Whether you think your business is too small or too big to be a target, don’t be fooled: phishing scams can affect businesses of any size, operating in any sector, and can have a devastating effect.
On this page, we cover everything you need to know about phishing scams, including:
- What is a phishing scam?
- How do phishing scams work?
- Different types of phishing scams
- Why phishing scams are dangerous
- How to recognise a phishing scam
- How to prevent phishing scams
- How to protect your business from phishing scams
- Cybersecurity awareness training
- Phishing scam resources
What is a Phishing Scam?
Phishing (pronounced the same as fishing) is a type of scam that tricks users into revealing personal information. Like real fishing, the attacker uses bait (in this case, an email or text message) to hook the victim. Typically, cybercriminals use phishing scams to steal passwords, bank details, telephone numbers and addresses.
Phishing is a type of social engineering attack: it relies on deceiving a person rather than exploiting a technical flaw. Because a phishing attack only succeeds when the user makes a mistake or takes a dangerous action, it’s important to understand how phishing scams work and how to spot them.
How Do Phishing Scams Work?
There are usually two parts to a phishing attack: a deceptive email or text, and a fake landing page. We explain how these work together in the next sub-section.
A Deceptive Email or Text
The phishing attack begins when the attacker sends an email or SMS to a mass of unsuspecting victims, posing as a trusted contact or reputable business.
Hackers will often spoof communications from Microsoft, Apple, Google or a bank.
Cybercriminals write these messages prompting users to urgently click on a link to log into their account.
A Fake Landing Page
The link will lead to a fake landing page, created to mimic the login page related to the email.
Once the user enters their details, those details are sent to the criminal and the user is typically redirected to the real website.
To the user, this simply looks like a failed login attempt, leaving them unaware of what has actually happened.
Varieties of Phishing Attacks
There are different types and terms for phishing scams, depending on how the cybercriminal targets their victim. These include:
Spear Phishing
A spear-phishing attack targets a particular user or group of users within an organisation, for example, system administrators.
Whaling
Very similar to spear phishing, whaling targets the ‘bigger mammals’ in a business, for example, the Managing Director, Head of Finance or Chief Operations Officer.
A successful whaling attack could lead to CEO fraud.
Smishing
Smishing is the practice of using SMS or text messages to conduct a phishing attack. During a smishing scam, users receive a text message pressurising them to click on a link included in the message.
Vishing
Vishing (or voice phishing) is when cybercriminals call users claiming to be from a reputable company in order to collect personal information.
It’s a very popular technique used by cybercriminals pretending to be from a bank, utility company or HMRC.
Quishing
Quishing is a fairly new type of phishing attack which tricks users into scanning a QR code that redirects to a malicious website, cutting out the need to send an email or SMS.
Why Are Phishing Scams Dangerous?
Successful phishing attacks enable cybercriminals to carry out more serious crimes, such as fraud, data theft and identity theft.
Exactly what they can do depends on what information they have obtained.
With the number of Microsoft 365 users now over 340 million, it’s common for opportunist hackers to pose as the US-based technology giant.
But why? With more businesses and organisations migrating to SharePoint and Outlook, Microsoft 365 accounts have become a goldmine for sensitive information.
Let’s consider what information a cybercriminal could have access to via a successful phishing attack:
- Internal and external communications
- Employee data (names, addresses, telephone numbers, ID)
- Customer information (billing details, emails, card information)
- Confidential company information (processes, financial documents, marketing plans)
With access to all of this information, a hacker is in the perfect position to use the data for their own gain.
The possibilities are endless, but here are a few things a cybercriminal could do.
- Sell company and customer information to a competitor
- Use the compromised email address to continue phishing more people
- Delete files and wipe databases
- Make fraudulent transactions with bank details
Any of the above can lead to serious implications for your business. From reputation damage and diminished customer confidence to a loss of trade and operational problems, this isn’t an ideal situation to be in.
Take, for example, the British Airways data breach.
How to Recognise a Phishing Scam
Although phishing scams can pose a serious threat to your business, they can be quite easy to spot (if you know what you’re looking for).
Phishing scam success relies on deception and human error, so it’s important to be aware of the characteristics of a phishing scam and how to recognise one.
Most phishing messages create a sense of urgency and contain a link. However, upon closer inspection, you will also likely see:
- Simple spelling and grammatical errors
- A greeting that isn’t personalised with your name (e.g. ‘Dear User’)
- A peculiar sender address or number (for example, an ‘official’ Microsoft email sent from a Gmail account)
- Mismatched colours or fonts
- Poor alignment
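The signs listed above can be checked mechanically as well as by eye. The following is an added example, not code from the original article or from Systemagic: a small Python script that reads a raw email and flags the indicators the list describes (a brand name in the display name that doesn’t match the sender’s domain, a Reply-To pointing elsewhere, a generic greeting, urgency wording, and links whose visible text points somewhere other than the real href). The brand list, keyword lists and both sample messages are constructed for illustration and would need tuning for your own organisation.

```python
"""Heuristic phishing-indicator check for a raw e-mail (added example, stdlib only)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for illustration; tune them for your own organisation.
BRANDS = ("microsoft", "office 365", "apple", "google", "paypal", "hmrc")
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear valued customer", "dear account holder")


class _Links(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.pairs = []
        self._href = None   # None means "not inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'registrable domain': last two labels (login.microsoftonline.com -> microsoftonline.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> str:
    """Hostname if the link text is written as a URL or bare domain, else ''."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    return host if "." in host else ""


def phishing_indicators(raw: bytes) -> list:
    """Return short tags for every indicator found; an empty list means nothing looked odd."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []

    # Sender checks: brand claimed in the display name vs the actual address domain.
    display, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    claimed = [b for b in BRANDS if b in display.lower()]
    if claimed and not any(b.replace(" ", "") in from_domain for b in claimed):
        found.append("brand-in-display-name-not-in-sender-domain")
    if claimed and registrable(from_domain) in FREEMAIL:
        found.append("brand-sent-from-freemail")

    # Replies routed to a different domain than the one the mail came from.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply_to and registrable(reply_to.rsplit("@", 1)[-1]) != registrable(from_domain):
        found.append("reply-to-domain-differs")

    # Body wording: generic greeting and urgency language (subject counts too).
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    lowered = content.lower()
    subject = str(msg.get("Subject", "")).lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        found.append("generic-greeting")
    if any(u in lowered or u in subject for u in URGENCY):
        found.append("urgency-language")

    # Links: visible text says one host, href goes to another; brand used as a subdomain bait.
    if body is not None and body.get_content_type() == "text/html":
        parser = _Links()
        parser.feed(content)
        for text, href in parser.pairs:
            real = urlparse(href).hostname or ""
            shown = host_of(text)
            if shown and real and registrable(shown) != registrable(real):
                found.append("link-text-host-mismatch")
            brand_in_host = any(b.replace(" ", "") in real for b in BRANDS)
            brand_in_reg = any(b.replace(" ", "") in registrable(real) for b in BRANDS)
            if real and brand_in_host and not brand_in_reg:
                found.append("brand-as-subdomain")   # e.g. microsoft.com.login-verify-365.net
    return found


def is_suspicious(raw: bytes, threshold: int = 2) -> bool:
    """Two or more independent indicators is a reasonable 'treat as phishing' bar."""
    return len(set(phishing_indicators(raw))) >= threshold


# Constructed sample messages (not real mail).
SAMPLE_PHISH = b"""From: Microsoft 365 Support <m365-support-team@gmail.com>
Reply-To: verify@m365-verify-login.net
To: finance@example.co.uk
Subject: URGENT: your mailbox will be suspended within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear User,</p>
<p>Unusual sign-in activity was detected. Verify your account immediately or it will be suspended.</p>
<p><a href="http://microsoft.com.login-verify-365.net/owa">https://login.microsoftonline.com</a></p>
</body></html>
"""

SAMPLE_CLEAN = b"""From: Jane Smith <jane.smith@example.co.uk>
To: finance@example.co.uk
Subject: Notes from today's meeting
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi Tom,

Attached are the notes. No action needed this week.

Jane
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

The checks are deliberately simple heuristics, so treat the output as a prompt to look closer rather than a verdict: a legitimate reminder from your own bank can still say “urgent”, and a well-crafted spear-phishing email may trip none of them. The link check is the one most worth keeping in mind when reading mail by hand: hover over a link and compare the real destination with the text shown.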
Many organisations, such as banks, publish guidance on what they will never ask for by telephone or email. It’s a good idea to familiarise yourself with your bank’s protocol, which could ultimately help you recognise a spoof communication.
Most banks follow the same rule and will never ask you for your PIN or full password.
As phishing scams create a sense of urgency and panic, many overlook some of the tell-tale signs of a phishing scam.
In the next section, we look at what you should do if you have received a phishing message.
What To Do If You Receive a Phishing Scam
Receiving a phishing message is harmless in itself; the danger starts when you interact with it, for example by downloading an attachment or clicking a link.
If you think you have received a suspicious email or message, there are a series of steps you should follow which we have outlined below:
- It goes without saying but don’t click on any links or download any attachments
- Do not reply to the email or text message
- Contact the sender via a different channel (for example, a phone number you already have, not one from the message) and ask if they sent it
- Let your IT support provider know
- Delete the email or text message
- Report the phishing scam
What to Do If You Fall Victim to a Phishing Scam
Some phishing scams can be extremely convincing and can fool anyone.
If you think you have fallen victim to a phishing scam, it’s important that you let your IT support know at once.
If you don’t have an IT support provider or department, you can follow these steps:
- If the scam involved money or your card details, call your bank and let them know
- Change the password on the affected account, and on any other account where you use the same (or a similar) password
- Sign out of all active sessions on the affected account(s)
- Enable 2-Factor Authentication on the affected account(s)
- Report the incident to the relevant authorities
How to Protect Yourself from a Phishing Attack
Although we can’t stop cybercriminals from sending phishing emails (as hard as we may try), there are steps we can take to protect ourselves from phishing scams.
As we have already mentioned, human error is the main reason for phishing scam success. However, a multi-layered approach centred around prevention, identification, protection and response can help prevent your business from becoming a victim.
- Review what information about your business is publicly available online, as attackers use it to make their messages convincing
- Use tools to filter and block phishing, such as web filtering
- Provide users with relevant training
- Define request processes that cannot be easily mimicked
- Create a culture where people can talk about cybersecurity
- Ensure 2-Factor Authentication is enabled on all of your accounts
- Use tools such as proxy servers to protect users from malicious websites
- Protect your devices from malware with antivirus software
- Create, refine and rehearse responses for different types of phishing attacks
- Encourage users to report suspicious activity immediately
As technology develops, it’s only likely that phishing attacks will become more sophisticated. So, it’s important that we remain aware of the latest phishing techniques and stay ahead of cybercriminals.
Remember, phishing attacks don’t discriminate and businesses of any size and sector could become a victim.
Our cybersecurity awareness training covers how to spot and manage a phishing attack in more detail, closing any knowledge gaps.
With bite-sized and interactive videos, we deliver tailored training to target each user’s unique vulnerabilities and weaknesses.
Take advantage of our Cybersecurity Awareness Training
Based in the South West of the UK, Systemagic provides business IT support, cybersecurity, cloud and connectivity solutions to SMEs and organisations.
As a Microsoft Gold Partner and Apple Specialist, we support businesses using Windows, macOS and Linux machines (or a hybrid of all).
With award-winning customer service, no long-term contracts and competitive ‘per user, per month’ pricing, over 350 businesses across the UK trust us with their IT.
If you’re looking to change your IT support provider, or want to consider outsourcing for the first time, we’d love to hear about your requirements and how we can help.
UK Bank Pages
Where to Report a Phishing Scam