Skip to content

Phishing attacks are one of the most common methods threat actors use to gain access to your network and devices. If you have an email account or phone number or use any online messaging platform, chances are you have been the recipient of a phishing attack.

Phishing is a type of attack used by hackers that relies on social engineering and deception to get the victim to reveal personal information. This information typically includes login or banking details. Phishing attacks often aim to get malware onto the victim’s device, giving the threat actor behind the attack access to the data on your computer.

Phishing attacks can be sent across almost any online platform that allows messaging. Some of the most common ways a phishing attack can find its way to you include email, text messages and phone calls. However, the rise of social media means that threat actors have started to include popular online platforms in their attacks and have been sending out malicious messages through Facebook, Instagram, Twitter, and LinkedIn, to name a few.

An example of Phishing text messages.

The word ‘phishing’ derives from the idea that the hacker is trying to lure people in with bait – typically structuring their messages around a subject that will grab someone’s attention and make them want to respond quickly. Depending on the platform the attack uses, the bait will come in various forms, but it will all have the same themes that hint that the message is fraudulent. Knowing what to look out for can help prevent you from becoming the next victim of a phishing attack:

  1. The message sender has an unusual and odd email domain, name or phone number. Domains used for phishing attacks get taken down regularly, hackers must quickly cycle through email addresses and phone numbers to get their messages sent out to enough people. With email, this often looks like a misspelling of the company name or individual they are trying to impersonate
  2. There are grammatical and spelling errors in the message. You may notice random capital letters, exclamation marks, and spelling mistakes.
  3. The message pushes you to click on a link or open an attachment. The message may encourage you to open a PDF, Word, or Excel document. Even if it looks innocent, documents included in phishing attacks often have hidden malware which executes once the recipient opens the document.
  4. The topic appears urgent or too good to be true. Phishing attacks use urgency in hopes you’ll miss the other obvious signs that the message is fraudulent. This can include mentioning that your account has been closed, your parcel cannot be delivered, or it may involve using a trending news topic to catch your attention.

Spear Phishing

Organisations are often targeted with a more specific phishing attack known as spear phishing. Unlike the generic topics of typical phishing attacks, spear phishing attacks use information gathered by the hacker to make the message more tailored to the target. This may include using your job position and line of work as a subject line or sending out emails that look as though they are from clients or colleagues. If a hacker has access to someone else’s work account, they will send out emails from the compromised login using the victim’s name and position in the company to make the message seem more legitimate.

The content of spear phishing attacks can differ slightly from generic phishing attacks. They don’t always have an urgent tagline or obvious grammatical errors. Instead, they may pretend to be a typical work-related email, such as asking you to complete a financial transaction, sign a document, or watch a training video. If you receive an email that seems suspicious and are unsure of whether to respond to it or not, the best thing to do is to ask the sender in person or over the phone to confirm that the email is legitimate verbally. If that is not possible, ask a colleague or whoever looks after your IT for advice – they may have received similar emails in the past or could spot signs that the email is fraudulent.

An example of a spear phishing email.

Whale Phishing or Whaling

Like spear phishing, whale phishing involves a crafted, specific message. However, whaling attacks are explicitly targeted at senior executives of an organisation, such as chief executives or business owners. As senior leaders are often present on their organisation’s website and social media accounts, hackers can gather a large amount of information about their target’s work and personal life, allowing them to craft a highly tailored message. Because the message is highly targeted, whaling attacks may not only be sent through email but can also be conducted through phone calls and letters – methods of communication not typically seen in standard phishing attacks. A successful whaling attack can have enormous consequences on an organisation, not only in monetary value but also in reputational damage. Senior-level positions often have a large digital reach in an organisation, and a compromised account could give a hacker access to much of a business’s data and systems.

An example of a whale phishing email.

How to Protect Yourself and Your Organisation Against Phishing Attacks

  1. Educate employees on how to spot a phishing attack. Giving all staff awareness training on spotting the common signs of a phishing attack is one of the best ways to ensure you don’t fall victim. Additionally, let staff know what to do if they have a phishing message sent to them – this could include reporting the email to the IT team and informing colleagues they have received a phishing email.
  2. Turn on spam filters. Most large email handlers have settings that can help detect and filter out malicious emails. There are guides on how to do this for most email platforms, including OutlookGmailiCloud Mail.
  3. Tag mail from external senders. Phishing attacks often use domains that look very similar to the real domain they are trying to impersonate. In spear phishing attacks, this can include using your organisation’s name in their email address, just slightly misspelt. Tagging all external mail means that a recipient can easily see that an email is not from within your organisation and should be treated with caution. Most email platforms allow you to turn this setting on, including Outlook and Gmail.
  4. Block known malicious domains and IP addresses. If you receive a phishing email, blocking the domain or IP address of the sender can help stop them from targeting your organisation again.