides, which will give you useful and detailed information.


If you would like more information about how the ECRC can help your organisation specifically, please book a chat with us today!


Reporting a live cyber-attack 24/7:


If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.


Reporting a cyber-attack which is not ongoing:


Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.


Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).


