What is phishing?
Phishing is the use of emails, SMS messages, instant messages, phone calls or other communications that pretend to come from a reputable company or person in order to trick people into opening malicious links or files. The victim may end up revealing personal information such as passwords, credit card numbers and other sensitive data. Phishing is also used to deliver malware such as ransomware to computer systems, and in that scenario email and SMS are the most common delivery channels.
Social engineering
Social engineering is the technique behind this type of attack: it exploits human psychology to trick us into disclosing data or opening files that might infect our systems. Whole books have been written on ‘Tricking the Human’. Social engineering attacks manipulate, influence or deceive a victim so that they act before properly thinking it through. The goal is to gain control of a computer system or to steal personal, sensitive or financial information.
What are the consequences of a successful phishing attack?
- Monetary loss as a result of bogus payments to scammers;
- Reputational damage leading to loss of customers, resulting in loss of revenue;
- Civil actions from staff and/or customers following data breach, leading to monetary loss; and
- Inability to provide critical services to patients and customers when an attack such as ransomware is not stopped in time.
Types of phishing attacks
- Email: Scammers send emails that impersonate legitimate companies or businesses in an attempt to steal your information, or the information of your customers.
- Spear phishing: Similar to email phishing, but the message is targeted at a specific person and is more convincing because it uses details about them. For example, a message may appear to come from a work colleague or your boss, and may ask you to pay a supplier's outstanding invoice by clicking on a link, or to enter your banking credentials on a fake payment page.
- Clone phishing: Scammers replicate a genuine email that you have already received, but swap in a malicious link or attachment.
- Whaling: Scammers target high-ranking employees or executives in an attempt to gain access to sensitive data, or to get a payment or transfer approved.
- Pop-up phishing: Scammers use pop-up messages or banners to trick victims into clicking on links or installing malicious software. Scammers have been known to use fake “unsubscribe” buttons on spam or marketing mail to get people to click a malicious link.
Red Flags to look out for
- A message asking you to pay an invoice using supplied account details or by clicking on a link;
- A message asking for your PIN or access codes;
- A message asking for a PPSN or other sensitive identifier (medical card number, prescription number etc.) in order to avoid some invented consequence;
- A message requesting sensitive information (such as bank details), or details that the supposed sender should already have;
- A message asking you to share a one-time code that was issued to you alone;
- A message asking you to download an attachment;
- A message asking you to click a link or visit a website;
- A message asking you to fill out a form containing sensitive or personal information;
- The communication contains misspelt words or bad grammar;
- The communication is unsolicited or unexpected;
- A message asking for a personal address, Eircode or date of birth;
- A message trying to worry you or create a sense of urgency, for example “Immediate Action Required”;
- A message pressuring you to bypass or ignore company policy or procedure;
- The display name of the sender does not match the email address or domain it claims to come from (for example the name says one company but the address is name.surname@some-other-domain.com); or
- The message appears to come from an official source (such as your boss), but the email address or the logo does not look right.
Phishing email example
How to defuse a social engineering attack
Stop, pause, do not respond, ask for help.
How to avoid becoming a victim of phishing – the red flags
- If you receive an unexpected or suspicious email, look closely at the sender's email address, not just the display name. Does it look right?
- Look at the visuals. Has the scammer copied recognisable logos to trick you?
- Hover over a link before clicking. Does the address it actually points to belong to a website you recognise?
- Is your name on the correspondence, and is it spelt correctly?
- Is the salutation generic (“Dear Customer”) rather than addressed to you by name and title?
- Were you expecting this message?
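Several of the red flags in the two lists above (sender display name versus real address, link text versus the address a hover reveals, urgency wording, requests for codes or bank details) can be checked mechanically. The script below is an added example and is not part of the original page: it scores a constructed sample message against those checks. The trusted-domain set, the keyword lists and the sample email are all assumptions made up for the example, and the domain handling is a deliberately simple stand-in for a proper public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the recipient organisation actually uses for the supplier it trusts.
TRUSTED_DOMAINS = {"example.ie"}
# Assumption: wording that manufactures urgency, and items a genuine sender never needs by email.
URGENCY_PHRASES = ("immediate action required", "urgent", "within 24 hours", "account will be suspended")
SENSITIVE_REQUESTS = ("one-time code", "pin", "password", "bank credentials", "ppsn", "date of birth")

# Constructed sample, not a real message: the display name borrows the trusted company's name,
# the mailbox sits on a look-alike domain, and the visible link text differs from the real href.
SAMPLE_EMAIL = """From: "Accounts Payable - Example Ltd" <invoices@examp1e-billing.xyz>
To: finance@example.ie
Subject: Immediate Action Required: outstanding invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Please settle the invoice today via
<a href="http://login.examp1e-billing.xyz/pay">https://portal.example.ie/invoices</a>.</p>
<p>Enter your bank credentials and the one-time code we sent you.</p>
</body></html>
"""


class _BodyCollector(HTMLParser):
    """Collects the visible text and every (href, visible anchor text) pair from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.anchors = [], []
        self._href, self._anchor_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. A crude stand-in for a public-suffix lookup (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(from_header, trusted_domains):
    """Red flag: the display name borrows a trusted organisation's name but the address does not match."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain or registrable_domain(domain) in trusted_domains:
        return []
    return [f"sender name mentions '{org}' but address domain is {domain}"
            for org in (t.split(".")[0] for t in trusted_domains) if org in name.lower()]


def check_links(anchors):
    """Red flag: the visible link text names one site while the href goes to another (what hovering reveals)."""
    flags = []
    for href, text in anchors:
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            flags.append(f"link text shows {shown.group(1)} but points to {real_host}")
    return flags


def check_wording(subject, body_text):
    """Red flags: manufactured urgency and requests for secrets the sender should never need."""
    haystack = f"{subject}\n{body_text}".lower()

    def found(phrase):  # whole-word match so 'pin' does not fire on 'spinning'
        return re.search(rf"\b{re.escape(phrase)}\b", haystack)

    flags = [f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if found(p)]
    flags += [f"asks for sensitive item: '{p}'" for p in SENSITIVE_REQUESTS if found(p)]
    return flags


def analyse(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return every red flag found in a raw RFC 5322 message carrying a single HTML body."""
    msg = message_from_string(raw_message)
    body = _BodyCollector()
    body.feed(msg.get_payload())
    flags = check_sender(msg.get("From", ""), trusted_domains)
    flags += check_links(body.anchors)
    flags += check_wording(msg.get("Subject", ""), "".join(body.text))
    return flags


if __name__ == "__main__":
    for flag in analyse(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run against the sample, the script reports five flags: the borrowed company name on a look-alike domain, the link whose visible text and real target disagree, the urgent subject line, and the requests for a one-time code and bank credentials. A script like this is a triage aid for a mail gateway or a helpdesk, not a replacement for the “stop, pause, ask for help” rule: a well-crafted spear-phishing email from a compromised but genuine mailbox will pass every one of these checks.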
The way we beat these types of attack is with ongoing awareness training, which keeps us alert and reminds us what to look for when we receive an email or other communication. It is easy to become complacent and click a link because we recognise a logo and assume the message is legitimate. However, we always need to be careful, in the same way we would be careful about opening our front door to a stranger.
Cybersecurity is a shared responsibility: we all have a part to play in maintaining secure practices in our work environment. Remember, there is no shame in admitting that you clicked a link in an email you now suspect was phishing. The faster you alert someone, the faster measures can be taken to block any resulting attack.
Remember, do not click links or download documents from emails that you do not recognise. Never use links or contact details (such as phone numbers) from a suspect communication to verify its authenticity; look up the organisation's contact details independently instead.
If the content just does not seem right, trust your instincts.