How to spot phishing scams

Technology has made plenty of things easier for SMEs – but it has also opened up new opportunities for . Now more than ever, it’s important for businesses to use technology in a safe and responsible way.

This post will run through what to look out for when it comes to scam communications, otherwise known as phishing attacks. We’ll also run through some tips on preventing and reporting them.

What is phishing?

Phishing is a form of social engineering where scammers attempt to gain access to sensitive information by deceptive means. The goal is to get people to divulge password information or download software that can spy or gain access to files. This could be done through an email that links to a fake website, a text with a link to download malware, or an impersonated phone call.

For SMEs, employees may be targeted as a route for scammers to get access to corporate data. Nearly one-third of all data breaches in 2018 involved phishing activity – and almost all businesses can expect to be targeted at some point. Thankfully, there are plenty of things that can be done to keep businesses safe.

How to spot SMS, email, social media, and phone phishing attempts

Some scams are easy to spot. They have poor spelling, bizarre layouts, or the logos and designs are clearly ‘off’. It’s tempting for each of us to think that we would never fall for a scam, but modern phishing techniques can be highly advanced. There are fake emails and websites which are near-indistinguishable from the real thing. With the amount of digital interactions we have every day, even observant and tech-savvy people can be caught out.

There are still some tell-tale signs of a scam to look out for. Phishing attempts tend to contain a veiled threat to act quickly, using urgent language or setting a 24-hour time limit. This is designed to make people panic and act rashly. Here are some of the top things to keep in mind for different types of scam.

Email phishing:

• Scam emails will usually pretend to be from authoritative sources such as a bank or government source. They can look surprisingly real with official logos and phone numbers
• The goal is to get you to share private information or download malicious software onto your PC or mobile
• A common method used to target SMEs is by emailing links offering SaaS software at a very low price
• Never click on a link or open an attachment in an email you weren’t expecting or when you don’t know where it came from
  
  

SMS phishing:

• ‘Smishing’ is where an urgent text asks you to reply or call a number and give away details that can be used to defraud you
• Remember that scammers may already have some parts of your account information in order to appear genuine
• Don’t click on any links in unfamiliar texts and check telephone numbers against official websites
  
  

Phone phishing:

• Similar to SMS scams, if fraudsters have got your number, they may also have other details about you to help them appear legitimate
• To make the call appear genuine, fraudsters can also use a tactic called ‘number spoofing’, which enables them to change the phone number displayed on your Called ID to match the person/company they are impersonating
• The goal is to get you to divulge the remaining bits of info that they need to access your private accounts
• If you’re at all suspicious of a call, simply hang up and find the organisation’s official number on their website. You can then call them directly and see if the request was genuine. If possible, wait 5 minutes and use a different phone to ensure that the line has cleared and you are not still speaking to the fraudster
  
  

Social media phishing:

• Be sceptical of ads that pop up and look too good to be true. They may have a fake endorsement from a well-known person
• If an ad redirects you to an external website, check the URL address and site carefully to make sure it matches the official brand
• A common social media scam involves luring people in with the promise of easy profits. You can check if a firm is legitimate by using the Financial Conduct Authority (FCA) Financial Services Register here

A real-life example of phishing

Take a look at the below example of a phishing email. Note that the sender is shown as ‘valdaenergy’ but, when you hover over the actual email address, you can see it is clearly not an official Valda Energy asset.

The message states that there is a voicemail from Royal Mail that can be accessed via a weblink. This is where you should ask yourself: why would Royal Mail be sending me a voicemail over email? The link takes you through to an Office 365 login page to access the voicemail, in an attempt to get you to share your password. This part looks believable, which makes it even more vital that you spot the other warning signs. For example, expanding the address in the browser shows that the page you’re on is actually an Amazon Web service page.

How to prevent phishing

There are protections SMEs can put in place to prevent phishing. Giving staff the lowest user privilege that they need to do their jobs means compromised accounts can’t do as much damage. Putting two-factor authentication in place reduces the risk of a compromised password, as a hacker will also need a physical factor such as an RSA key. Passwords need to be strong. They should be composed of random words and interspersed with number – never pet names, birthdays, or favourite sports teams. A password manager such as LastPass can store encrypted passwords for all of your employees.

Email filters can keep some scams at bay. However, 30% of phishing emails bypass default security measures. This means filters also need to be fine-tuned to your organisation’s needs. Overly aggressive filters may keep out legitimate emails, while lax filters risk threats slipping through. For suspicious senders, your email provider may allow you to right clicking and "block sender". This will send the email to the junk folder and prevent that address from contacting you again.

Regular backups of data are good business practice regardless, but they can also help in the event of being targeted by ransomware. These attacks demand payment to release access to files and data and make up 24% of incidents with malware. Staff can also be trained to spot unusual requests and encouraged to report phishing attacks before deleting them. They could be reminded to be vigilant on mobile devices too, as these are even harder to spot phishing threats on.

What to do if your business is targeted

If staff report a phishing attack, it’s important for IT teams to react quickly. This tends to involve changing passwords and scanning for malware. However, it’s equally important not to punish or blame individuals as this can discourage people from coming forward. It may also make people overcautious and scrutinise every detail of all comms they receive, which is an overcorrection.

Phishing attacks can be reported through the Action Fraud website – the UK’s national fraud and cybercrime reporting centre. You can also report suspected scams to the internet service provider (ISP) that was used. Yahoo!, Gmail, and Hotmail all have ‘report spam’ or ‘report phishing’ options. They can then investigate and close the account sending spam emails. It is also worth reporting phishing incidents to the company being imitated. The company may be able to assist your business and send warnings to other customers about the scam.

If you’re a smaller business owner who does not have access to an IT team, the best thing you can do is change your passwords immediately if you’re unsure about a threat. This is the best method to stop a scammer in their tracks. New passwords should be totally different from the old one, with never just one letter or number swapped. You can also reach out to the National Cyber Security Centre, which offers free advice and resources to businesses of all sizes.