Welcome back to the world of phishing. In part one of this blog, we explored what phishing is, how it works, and the many different forms it can take. Make sure you read it [Click here] and get up to speed before continuing. Today, we’re going to look at how phishing can damage your business and how you can protect yourself.
How does phishing affect my business?
Phishing can significantly impact your business. In fact, the consequences can be catastrophic, from financial losses and data breaches to damage to your reputation and even closure. Phishing attacks can lead to the theft of sensitive data, including customer data, financial information, and intellectual property. This can also result in significant downtime and lost productivity.
To protect your business from phishing, you should implement security awareness training for your employees, use multi-factor authentication and strong passwords, and regularly monitor your accounts for unusual activity.
How to Protect Yourself
What to do when you receive a phishing email/suspicious message
If you receive a phishing email, the first thing you should do is not panic. You should also not click on any links or attachments in the email. Instead, if your spidey senses tell you something is off, trust yourself and ignore any requests made in the email.
Next, check if the links in the email are pointing to a legitimate website. Usually, if you hover your mouse over the link for around a second, it will reveal the much longer full link. If that isn’t possible, you could try right clicking and selecting the option “copy link“, then if you open any text editor, (even Word will do but preferably Notepad on Windows or Notes on Mac), then paste in the link. In a more sophisticated text editor such as Word, there is a bigger chance the link will be interpreted as a link and one of the following two situations might happen.
The first link will be displayed as text that was masking the link. For example, you would see “click here” instead of www.hsbc.co.uk/…. or the second you click on the text it might try to open it with your default browser and this is precisely what we are trying to avoid.
Therefore, a basic text editor like Notepad is preferable.
In a basic text editor, the link will be exposed as a long string. There you can clearly check if the link is real or a phishing attack.
Most of the time the link you will see will be very long, regardless of who sent it, whether it’s a financial institution or threat actor (an industry term for a type of cyber-criminal). The length of the link on its own does not tell us if it is a dangerous link or not. Both sides (thread actors and legitimate businesses) have their reasons for such long links although the reasons are different.
A real company will send you long links as they want to point you to specific content on their website, such as a single product rather than a group of products. A good example is if you use google.co.uk, or any other site, and search for something. Look at the address bar you will get something like this:
https://www.google.co.uk/search?q=find+me+a+gift&source=hp&ei=H4f_Y8eOKZCHhbIP1uucgAs&iflsig=AK50M_UAAAAAY_-VLzu6sbqZGLn00v268Upgj7ElRlOT&oq=find+me+a+&gs_lcp=Cgdnd3Mtd2l6EAMYADIFCAAQgAQyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDIFCAAQgAQ6EQguEIMBEMcBELEDENEDEIAEOgsILhCABBCxAxCDAToLCAAQgAQQsQMQgwE6CAgAEIAEELEDOggIABCxAxCDAToICC4QgAQQ1AI6EQguEIAEELEDEIMBEMcBENEDOg4ILhCABBCxAxDHARDRAzoFCC4QgAQ6CAguEIMBELEDOggILhCABBCxAzoLCC4QgAQQsQMQ1AI6CAguELEDEIAEUABYtQ5glxtoAHAAeACAAV2IAbMFkgECMTCYAQCgAQE&sclient=gws-wiz
As long as this link is, it is actually legitimate and shows a list of results for the query I typed “find me a gift”.
On the other hand, threat actors will use a similar-looking string that will lead you to malicious websites, so it’s important to be aware of what to look out for.
Warning signs: How to spot those?
First, read the suspected dangerous link slowly from the start and look for patterns.
If the link is referring to a website, it will start either with HTTP:// or HTTPS://. The only difference between those is that the one ending with the letter S is encrypted. S stands for Secure.
After this, you will most likely have “www” followed by the company name or company name without www. The acronym www stands for world wide web, and nowadays is frequently omitted.
Examples of legitimate websites:
https://www.Operum.Tech or https://Operum.Tech
https://www.Microsoft.com or https://Microsoft.com
After the extension in our examples above, we have used. Tech and .com We need to have “/” in the address. And this is a critical step. If the next character after the extension is any other than “/” it means you are looking at a Phishing website. Let me demonstrate this for you.
https://www.Microsoft.com_=hp&ei=H4f_Y8eOKZCHhbIP1uucgAs&iflsig=AK50M_UAAAAAY_-
The above link is NOT pointing to Microsoft’s website as the next character in the .com extension is “_” not “/”
Why does this matter?
“/” has a special meaning in the addresses, it means stop processing the address at this point because this is a full address.
In our real-life example in part one, we talked about postal addresses. This “/” would be the equivalent of the full postal addresses including house number and postcode. In other words, everything the postal worker needs to arrive at our doorstep. The postal worker doesn’t need any further information (such as deliver the letter to the kitchen and place it in the top drawer etc) because their job ends at the door just as a web address has “/” to signify the end of the address.
