- Created: Monday, 18 January 2021
- Written by Paul Grigg
“Phishing” emails are fraudulent emails that try to trick you into opening a malicious website, program or document. They are sent to thousands of people at once, so the lure is usually something common and generic: the attacker is playing a numbers game and only needs <0.1% of recipients to fall for it to make it profitable. “Spear phishing”, however, is targeted at a specific individual; the attacker will have invested significant time identifying, researching and tailoring their approach to that target.
A recent example one of our customers faced worked like this: the attacker was following the business on LinkedIn, waiting for a new employee to join. They then emailed the new employee from a free Gmail account they had created with a name similar to the CEO’s. The first email was a simple welcome to the business. Then came a couple of innocuous follow-ups before the real attack: “Please could you quickly purchase £500 in Amazon vouchers and send them to me? I need to send them to Joe Bloggs as a reward for referring a new client and I don’t have my card on me...”
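The pattern above (an executive’s name in the display name, a free webmail address behind it, and a gift-card request in the body) is something a mail gateway or SOC rule can flag before the new starter ever sees it. The script below is an added example written for this post, not code from the customer or the author; the company domain, executive list, free-mail domain list and the two sample messages are all constructed for illustration.

```python
"""Flag inbound mail that impersonates a known executive from an external address.

Added example (not part of the original post). Organisation data below is
constructed: replace COMPANY_DOMAIN and EXECUTIVES with your own directory data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"                       # assumed internal domain
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}  # assumed executive directory
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Phrases typical of the voucher / gift-card stage of the attack.
REQUEST_PATTERNS = [r"\bvouchers?\b", r"\bgift ?cards?\b", r"\bquickly\b", r"\burgent(ly)?\b"]


def normalise_name(name):
    """Lower-case and strip punctuation so 'Jane Smith (CEO)' still matches 'jane smith'."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def analyse_message(raw):
    """Return a dict with the findings for one RFC 822 message and whether to flag it."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # 1. Display name matches an executive but the address is not theirs.
    norm = normalise_name(display)
    impersonation = any(name in norm and addr != real for name, real in EXECUTIVES.items())
    if impersonation:
        findings.append("display name matches an executive but address differs")

    # 2. Sender is on a free webmail domain rather than the company domain.
    freemail = domain in FREEMAIL_DOMAINS
    if freemail:
        findings.append("sent from a free webmail domain")

    # 3. Reply-To points somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append("Reply-To differs from From")

    # 4. Body contains the gift-card / urgency wording seen in the attack.
    request_hits = [p for p in REQUEST_PATTERNS if re.search(p, body, re.IGNORECASE)]
    if request_hits:
        findings.append("body contains purchase/urgency wording")

    # Impersonation alone is enough to flag; free-mail plus request wording is too.
    flagged = impersonation or (freemail and bool(request_hits))
    return {"from": addr, "flagged": flagged, "findings": findings}


# Constructed sample messages modelled on the incident described in the post.
SPOOF = """From: Jane Smith <jane.smith.ceo@gmail.com>
To: new.starter@example.co.uk
Subject: Quick favour

Please could you quickly purchase 500 in Amazon vouchers and send them to me?
"""

LEGIT = """From: Jane Smith <jane.smith@example.co.uk>
To: new.starter@example.co.uk
Subject: Welcome

Welcome to the team.
"""

if __name__ == "__main__":
    for sample in (SPOOF, LEGIT):
        print(analyse_message(sample))
```

In practice the executive list would come from your directory and the rule would run on the mail gateway; the point is that the impersonation check (name matches, address does not) fires on the very first “welcome” email, well before the voucher request arrives.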
It is crucial that cyber security awareness training is part of your new starter onboarding process. If you don’t have the budget for something more comprehensive, the UK government’s National Cyber Security Centre has some free training available here.
Even if the new starter is not involved in financial transactions, include your process for how a legitimate request like the one in the attack above would be made, such as “The CEO would email the request to the accounts team, and the accounts team would verify the request by calling the CEO back on the number they have on file.” Make sure they know that no one would ever be punished for insisting these procedures are followed.
Share this post to spread the word and prevent attacks like this from succeeding.