Don’t take the bait: Recognise and Report Phishing
In this increasingly digital world, all of us need to stay aware of and protect ourselves, our families and organisations from various types of cybercrimes we’re subjected to.
It is Cybersecurity Awareness Month and Wanstor have joined this campaign with the Cybersecurity & Infrastructure Security Agency to raise awareness about cybersecurity practices in our daily lives and at work. We will be sharing best practices with you throughout the month.
In this blog, we’ll be talking about phishing, one of the cyber-attacks that people most easily fall prey to. The 2024 DCMS Cyber Security Breaches Survey reported that, of the organisations that reported any cyber-attack last year, 84% said it was the result of phishing.
What is Phishing?
Phishing is a form of social engineering and one of the most common cybercrimes. Modern technology and modes of communication make it easier for emails, phone calls and text messages to be falsified or spoofed.
An attacker will contact potential victims via email, phone, text message or other digital means, impersonating a legitimate person or institution, and attempt to obtain sensitive data to use to their own advantage.
There are typically three main purposes of phishing:
- Steal credentials: Links leading you to fake login pages for well-known websites (Google, Apple, Amazon). When details are entered, they are captured by criminals.
- Install malware: Delivered through malicious links or attachments.
- Ask users to take action: These emails might evade antivirus software detection since they don't contain any links or attachments. Typical actions often involve asking for sensitive information or requesting payments.
Recognising Phishing Attempts
As people become more aware of phishing attempts, the attempts made by attackers grow more sophisticated. But there are common signs of a phishing attempt:
- Urgent or emotionally appealing language: Attackers simulate urgency around a certain action being taken. For example, an email about a tax return not having been filed, or about updating personal details to avoid termination of an account, is designed to elicit an immediate response.
- Request for personal or sensitive information: Phishing attempts usually involve demands for sensitive information – whether it is financial information, PINs or passwords – for example, receiving an email from your bank claiming that someone has tried to access your account.
- Grammatical errors: Always check emails and messages for inconsistencies, spelling or grammatical errors, which could be a sign that they are not from a genuine source.
- Unusual attachments: Do not open attachments from unknown senders without first checking their authenticity.
- Untrusted URLs: Hover over a URL to determine its authenticity. Always search for suspicious links instead of clicking on them.
- Incorrect email addresses: Hover over email addresses to ascertain authenticity, especially if the email message conveys particular urgency, is urging you to break policy, or is unexpected.
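The signs above can be checked mechanically. The following is an added example (not code from the original post or from Wanstor) that runs a few of those checks over a constructed HTML message: an untrusted sender domain, urgent wording, a generic greeting, and a link whose visible text names one site while its real target is another, which is exactly what hovering over a link reveals. The allow-list of trusted domains and the sample message are assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email) showing the signs the post lists.
SAMPLE_SENDER = "security@paypa1-support.com"
SAMPLE_BODY = ('<p>Dear Customer, your account will be terminated within 24 hours. '
               'Click <a href="http://login.paypa1-support.com/verify">www.paypal.com/verify</a></p>')
TRUSTED_DOMAINS = {"paypal.com"}  # assumed allow-list of genuine sender domains
URGENCY_WORDS = ("immediately", "within 24 hours", "terminated", "suspended", "urgent")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Naive 'example.com' from 'login.example.com' (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(sender, body):
    """Return the red flags found; an empty list means none of the checks triggered."""
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if registered_domain(sender_domain) not in TRUSTED_DOMAINS:
        flags.append(f"untrusted sender domain: {sender_domain}")
    if any(w in body.lower() for w in URGENCY_WORDS):
        flags.append("urgent language")
    if "dear customer" in body.lower():
        flags.append("generic greeting")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        m = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())  # URL-like link text
        if m and registered_domain(m.group(1)) != registered_domain(href_host):
            flags.append(f"link text '{text}' actually points to {href_host}")
    return flags
```

Calling `phishing_indicators(SAMPLE_SENDER, SAMPLE_BODY)` returns four flags for the sample, while a plain statement notice from a trusted domain with no links returns none.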
Reporting Phishing
Why Reporting is Important
Reporting phishing attempts is important and can play a huge role in helping people identify and prevent phishing attacks. In addition to raising awareness, in a work context, if IT teams are kept informed of potential phishing attempts, then you can work together to rectify the situation. If no-one knows about it, nothing can be done.
How to Report Phishing
Most organisations have internal IT teams to whom you can report phishing emails. For any phishing attempts outside the workplace in the UK, you can use the following channels:
- Email Phishing: Forward the suspicious email to report@phishing.gov.uk. This service is run by the National Cyber Security Centre (NCSC) and helps to take down malicious websites.
- Text Message Phishing (Smishing): Forward the phishing text message to 7726 (which spells 'SPAM' on your keypad). This will alert your mobile provider to investigate and block the sender.
- Action Fraud: You can also report phishing attempts to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. Visit their website at actionfraud.police.uk or call them on 0300 123 2040.
- Your Bank or Service Provider: If the phishing attempt involves impersonating a bank or service provider, contact them directly using the contact information on their official website to report the incident.
If your IT team are kept informed of potential phishing attempts, you can work together to rectify potentially harmful situations.
Best Practices to Avoid Phishing
Phishing attacks can be quite deceptive, but there are several effective ways to protect yourself:
- Be Sceptical of Emails and Messages: Always be cautious of unsolicited emails, messages, or links, especially those asking for personal information or urgent actions.
- Check the Sender’s Email Address: Phishers often use email addresses that look similar to legitimate ones. Verify the sender’s email address carefully.
- Look for Red Flags: Poor grammar, spelling mistakes, and generic greetings like “Dear Customer” can be signs of phishing.
- Hover Over Links: Before clicking on any link, hover your mouse over it to see the actual URL. Ensure it matches the legitimate website.
- Use Multi-Factor Authentication (MFA): Enable MFA on your accounts to add an extra layer of security.
- Keep Software Updated: Regularly update your operating system, browser, and other software to protect against vulnerabilities.
- Educate Yourself and Others: Stay informed about the latest phishing tactics and share this knowledge with friends and family.
- Use Security Software: Install and maintain reputable antivirus and anti-phishing software.
- Verify Requests for Sensitive Information: If you receive a request for sensitive information, verify it by contacting the organisation directly using a known, trusted method.
- Report Suspicious Activity: If you suspect a phishing attempt, report it to your email provider, IT department, or relevant authorities.
In addition to these practical steps, in a corporate setting organisations can invest in security awareness training. This training is a great way to make teams more aware of attacks like social engineering and to teach other cyber security best practices. It may also incorporate phishing simulations.
Staying vigilant and informed is key to avoiding phishing scams. Have you encountered any suspicious emails or messages recently?
If you need some help with setting up security awareness training for users within your organisation, contact us.
Recognise and report phishing
Is the message you've received:
- Unexpected?
- Conveying an undue sense of urgency?
- Evoking a strong emotional reaction?
- Requesting access to data?