Blog Phishing – How to Recognize and Avoid Scams

What is phishing?

According to our friend Wikipedia (yes, I have made a donation) the concept of phishing dates back to the 1980s, with the term coming into common use during the 1990s, although the exact meaning of the “ph” remains open to debate.

In essence phishing involves sending a message to an unsuspecting person to try to trick them into taking an action that will give the attacker some form of advantage, whether that’s finding out their password, downloading some malware or stealing their money. The delivery method used to be exclusively email, but new forms of communication have opened up lots of opportunities for the attacker and now you could receive phishing messages via text, messaging apps, social media or phone.

Types of phishing

A classic phishing message is sent to a very wide and fairly random audience in the hope that even if a tiny percentage of the targets fall for it, it will give the attacker what they want. This may be likened to a real fisherman casting a large net into the sea.

If an attacker is more focussed in their targets, they may do what is termed “spear fishing”. This often involves sending messages to people within a particular organization, perhaps if that organization is considered a good potential ransomware target.

When it has to be a specific person that can give them what they want, an attacker will conduct “whaling”, where messages are only sent to that individual, often the CEO or perhaps a member of the finance team.

What’s in a phishing message?

The degree of care and attention that goes into crafting a phishing message will vary according to the type of phishing involved; so a spear phishing message will be more carefully designed than one which is sent to all and sundry.

But a phishing message will usually have the following characteristics:

• A sense of urgency – there will be a reason why you need to act soon (ideally without thinking); it could be that something is about to happen, or you’ll be missing out
• An action you need to take – this could be clicking a link, opening an attachment or phoning a number
• A lack of specifics – the attacker won’t usually have access to your personal information, so the message may be vague and not quote account numbers, addresses etc.

An example of a phishing scam  

The example below is a genuine phishing email taken from our mailbox in the last few days. It gives no personal information, it needs me to act fast or I will lose my five million dollars, and I need to reply with my details, presumably so that I can be contacted to be given further instructions.

Obviously, if it seems too good to be true, that’s because it is.

Tips to avoid being scammed

Examples such as the above are relatively easy to spot. The problem comes when a phishing email or message arrives just when you were expecting a genuine one. For example, if you’ve just ordered something from Amazon and an email arrives about package delivery (and you’re in a hurry) you’re much more likely to click the link than you would be normally.

Let’s not sugar coat the issue, spotting phishing messages can be hard, especially if the attacker has put some effort into making the message look relevant and genuine. Contacting the (supposed) sender using information not from the email is often the only sure-fire way to confirm a message’s authenticity.

So it comes down to being careful and aware and suspicious of every message you receive. Many organizations provide compulsory training courses in user awareness which aim to reduce the likelihood of users falling victim to phishing. These are a good idea, but they are really only one line of defence. Latest guidance from agencies such as the UK National Cyber Security Centre encourages a multi-layered approach to phishing.

Let’s go multi-layer

The first layer is to try to head off the phishing messages before they reach the user. Increasingly, standards such as DMARC (Domain-based Message Authentication, Reporting and Conformance – catchy title eh?) are becoming more widespread to confirm who sent the email, and reject it if that’s not possible, or the address is fake. Combine this with a good email anti-spam service and we have a good chance of taking down most phishing messages early and not having to ask the user to make difficult judgement calls.

If the phishing email gets through our defences, we’re then at layer two, relying on the user to spot it for what it is. Training and clear business processes will help with this.

Layer three tries to protect the organization if the user is duped and takes the action requested by the phishing email. This consists of blocking access to malicious websites, using effective anti-malware software on computers, patching devices regularly and using multifactor authentication (MFA) rather than passwords on their own.

At layer four we are monitoring for intrusions and breaches, reporting incidents internally and to external bodies, and managing incidents according to a well-defined and thought-through plan.

Final thoughts

Phishing is here to stay, and a total reliance on the user spotting fake messages is going to fail at some point. That’s not to say that training shouldn’t happen, but an organization needs to think through its defences, including designing business processes so that adequate checks are made at key points. As the number of communication tools increases, the opportunities for bad actors to gain an advantage multiply. Even the fledgling “Metaverse” has had its share of issues already, and these are likely to grow. Remember – don’t blame the user; help them.

More ISO27001 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources