To defend your organisation from phishing attacks, user education is critical.
Phishing has been reported to account for over 90% of data breaches in the last year, with one survey putting the proportion of UK businesses compromised at 91%, so it remains the biggest single threat to organisations and individuals alike. Despite how much we think we know about these scams, threat actors constantly evolve their tactics, adapting their lures to current news and trends.
Raising awareness and training users to recognise and report phishing attempts has become one of the most effective ways to prevent these scams and limit their consequences; research suggests that training staff can reduce the risk by up to 80%.
What is Phishing?
Phishing is a form of social engineering attack, usually aimed at obtaining personal and financial information such as login credentials and bank details. It arrives through the tools we use every day: email (phishing), text messages (smishing) and phone calls (vishing). Most phishing messages claim to come from a reputable company in order to gain the victim's trust, with the aim of harvesting personal details that can be sold on the dark web or used for further fraud.
Cybercriminals play on users' fears, curiosity and insecurities to get them to click links they believe are trustworthy.
A recent and topical example: fraudsters have been exploiting the cost-of-living crisis with phishing emails that claim to come from the energy regulator Ofgem and offer the recipient a rebate payment. With rising gas and electricity costs affecting everyone, recipients are likely to respond quickly and hand over bank details and personal information.
How to Recognise Phishing
The domain name is misspelt
If an email claims to be from an official company such as Amazon but is sent from an unrelated domain like @hotmail.co.uk, there is a high chance it is a scam. Also watch for misspellings in the domain itself: scammers make subtle changes that are easy to miss, for example amazonn.com. Bear in mind that the From address is trivially forged, so a correctly spelt domain is not proof that a message is genuine; receiving mail systems verify the sending domain with SPF, DKIM and DMARC, and a failing result recorded in the Authentication-Results header is a stronger signal than the spelling.
Emails requesting login credentials, payment info or sensitive data
Treat any email from an unrecognised address that requests sensitive data with caution. Phishing exploits human error rather than a technical vulnerability: the attacker impersonates a familiar person or reputable organisation and encourages the user to click a fraudulent link to a malicious website, where they are tricked into entering personal, payment or login information.
The email is poorly written
Poor spelling and grammar are a common sign of a phishing attempt. Genuine, professional organisations proofread and spellcheck their communications, so mistakes may indicate a scam, whether because the text was translated from another language or because the wording was deliberately varied to evade spam filters.
It includes suspicious attachments or links
Open links and attachments with caution unless you are confident the email is from a legitimate sender. If your organisation shares work files through collaboration tools such as Dropbox or SharePoint, an unexpected attachment arriving by email is itself a warning sign, especially if it has an extension commonly used to deliver malware such as .zip, .scr or .exe (note that Windows hides known extensions by default, so a file named invoice.pdf.exe is displayed as invoice.pdf). A link you are urged to click may contain all or part of a real company's name yet still lead to a fake site, so hover over it and compare the real destination with the text shown.
The message creates a sense of urgency
Attackers create a sense of urgency so that the recipient acts in the heat of the moment, without time to notice that something is wrong. Phrases to look out for include "Verify Your Account", "If you don't respond, your account will be closed", "Dear Valued Customer" and "Urgent Action Required". Messages that press you to respond immediately should not be trusted.
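The indicators above can be checked mechanically before a human triages a reported message. The following Python script is an added example, not code from the original article or from Krome: it parses a raw email with the standard library, compares the sender domain and link targets against a short list of known brand domains (the brand list, the phrase lists and both sample messages are constructed for this example), reads the receiving server's Authentication-Results header for SPF, DKIM and DMARC failures, flags links whose visible text names a different domain from the href, scans for urgency and credential-request wording, and flags risky attachment extensions.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands this organisation expects mail from, and the domains they genuinely send from.
KNOWN_BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}, "ofgem": {"ofgem.gov.uk"}}
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js", ".vbs", ".lnk", ".iso", ".html"}
URGENCY_PHRASES = ("verify your account", "urgent action required",
                   "account will be closed", "dear valued customer")
SENSITIVE_PHRASES = ("password", "bank details", "card number", "sort code", "login details")
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TEXT_URL_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def edit_distance(a, b):
    """Levenshtein distance: one or two edits away from a real domain is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_genuine(domain, legit):
    return domain in legit or any(domain.endswith("." + d) for d in legit)

def impersonated_brand(domain):
    """Brand a domain appears to imitate (brand name embedded, or within two edits), else None."""
    for brand, legit in KNOWN_BRAND_DOMAINS.items():
        if is_genuine(domain, legit):
            return None
        if brand in domain or any(edit_distance(domain, d) <= 2 for d in legit):
            return brand
    return None

def analyse(raw):
    """Return human-readable findings for one raw message; an empty list means no indicator fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # 1. Sender: typo-squatted domain, or a brand in the display name that the domain does not back up.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand = impersonated_brand(sender_dom)
    if brand:
        findings.append(f"sender domain {sender_dom!r} imitates {brand}")
    else:
        for name, legit in KNOWN_BRAND_DOMAINS.items():
            if name in display.lower() and not is_genuine(sender_dom, legit):
                findings.append(f"display name {display!r} claims {name} but mail is from {sender_dom!r}")
    # 2. Authentication-Results stamped by the receiving server (RFC 8601); a failure outranks spelling.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in ("fail", "softfail", "permerror"):
            findings.append(f"{mech} result is {m.group(1)}")
    # 3. Body: link text naming one domain while the href goes to another, then the wording itself.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for href, text in HREF_RE.findall(body):
        href_dom = urlparse(href).hostname or ""
        m = TEXT_URL_RE.match(re.sub(r"<[^>]+>", "", text).strip())
        if m and m.group(1).lower() != href_dom:
            findings.append(f"link text shows {m.group(1).lower()!r} but points to {href_dom!r}")
        brand = impersonated_brand(href_dom)
        if brand:
            findings.append(f"link to {href_dom!r} imitates {brand}")
    plain = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    findings += [f"urgency phrase: {p!r}" for p in URGENCY_PHRASES if p in plain]
    findings += [f"asks for sensitive data: {p!r}" for p in SENSITIVE_PHRASES if p in plain]
    # 4. Attachments with extensions commonly used to deliver malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has risky extension {ext}")
    return findings

# Constructed sample messages for this example; neither is real mail.
PHISH_EMAIL = b"""From: "Amazon Customer Service" <security@amazonn.com>
Subject: Urgent action required: verify your account
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=amazonn.com; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset="utf-8"

<html><body>Dear Valued Customer,<br>If you don't respond within 24 hours your account will be closed.
Please <a href="http://login.amazonn.com/verify">https://www.amazon.co.uk/account</a> and confirm your bank details.</body></html>
--XX
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XX--
"""
BENIGN_EMAIL = b"From: Alice <alice@example.org>\nSubject: Lunch\nContent-Type: text/plain\n\nSee you at 12.\n"
```

Run against the constructed PHISH_EMAIL, analyse returns eleven findings: the imitated sender domain, SPF and DMARC failures, the link whose text shows amazon.co.uk but points to login.amazonn.com, that link's typo-squatted domain, four urgency phrases, the request for bank details and the .zip attachment. The benign message returns an empty list. The two-edit threshold in impersonated_brand is deliberately loose and will misfire on genuinely similar names (ofgem.gov.uk and ofcom.gov.uk are two edits apart), so treat the output as triage input for a human rather than a verdict.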
How to Report Phishing
Threat actors continuously refine their phishing scams to trick victims into giving away personal details. To avoid falling victim, stay up to date with the latest security news and trends, and always report suspicious emails.
- If you receive an email you are not sure about, forward it to firstname.lastname@example.org. There is no limit to how many emails you can send to this address, and you do not need to be certain they are scams; the NCSC will check. Occasionally a forwarded email is not picked up because it has already been flagged by spam detection services, so attaching a screenshot of the email to your report helps.
- If you use Microsoft Outlook, you can also report it to Microsoft: in the ribbon at the top of the email, use the Junk drop-down or the Report Message button and choose Report as Phishing. The email is sent to Microsoft automatically to improve its spam filters.
- If you receive a phishing text message, report it: forward it to 7726 (the digits spell SPAM on a phone keypad). The information you provide helps the fight against scammers.
How to Prevent Phishing
Attacks like these can be prevented before they cause the damage described above.
The main gap to address is the human one. Organisations will have implemented firewalls, threat prevention, anti-virus and zero-day tools as a normal part of an IT security strategy, but the often-forgotten vulnerability is the human element. People are a weak link in any security strategy because people make mistakes, and a single lapse of concentration or gap in education can lead to a major data breach.
Much as you carry out regular network monitoring or network testing to ensure the business and its users are protected, organisations should run regular human security testing that probes the weaknesses among their employees. By regularly evaluating and then educating end users you create an additional security layer, in essence a "human firewall".
A regular, controlled phishing assessment as part of the business's security strategy lets an organisation measure its internal risk, showing where human weaknesses lie and allowing immediate remedial training when a malicious link is clicked or a phishing email is opened. Testing regularly, and educating users the moment they click or open something they should not have, strengthens your security from within.
Krome’s Phishing Assessment & Phishing Training Service
As part of our Security as a Service offering, Krome delivers a fully managed phishing assessment service with management reporting on the overall level of vulnerability found across your users.
- Using our phishing simulation platform, we link securely with your Active Directory
- A series of phishing campaigns is created, tailored to your company
- Simulated phishing emails are sent to specific users or groups
- We analyse and report on which emails succeeded and which users were caught
- We identify weaknesses and deliver user awareness training
- Users are re-tested after training with revised emails
- Users who fail a test are redirected immediately to an e-learning system
- Trends are benchmarked and reported, and testing is revised based on the findings
The service is flexible and can be tailored to your specific requirements, based on the findings of your assessment.