The long thread of additional characters after that point (such as in my Google search above) are not part of the address, but rather instructions and internal requests. In my case, for google.co.uk to recall search results for the term “find me a gift”?
However, cyber criminals and thread actors use this technique to impersonate the websites of reputable companies by praying on those who aren’t aware of what to look for in a legitimate address and who may not notice the absence of the “/” symbol. This is one of the classic phishing techniques where thread actors make the beginning of the address look exactly like its legitimate counterpart with its truth origins concealed in the latter section. The start of the address might look like HSBC’s website, for example, but once you see the whole link you will uncover something like this:
www.hsbc.co.uksdkasdkal.kdlaskdapoiop.poiopiopioasdwdajk.some.random.website.jp
At the start, you can see a part that contains the name of the bank www.hsbc.co.uk but because we are missing “/” this is NOT the end of the address, and the remaining random strings are NOT internal requests for the HSBC website to direct the user to a specific section on the website. In reality, they are a continuation of the address and will lead to a fake website. The above address contains several subdomains. Can you guess how many?
The answer is seven! Only after the extension .jp and “/” we could see the additional instructions. So, it is clear that this domain is one of the phishing sites. The next step if you decide to open the link is that you will be asked to enter your bank details and/or your social security alongside your email addresses. Be careful on mobile devices as their smaller screens make it much easier for criminals to hide vital details.
If you come across such a fake website, you should report the email to the organisation it is pretending to be from and delete the message from your inbox. If you’re worried that you might have disclosed your credentials, you should also change your password for that account and monitor your accounts for any unusual activity.
Let’s continue with a way to protect yourself from phishing
Turn On Multi-Factor Authentication or Two-Factor Authentication
Multi-factor authentication adds an extra layer of protection to your accounts by requiring a second form of identification, such as a code sent to your phone or a FaceID scan. This can make it much harder for attackers to gain access to your accounts. It means that even if they obtain your password and try to access your email, they will require an additional code which is only generated by the app on request or when you scan your biometric sensor.
Mandate Strong Passwords, With Regular Updates
Strong passwords are critical to protecting your accounts from phishing attacks. You should use complex passwords that include letters, numbers, and symbols, and avoid using the same password for multiple accounts. But to make it manageable, we recommend a password manager as it is not easy trying to remember 20 character-long passwords that look like part of the random string. A password manager makes it a lot easier although there is more to say about this subject, and I will expand on this in a future blog post.
Security Awareness Training
Security awareness training can help you and your employees recognize and avoid phishing attacks. This training can include information about how to identify phishing emails, how to verify the authenticity of a message and best practices for password security. By educating yourself and your employees on these topics, you can significantly reduce the risk of a successful phishing attack.
In addition to these steps, you should also:
- Be cautious of unsolicited messages, particularly if they ask for sensitive information, your personal details, and especially financial transfers.
- Verify any requests for transfers or sensitive information with the individual or organisation directly, using a separate means of communication.
- Check the URL of login pages to ensure they are the correct address for the website or service you are trying to access as I described above.
- Check and verify links in emails before you click on them. Simply hover your mouse over the link and try to see the full address.
- Use anti-virus software and keep it up to date to help detect and block phishing attacks.
- Enable Multi-factor authentication (MFA) on all your accounts and online services.
- Use a hardware key to further increase your security.
- Install Security Patches when they become available as security patches can mitigate many attacks.
- Report phishing websites if you come across one and inform the company that is being impersonated.
- Don’t fill out login forms without ensuring you are on a legitimate website as you could be on one of phishing websites.
Conclusion
In summary, phishing attacks are a serious threat to both individuals and businesses. By being aware of the distinct types of phishing scams and taking steps to protect yourself, you can significantly reduce the risk of falling victim to one of these attacks. Remember to always be cautious of unsolicited emails or messages, use multi-factor authentication and strong passwords, and regularly monitor your accounts for unusual activity. By following these best practices, you can stay safe and secure online. For more security advice, contact one of our friendly team today- click here! or subscribe to our newsletter for the latest news and updates directly to your inbox.
FAQs
Q: Who are the hackers?
A: Hackers, or as the industry calls them, Threat Actors, are criminals, usually located abroad. Currently, the hotspot of such activities is India.
Q: Why don’t spam filters stop spam?
A: Because spam is a very vague definition. If you don’t find interest in a subject that is covered by the email, then you could classify it as spam. This could cover a substantial number of emails, but it doesn’t mean they are phishing attempts. As such, even computer programs sometimes find it hard to determine what might be of interest to you.
Sign up below to join the Operum newsletter