03 Jun Phishing for a Scam – What to look out for with unsolicited emails
‘Before you click, step back and think, will this email trick, make me sink’?
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication (email).
The term ’phishing’ is ultimately a spin on the word fishing, mainly because criminals are dangling a fake ’lure’ (the email communication that looks legitimate, as well as the website that looks legitimate) hoping users will ’bite’ by providing the information the criminals have requested – such as credit card numbers, account numbers, passwords, usernames, and more.
In a world where cyber-crime is rife and only ever increasing, keeping ahead of the curve and protecting your staff and the devices which they use to carry out their work is a crucial aspect for any business.
In the past, putting an infected memory stick into your laptop or downloading a dodgy file from a website could cripple your device, or worse, spread to other devices and negatively impact your organisation’s network. These sorts of attacks were designed to disrupt your ability to work, by deleting, encrypting or preventing you from accessing your data. More recently however, attacks are not necessarily intended to wreak havoc, but instead, silently infiltrate your company and extract any information out which may be deemed valuable or sensitive to your mission. The latter predominantly relies on us …. Humans!
Social engineering has been one of the most effective and damaging form of attacks yet. And the worst part is that it is very simple. Social engineering exploits rely on the member of staff (or multiple members of staff) not being fully aware of the security of the device or services which they use, and therefore, to their untrained eye, they can simply hand over the information needed for an attacker to access the necessary platforms through which they can use to further dig into your business, contacts and data.
Social engineering comes in many forms, however, the most common is through the use of phishing emails. These emails can come from a single user who the member of staff knows, from a company that the member of staff deals with, or from an internal colleague who the member of staff works with on occasion …. except, it’s not actually them! Unfortunately, email has a very simple exploit, which if not managed properly, can allow anybody, no matter who they are, to impersonate (or spoof) another person. Again, without knowing where to look, you may have no idea that the person who’s email you just received, opened and actioned, is not actually them.
At Academia, we take the threat of scam emails very seriously and have a few parameters and rules in place to help safeguard our own private information, as well as offering resolute and expert advice to our own customers.
99% of hackers target computers via spam emails that have hidden code and feature the virus that can encrypt and lock your computer if opened. The idea is to stay vigilant and get all staff to understand the key threats – our 5-step guide is as follows:
- If you’re not expecting an email and don’t know the sender, be extremely wary and don’t double click any attachments if you don’t need to
- If something that’s supposed to be “official” (and email or web page) has grammatical errors or seems in any way not quite professional, don’t touch it
- If the sender’s email domain doesn’t look quite right (the domain isn’t one you know – such as academiastuff.com – or if it has Latinletters replaced with similar looking Cyrillic or other characters – such as academia), don’t trust it
- If in doubt, check with the sender – nobody is going to be annoyed with you double checking the origin of an email
- Wherever possible, utilise systems that don’t store files locally (e.g. Office365/OneDrive/SharePointonline only – not using the desktop sync agents - or apps such as Foldr which take network shared drives and put them in a browser, so your machine doesn’t look at the share directly)
Ultimately, ‘phishers’ cannot get to files that you only access via a browser to encrypt them. Therefore, worst case if you do become infected, you just wipe your machine and don’t lose any data.
It is essential that all your systems have the latest security patches installed and that backups are regularly taken. Consult your head of IT or your service operator if in doubt.
How can Academia help?
Academia have partnered with Sophos, a security first software and hardware company with over 30 years’ experience in IT security. Speak to us today to learn about the service we can offer your business or school on info@oldsite.academia.co.uk or call 01992 703 900
