Written by Syan Bateman

What is Phishing?

Phishing is one of the most common cyber security attacks – a type of social engineering used to gain access to your data without having to write a word of code! It can take the form of someone impersonating your company, voice phishing, or emails sent to staff. The messages may contain links that download malware, or requests for confidential information.

83% of data breaches come from phishing attacks, according to a gov.uk 2022 survey. 51% of businesses and 54% of charities have only experienced phishing attacks, so how do you protect yourself from them?

Mass vs Spear Phishing

First, it’s important to note the two main attack vectors of a phishing attack – mass phishing and spear phishing.

Mass phishing is a widespread attack, often impersonal, and focused on stealing personal data. It targets an individual’s assets, and is normally aimed at your clients or customers. These attacks often use generic messaging, so keep an eye out.

Spear phishing is a targeted attack, where the hacker impersonates a trusted source, and is focused on gaining fraudulent access. The message may come from a ‘squatted’ website name similar to the official one (such as g00gle instead of google), so check the URLs.
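
The URL check above can be automated over sender addresses and links. The Python below is an added example, not part of the original article; the allow-list, the swap table and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list of domains the organisation really uses (constructed).
OFFICIAL_DOMAINS = ("google.com", "bivika.com")

# Digit-for-letter swaps common in squatted names, e.g. g00gle for google.
SWAPS = str.maketrans("01357", "olest")


def hostname(value):
    """Return the host from a URL, an e-mail address or a bare domain."""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.rsplit("@", 1)[-1].rstrip(".")


def skeleton(host):
    """Collapse lookalike characters so g00gle.com and google.com compare equal."""
    return host.translate(SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, to catch one-letter typos such as gogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value):
    """Return (verdict, official domain): 'official', 'lookalike' or 'unknown'."""
    host = hostname(value)
    for official in OFFICIAL_DOMAINS:
        if host == official or host.endswith("." + official):
            return "official", official
    for official in OFFICIAL_DOMAINS:
        # Compare only the rightmost labels, so login.g00gle.com is still caught.
        tail = ".".join(host.split(".")[-(official.count(".") + 1):])
        if edit_distance(skeleton(tail), skeleton(official)) <= 1:
            return "lookalike", official
    return "unknown", None
```

A ‘lookalike’ result is a prompt to report the message for review rather than proof of an attack, since a legitimate domain can sit one letter away from an official one.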

How to tell?

When receiving a call or email, here’s a PHISH checklist to figure out whether or not to ignore it!

P – Promises

Does the message promise unbelievable things? If it looks too good to be true, it often is.

H – Harassment

Does the message aim to scare you, or to trick you into acting without thinking? Does it contain unexpected and/or specific information? The wording may be unnerving, or vaguely threatening.

I – Instincts

Does something feel wrong? Trust your instincts if they tell you to be suspicious.

S – Sense of urgency

Does the message insist you do something, right this second? By convincing you that the clock is ticking, the hope is that you’ll panic and make a mistake. This could be both in a threatening way (‘Your account will close in 48 hours’) or a promising one (‘Click now to win the grand prize’).

H – Hit delete

Report the message to your IT team and remove the temptation to engage with the message.

What to do?

Here are a few steps you can take to protect your organisation against phishing attacks.

  • Educate all staff members. Training sessions with mock phishing scenarios can be enlightening.
  • Use stringent email security and spam filters. These should block viruses and detect blank senders.
  • Develop a security policy, and ensure your cyber security is up-to-date.
  • Encrypt all sensitive company information.
  • Whenever you receive a link from a company, go to the official site directly before entering confidential details, rather than following the link in the email.
  • Never respond to emails requesting personal financial information.
  • Don’t click on suspicious image attachments – they can also contain malware.

If you need help developing an Information Security Policy, or to get help with training or next steps, Bivika is here to help. Feel free to get in touch via our contact form below, or email us at info@bivika.com now.

2 Responses

  1. Simply desire to say your article is as astonishing.

    The clarity to your put up is simply cool and that I could think you’re a professional in this subject. Well with your permission let me to snatch your feed to keep updated with approaching post.
    Thanks one million and please continue the gratifying work.

  2. It’s hard to find well-informed people in this particular topic, however, you seem like you know what you’re talking about!
    Thanks
