Do you and your staff know how to recognise a possible phishing attack?
Be careful – there are lots of dodgy characters out there!
If you are old enough, you may remember the early 1980s, when businesses in the UK were bombarded with telexes from Nigerian princes claiming they had fled oppression but needed access to a western bank to free up the wealth they had hidden away: the so-called 419 scam, named after the section of the Nigerian criminal code that covers fraud. All you had to do was reply with some personal or corporate information; they would come back with a very fair contract, and you then gave them the details of your personal or business bank account so that they could move their wealth through it. In return you would earn a healthy commission on the amounts passing through your account. Simple, and an easy way to earn money, except that as soon as you divulged any account details, they emptied your account, spirited the money away to an untraceable offshore account and left you or your business penniless.
These scams were well publicised at the time, so it is remarkable that thousands of gullible people and businesses (perhaps those desperate for a cash injection) fell for exactly the same scam again in the late 80s and early 90s, this time built around the hot new technology of the fax machine.
So that is twice we have put our hand up and asked to be robbed. Surely it couldn’t happen again? Well yes, it could, and this time there isn’t even the prospect of a big reward for the victims.
Now your gran and mum are online – can they spot a false friend’s so-called distress email?
I expect all of you will at some time have received an email from an organisation claiming to be one you know well, asking you to confirm information about you or your business. If you have, you have probably been on the receiving end of a hoax, spoof or phishing attack from one of the many unscrupulous groups prowling the web.
Sadly, thousands of internet and email users have fallen for the same trick in its third technological incarnation. Nearly 30 years on from the first Nigerian prince attacks, the thieves now employ a bewildering array of electronic messages designed to do one thing: strip you or your business of your wealth.
It seems crazy. If a stranger approached us in the street and asked for personal, financial or other details, nearly all of us would refuse point blank. The problem with email fraud is the small percentage of people who are drawn in by the thieves’ well-practised and convincing messages. Before offering some advice on how to avoid being stung by these schemes, we would like to offer you the chance to test whether you can spot a scam when it comes your way. Take a look at the following link, click on each example email, submit your answers and see how many you get wrong. It isn’t as easy as you think. https://survey.mailfrontier.com/survey/phishing_uk.html
So what might you expect to receive in your inbox? It might purport to come from your bank, building society, insurer or now even HMRC, and it is likely to ask you to confirm bank account details, passwords or dates of birth, or to review a problem transaction. The email may well encourage you to click a link or open an attachment, and the fraudster may well pressurise you by warning that failure to comply could result in financial penalties or suspension of your account. As you will have seen from the examples you have just looked at, the situation is made all the more difficult because these fraudulent emails carry apparently legitimate corporate identities and logos and what appear to be genuine web addresses; the visible text of a link can show a genuine-looking address while the link itself points somewhere else entirely.
Online Security and Protection – My advice is:
- DO NOT RESPOND to the sender. Instead, copy the address from which the message has been sent and paste it into a search engine. In all likelihood you will immediately find evidence that it is a scam, hoax, spoof or phishing site. Bear in mind that the sender address itself can be forged, so a clean search result is not proof that the message is genuine. Remember, unlike spam email, which is usually trying to sell you something, phishers have only one thing in mind: to steal something from you.
- THINK ABOUT IT – no organisation of which you are a member, or with which you are dealing, should ever ask you to divulge sensitive data by email (unless you initiated the transaction yourself in the normal course of business). If they need to update or check anything with you, they can write to you personally, as they always have done, and let you contact them at the usual address.
- ALWAYS BE SUSPICIOUS of any email asking for a response or for private or corporate information which does not begin with a personalised greeting (Dear Mr/Mrs and your name). If the senders are who they say they are, they already know your name and should use it when they write to you. If they don’t, they are likely to be thieves. The reverse does not hold: a message that does use your name is not therefore genuine, as the spear phishing described below shows.
- IF YOU ARE IN ANY DOUBT about a communication, call your local contact, representative or branch on the usual number (not one given in the email), speak to a named individual and ask them whether the message is genuine. For the price of a local phone call you could save yourself or your business a small fortune. Or you could call us FREE on 01225 745732 and we can help and advise you on all e-security matters.
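The warning signs listed above can be checked mechanically before anyone is asked to use their judgement. The script below is an added example written for this post; it is not code from the original page or from any product. It parses a raw email message and reports a display name that does not match the sending domain, a Reply-To that points at a different domain, links whose visible text shows one site while the link itself goes to another, a generic greeting, pressure language and requests to confirm passwords or account details. Both sample messages are constructed for the example, the domains in them are fictional, and the domain-splitting helper is a simplification noted in its comment.

```python
"""Heuristic scanner for common phishing indicators in a raw email message.

Added example for this post, not code from the original page. Sample
messages and domains below are constructed for the example.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETING = re.compile(
    r"\bdear\s+(customer|valued\s+customer|member|user|account\s+holder|sir\s*/?\s*madam)\b",
    re.IGNORECASE)
PRESSURE = re.compile(
    r"\b(within\s+\d+\s+(hours|days)|suspend(ed|sion)?|penalt(y|ies)|immediately|urgent(ly)?)\b",
    re.IGNORECASE)
CREDENTIAL_REQUEST = re.compile(
    r"\b(confirm|verify|update|re-?enter)\b[^.\n]{0,60}"
    r"\b(password|pin|date of birth|account (number|details)|sort code)\b",
    re.IGNORECASE)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def registered_domain(host):
    """Crude registrable domain: last two labels, or three for hosts such as
    bank.co.uk. An assumption for this example; real code should consult the
    public suffix list."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def address_domain(addr):
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_message(raw):
    """Return a list of (indicator, detail) pairs found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Display name claims an organisation whose name is absent from the sending domain.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = address_domain(from_addr)
    words = [w.lower() for w in re.findall(r"[a-z]{4,}", display_name, re.I)]
    if words and from_domain and not any(w in from_domain for w in words):
        findings.append(("sender-mismatch", f"'{display_name}' sent from {from_domain}"))

    # Replies silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and address_domain(reply_to) != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}"))

    text, html = "", ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()

    if html:
        # Visible link text shows one site, the href goes to another.
        collector = LinkCollector()
        collector.feed(html)
        for href, label in collector.links:
            if URL_LIKE.match(label):
                shown = urlparse(label if "://" in label else "http://" + label).hostname or ""
                actual = urlparse(href).hostname or ""
                if registered_domain(shown) != registered_domain(actual):
                    findings.append(("link-mismatch", f"shows {shown}, goes to {actual}"))
        text += re.sub(r"<[^>]+>", " ", html)  # plain-text view for the wording checks

    for code, pattern in (("generic-greeting", GENERIC_GREETING),
                          ("pressure", PRESSURE),
                          ("credential-request", CREDENTIAL_REQUEST)):
        match = pattern.search(text)
        if match:
            findings.append((code, match.group(0)))
    return findings


# Constructed sample: a phishing message showing every indicator at once.
PHISHING_SAMPLE = """\
From: Northbank Online Banking <alerts@secure-accounts-verify.example>
Reply-To: helpdesk@freemail.example
To: jane.smith@example.org
Subject: Action required: problem transaction on your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>We detected a problem transaction. Confirm your password and date of birth
within 24 hours or your account will be suspended and a penalty applied.</p>
<p><a href="http://northbank.example.secure-login.attacker.example/login">https://www.northbank.example/login</a></p>
</body></html>
"""

# Constructed sample: a genuine statement notice with none of the indicators.
GENUINE_SAMPLE = """\
From: Northbank Customer Services <service@northbank.example>
To: jane.smith@example.org
Subject: Your March statement is ready

Dear Ms Smith,

Your statement is now available. Log in at the usual address, or call the
number on the back of your card if you have any questions.
"""

if __name__ == "__main__":
    for code, detail in scan_message(PHISHING_SAMPLE):
        print(f"{code}: {detail}")
    print("genuine sample:", scan_message(GENUINE_SAMPLE) or "no indicators")
```

None of these checks is proof on its own: a forged From header can look perfectly consistent, and a spear-phishing message will use your real name. The value of running them is that a message which trips several at once is almost certainly not from who it claims, and that the link check catches the mismatch between visible text and real destination that the eye misses.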
The problem is getting worse, not better, so be vigilant. An even more targeted version of this financial and identity theft has grown up in the past few years and has become known as spear phishing. Here the fraudsters send emails only to employees of a targeted company or group. They send them to well-researched work email addresses, and the messages may look as though they have come straight from corporate management or the finance or IT department, asking for confirmation of your system password or user name.
It might look genuine, but if just one worker responds, they risk letting the thieves into the heart of the business, putting finances, customer records and personnel data at risk. Ultimately one hasty reply could put everyone’s livelihood at risk.
Don’t think it is only the ordinary rank and file who get caught out. Chief executives and chairmen are just as vulnerable. Take a look at the article from Information Week to see what we mean.
We will be tackling the subject of better theft prevention very soon in a separate blog, but for now our advice is clear and simple. NEVER respond with any sensitive information to someone or some entity that contacts you and doesn’t know your name, and ALWAYS check the authenticity of the organisation.
Perhaps if we can all spread the word by passing on this advice, we can begin to eradicate a form of theft which has developed over hundreds of years from sleight of hand on a street corner to a highly sophisticated electronic sting today.
If you would like to share any thoughts or experiences or ask for help in this area, do please contact us at firstname.lastname@example.org and take a look at the security section of this web page.