Phishing and its risks
26 October 2020
What is phishing?
Phishing is when cybercriminals attempt to trick you into giving away information. This usually happens via email, but a phishing message can also arrive by text message, phone call, letter, or social media.
The information they ask for might let them gain access to bank accounts, install malware, or steal data.
Typically the communication is ‘spoofed’ so that it appears to come from a genuine email address, and it may be branded to look as though it has come from a particular organisation.
What are the risks?
Phishing is often the gateway to other types of cyber fraud, such as ransomware or password harvesting. The communication may ask you to enter your credentials, click on a link, or install something.
According to Verizon’s latest Data Breach Investigations Report, 22% of data breaches involved phishing. In fact, phishing is the number one cause of data breaches.
Recently the Information Commissioner’s Office (ICO) fined British Airways £20 million for a breach which put in jeopardy the personal and financial information of 400,000+ customers.
The ICO’s investigation found that poor security arrangements in some of British Airways’ systems (e.g. card payments and login) allowed the cybercriminals to create a fraudulent site to which customers were directed. This is a form of phishing – the credentials customers entered on that site were then harvested by the fraudsters.
How is this different from whaling?
Phishing and whaling are quite similar, but the warning signs can differ.
Whaling is where the cybercriminal impersonates a senior member of staff and sends a communication under their guise. This is usually via a work email, but could come via text or even over the phone.
- Look closely at email addresses to check if anything looks unusual – are you sure you know who you’re talking to? Has it come from .co.uk instead of .gov.uk?
- If concerned about a phone call, ask the caller to give you a main switchboard number for you to be routed back to, or hang up and call them back using established contact details
- Look out for spelling and grammar mistakes, or any communications that look odd
- Never assume that something is safe because a colleague trusts the source
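As an added illustration of the email-address check in the first bullet (this is example code, not part of the original article), the Python snippet below applies two of those checks to a raw From: header automatically: it flags a sender domain that reuses the organisation's name under a different suffix (.co.uk in place of .gov.uk) and a display name that shows a trusted-looking address while the real sender is elsewhere. The expected domain example.gov.uk, the short suffix list and the sample headers are all constructed for the example.

```python
from email.utils import parseaddr
import re

# Constructed for this example: the domains this organisation legitimately sends mail from.
EXPECTED_DOMAINS = {"example.gov.uk"}

# Public suffixes under which the registrable domain has three labels (a small constructed subset).
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "nhs.uk"}

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def registrable_domain(host):
    """Reduce a host name to its registrable domain: mail.example.gov.uk -> example.gov.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(from_header):
    """Return warnings for a raw From: header value; an empty list means nothing looked unusual."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["From header contains no usable email address"]
    domain = registrable_domain(address.rsplit("@", 1)[1])
    if domain in EXPECTED_DOMAINS:
        return []
    warnings = []
    # Same organisation name under a different suffix, e.g. example.co.uk standing in for example.gov.uk.
    for expected in EXPECTED_DOMAINS:
        if domain.split(".")[0] == expected.split(".")[0]:
            warnings.append(f"{domain} resembles expected domain {expected} but the suffix differs")
    # Display name shows a trusted-looking address while the actual sender address is elsewhere.
    for shown in ADDRESS_RE.findall(display):
        if registrable_domain(shown.rsplit("@", 1)[1]) in EXPECTED_DOMAINS:
            warnings.append(f"display name shows {shown} but mail is actually from {address}")
    if not warnings:
        warnings.append(f"sender domain {domain} is not one the organisation uses")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one suffix swap, one display-name trick.
    for header in (
        "Finance Team <payments@mail.example.gov.uk>",
        "Finance Team <payments@example.co.uk>",
        '"director@example.gov.uk" <director.office@webmail-service.net>',
    ):
        print(header, "->", check_sender(header) or "no warnings")
```

Such a check supports, rather than replaces, the judgement in the bullets above: a sender that passes it can still be a compromised genuine account.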
For more information on cybersecurity, visit the National Cyber Security Centre