Phishing

What is phishing?

Phishing is a type of cybercrime where an attacker pretends to be a trustworthy source in order to retrieve sensitive information from a victim, such as passwords, data or credit card numbers.

There are several ways a hacker can try to phish someone. Some examples include: via email, by phone (vishing = voice), or by text message (smishing = SMS).

This data is used for identity theft, spam, fraud or corporate espionage.

What kinds of phishing are there?

Phishing includes every attempt a hacker makes to steal sensitive data while impersonating a trustworthy source.

When we talk about phishing, we use it both as an umbrella term and to refer to phishing by email specifically.

When we use the term smishing, it refers to phishing by text message. It derives from the abbreviation for SMS phishing.

Vishing refers to phishing by phone. It is derived from voice phishing.

Spear phishing is targeted towards a specific person or group, as compared to mass phishing campaigns. For example: when someone tries to lure employees from a specific company into a trap using an email that impersonates a colleague.

Whaling is spear phishing targeted at a company’s decision makers, the ‘big fish’.

CEO fraud is phishing disguised as a message coming from your manager. Because of the sender’s apparent authority, people are more likely to walk into the trap.

There are other types as well, which are included and explained in the Phished Academy.

Why is phishing dangerous?

Phishing is one of the most dangerous forms of cybercrime because it cannot be detected by regular antivirus software. Phishing scammers do not need to infect your computer system with a virus to obtain sensitive information. All they need is a trusting employee who reveals the data unsuspectingly.

If your organisation experiences a phishing incident and that information reaches the media, the company’s brand image is immediately affected. Customers become concerned about the security of the personal data the company processes and lose confidence in the brand.

How do I recognise phishing?

It’s not as easy to recognise phishing as it used to be. Some general pointers:

Check the sender’s address: are there typos or irregularities there? Only trust addresses that are 100% correct. Otherwise, it’s probably a typosquatting attempt.

Check any hyperlinks by hovering over them: do they point to the website you would expect? If not, don’t click them.

Does the content or request fall outside the boundaries of what you might expect from this sender? Don’t engage with it, but alert IT.

Unsure? Always contact your IT department.
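The two mechanical checks above (a sender domain that is almost, but not quite, a trusted one, and a link whose visible text differs from where it actually points) can be automated. The following is an added example written for this page, not code from Phished; the trusted domain list, the sample messages and the edit-distance threshold of 2 are constructed assumptions, and a real deployment would draw the trusted list from the organisation's own mail configuration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation trusts (constructed example values, an assumption).
TRUSTED_DOMAINS = {"example.com"}

# Matches link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str, trusted) -> bool:
    return host in trusted or any(host.endswith("." + t) for t in trusted)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: bytes, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable warnings; an empty list means no red flags found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []

    # 1. Sender address: exact match against trusted domains, then look-alike check.
    dom = msg["from"].addresses[0].addr_spec.rsplit("@", 1)[-1].lower()
    if not is_trusted(dom, trusted):
        close = [t for t in trusted if 0 < edit_distance(dom, t) <= 2]
        if close:
            warnings.append(f"sender domain {dom!r} looks like trusted {close[0]!r} (possible typosquatting)")
        else:
            warnings.append(f"sender domain {dom!r} is not a trusted domain")

    # 2. Hyperlinks: does the visible text point where the href actually goes?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = (urlparse(href).hostname or "").lower()
            shown = ""
            if URL_LIKE.fullmatch(text):
                shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            if shown and shown != target:
                warnings.append(f"link text shows {shown!r} but points to {target!r}")
            elif target and not is_trusted(target, trusted):
                warnings.append(f"link points to untrusted host {target!r}")
    return warnings


# Constructed sample: look-alike sender domain and a mismatched link.
SUSPICIOUS = b"""From: "Example IT Support" <it-support@exarnple.com>
To: employee@example.com
Subject: Urgent: verify your password
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today.</p>
<p>Go to <a href="http://login.exarnple.com/reset">https://login.example.com/reset</a> now.</p>
</body></html>
"""

# Constructed sample: genuine sender, internal link.
CLEAN = b"""From: "Example IT Support" <it-support@example.com>
To: employee@example.com
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>Read it <a href="https://intranet.example.com/news">here</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, check_message(raw) or ["no warnings"])
```

The edit-distance check flags a domain within two edits of a trusted one (here `exarnple.com`, where `rn` imitates `m`); the link check only compares hosts when the visible anchor text itself looks like a URL, so ordinary "click here" text is judged by its target host alone.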

What do I do when I was phished?

General steps

Try to remain calm and inform your internal IT department about the attack. If the attack was a phishing email, you should report it as spam and send it to [email protected]. Have your computer, tablet or smartphone checked by your internal (or external) IT service.

For data

This step is applicable if you entered data during the attack: scan your system, change your password for the accounts involved and stay alert for possible misuse of the data involved.

For downloads

This step is applicable if you downloaded a file during the attack: don’t open the downloaded file and delete it immediately, disconnect your computer from any network (turn off your Wi-Fi or unplug your ethernet cable) and scan your entire system.