Phishing

  • Phishing attempts are getting more dangerous

    A teacher at a school we support forwarded to us a suspicious email from a student’s parent. It was a phishing email with a link to a website that looked identical to the school’s, but the site was fake and requested the teacher’s username and password.

    Ultimately the hackers would be trying to get control of the school’s servers, get fake invoices paid, divert salary payments, install ransomware etc.

    We advised the teacher to delete the email, to advise the parent that their email had been hacked and to warn the other teachers.

    This was a school, but it could just as easily be a business, a charity etc.

    We offer security awareness training coupled with regular testing to improve your staff’s skills at recognising phishing attempts, and protecting your organisation from damage.

    Contact us to protect your business from phishing.

  • Spear phishing - how to protect your organization

    “Phishing” emails are fraudulent emails which attempt to get you to open a malicious website, program or document. They are sent to thousands of people at once, so they are usually common and generic. The senders are playing a numbers game and only need <0.1% of recipients to fall for it to make it profitable. “Spear phishing”, however, is targeted at a specific individual: the attacker will have invested significant time identifying and researching their target and tailoring their approach.

    A recent example one of our customers faced worked like this: the attacker was following the business on LinkedIn, waiting for a new employee to join. They then emailed the new employee from a free Gmail account they had created with a similar name to the CEO. The first email was a simple welcome to the business. Then came a couple of innocuous follow-ups before the real attack - “Please could you quickly purchase £500 in amazon vouchers and send them to me? I need to send them to Joe Bloggs as a reward for referring a new client and I don’t have my card on me...”

    It is crucial that cyber security awareness training is part of your new starter onboarding process. If you don’t have the budget for something more comprehensive, the UK government’s National Cyber Security Centre has some free training available.

    Even if new starters are not involved in financial transactions, include in their training your process for how a legitimate request like the one in the attack above would be made, such as “The CEO would email the request to the accounts team, and the accounts team would verify the request by calling the CEO back on the number they have on file.” Make sure they know that no one would ever be punished for insisting these procedures are followed.

    Share this post to spread the word and prevent attacks like this from succeeding.
