- Phishing (pronounced fishing) is one of the most longstanding and dangerous methods of cyber-crime
- Criminals are opportunistically exploiting the coronavirus pandemic
- An unprecedented number of people working from home has brought increased risks.
In this factsheet, you will learn:
- What phishing is
- Why the Coronavirus pandemic has proved an effective lure
- How increased numbers of people working from home have shifted the risk profile
- How you can protect yourself and your business
- Lessons that will also apply once the pandemic passes
- Where you can go for reliable support, information and intelligence.
What is phishing?
- Phishing - A fraudulent attempt, usually made through email, to steal your personal information
- Spear phishing - The fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information
- Whaling - Spear phishing attacks directed specifically at senior executives and other high-profile targets.
Phishing typically has a simple approach – send an email, email sends victim to a site, site steals information. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money. Despite the ‘simplicity’ they can be hard to spot. Phishing can be conducted via email, text message, social media, or by phone.
Fraudsters have homed in on coronavirus
“Experts at NCSC have revealed phishing attacks exploiting worries over COVID-19” - National Cyber Security Centre
“Coronavirus-related fraud reports increase by 400% in March” - Action Fraud
“Coronavirus-related email lures now represent the greatest collection of attack types united by a single theme. We’ve observed credential phishing, malicious attachments, malicious links, business email compromise (BEC), fake landing pages, downloaders, spam, and malware, among others, all leveraging coronavirus lures.” - Proofpoint
Why is the coronavirus pandemic proving such an effective ‘lure’?
- It’s common for scammers to take advantage of emergencies
- The most effective phishing attacks play on emotions and concerns, and that coupled with the thirst for urgent information around coronavirus makes these messages hard to resist
- As every organisation is letting you know their coronavirus plans, email phishers are pushing billions of look-alike emails into the mix
- Employees are expecting information from their companies, governments, associations, so phishing attacks that impersonate these groups may have an easier path to a click
- “One of the reasons that some of this activity has proved effective has been the large amount of legitimate email related to coronavirus that also included attachments” - Cisco Talos.
How has working from home impacted phishing attempts?
- Social distancing means many more staff are working from home and some are not used to it
- IT resources have been severely stretched by this rapid movement to home working
- Isolated staff may not know how to report problems
- Unfamiliarity with remote working technology increases deception risk
- Users are vulnerable to email phishing attacks asking to check or renew passwords and login credentials
- Finally, they will be carrying the ‘stress burden’ of the impact of the Coronavirus pandemic.
Home working doesn’t substantially change the way that businesses need to respond. However, proper phishing protection is best achieved within an effective overall cybersecurity umbrella.
How should your business respond?
- For SMEs: read the NCSC Small Business Guide which contains advice on preventing and managing phishing attacks
- The NCSC also has multi-layered strategy guidance on phishing.
The NCSC proposes four layers of defences:
Layer 1: Make it difficult for attackers to reach your users
- Make it harder for email from your domains to be spoofed by employing the anti-spoofing controls: DMARC, SPF and DKIM, and encourage your contacts to do the same
- Reduce the information available to attackers
- Filter or block incoming phishing emails.
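The first of these controls is something you can check for yourself: the SPF and DMARC records a domain publishes say, in a few tags, whether receivers are allowed to reject mail forged in its name. The script below is an added example, not part of the NCSC guidance or this factsheet; it reads the records as strings and lists the weaknesses a reviewer would look for (a soft-fail or permissive "all" in SPF, too many DNS-lookup mechanisms, a DMARC policy of "none" or "quarantine", a partial "pct", and no reporting address). The domain names and records in SAMPLE_RECORDS are constructed for illustration; a real check would fetch the TXT records for the domain and for its "_dmarc" subdomain.

```python
"""Assess a domain's SPF and DMARC records for anti-spoofing strength (added example)."""
import re

# Constructed sample records for three made-up domains (no DNS lookups are made).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.10 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}


def parse_dmarc(record):
    """Split a DMARC record's 'tag=value;' pairs into a dict with lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses in an SPF record; an empty list means no concerns."""
    if not record:
        return ["no SPF record published: receivers cannot reject forged senders"]
    findings = []
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        findings.append("record does not begin with v=spf1 and will be ignored")
    # The final 'all' mechanism decides how senders not listed in the record are treated.
    qualifier = None
    for term in terms[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            qualifier = match.group(1) or "+"
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif qualifier == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif qualifier == "?":
        findings.append("'?all' is neutral: forged mail is neither passed nor failed")
    elif qualifier == "~":
        findings.append("'~all' is a soft fail: forged mail may still be delivered")
    # RFC 7208 allows at most 10 lookup-triggering mechanisms; more yields a permanent error.
    lookups = sum(
        1 for t in terms
        if re.match(r"[-~?+]?(include|a|mx|ptr|exists)(:|/|$)|redirect=", t, re.IGNORECASE)
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record; an empty list means no concerns."""
    if not record:
        return ["no DMARC record: receivers are told nothing about failures"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not begin with v=DMARC1 and will be ignored")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    elif policy != "reject":
        findings.append("missing or invalid 'p' tag: record is not valid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: you will receive no aggregate reports")
    return findings


def is_enforcing(records):
    """True when SPF hard-fails unlisted senders and DMARC rejects all failures."""
    return not assess_spf(records["spf"]) and not assess_dmarc(records["dmarc"])


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, "enforcing" if is_enforcing(records) else "NOT enforcing")
        for finding in assess_spf(records["spf"]) + assess_dmarc(records["dmarc"]):
            print("  -", finding)
```

Moving a domain from "weak" to "strong" is usually done in stages: publish DMARC with p=none and a rua address, read the aggregate reports until every legitimate sender is covered by SPF or DKIM, then raise the policy to quarantine and finally reject.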
Layer 2: Help users identify, and report, suspected phishing emails
- Carefully consider your approach to phishing training
- Make it easier for your users to recognise fraudulent requests
- Create an environment that encourages users to report phishing attempts.
Layer 3: Protect your organisation from the effects of undetected phishing emails
- Protect your devices from malware
- Protect your users from malicious websites
- Protect your accounts with effective authentication and authorisation.
Layer 4: Respond quickly to incidents
- Detect incidents quickly
- Have an incident response plan.
What should the Board do?
- The NCSC has a Board toolkit, including five questions every Board should ask
- It’s personal since, as a Board member, you will be targeted by phishing attacks
- Responsibility should not be allocated solely to one board member: it’s good to have an expert, but everyone is affected in an attack.
Empower staff to spot threats
- The NCSC has tips for helping employees spot suspicious messages. Phishing exploits emotions - urgency, concern, greed, curiosity and trust
- Do train – BUT – remember that no training package (of any type) can teach users to spot every phish. Spotting phishing emails is hard. Spotting spear phishing emails is even harder
- Some organisations believe that if users are blamed or punished for clicking phishing emails, they will somehow be able to spot them next time around. Quite simply, this does not work
- Teach users to be sceptical of all attachments regardless of source.
Frequently asked questions
What do you do if you realise you have clicked?
- If you're using a work device, contact your IT department.
- Open your antivirus (AV) software if installed, and run a full scan.
- If a password has been tricked out of you, change it, and change it on any other accounts where you used the same one.
- If your firm has lost money, report it as a crime to Action Fraud.
What are common phishing tactics?
- Bills or invoices
- Account lockout
- Use of authority figures / executive staff
- Order or delivery information/confirmation
- Recruiting and job search
- “Trusted party” lures - appear to come from a friend or co-worker
- Bank account notification.
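Several of the tactics above (authority figures, "trusted party" lures, account lockouts) leave traces in the message headers that a mail filter, or a help-desk analyst triaging a reported message, can check mechanically. The following is an added example and not code from this factsheet or the NCSC: it parses a raw message with Python's standard email module and flags a display name that matches a known executive but a different address, a sender domain that is a near miss for the organisation's own, a Reply-To pointing elsewhere, SPF/DKIM/DMARC results other than pass, and pressure words in the subject. OUR_DOMAIN, the EXECUTIVES directory and both sample messages are constructed assumptions; a deployment would take the domain and directory from its own address book.

```python
"""Flag common phishing indicators in inbound mail headers (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                           # assumption: the organisation's domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumption: display name -> real address
LURE_WORDS = ("urgent", "immediately", "verify", "password", "suspended", "invoice")

# Constructed sample messages; neither is real mail.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Agenda for Thursday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

See attached agenda.
"""

SPOOF = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-office@mail-relay.invalid
To: bob@example.com
Subject: URGENT: wire transfer needed immediately
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com

Please action this now.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lowercase domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw):
    """Return a list of human-readable indicators found in the message headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    indicators = []

    # 1. Display-name impersonation of a known executive.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        indicators.append(f"display name '{name}' belongs to {expected} but address is {addr}")

    # 2. Sender domain that is within two edits of our own domain.
    if from_domain and from_domain != OUR_DOMAIN and edit_distance(from_domain, OUR_DOMAIN) <= 2:
        indicators.append(f"lookalike sender domain {from_domain}")

    # 3. Replies routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        indicators.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_domain}")

    # 4. Authentication results recorded by our own gateway that are not 'pass'.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{check}=(\w+)", auth)
        if match and match.group(1) != "pass":
            indicators.append(f"{check}={match.group(1)} in Authentication-Results")

    # 5. Urgency or account-lockout wording in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        indicators.append("pressure/lure words in subject: " + ", ".join(hits))
    return indicators


def is_suspicious(raw):
    """True when at least one indicator was found."""
    return bool(triage(raw))


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, "->", triage(raw) or "no indicators")
```

Only the Authentication-Results header written by your own gateway should be trusted; anything of that name arriving from outside must be stripped at the boundary, or an attacker can simply include a passing one.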
What are the phishing stages?
- Target selection. Finding suitable victims, notably, their email addresses and background information to find a psychological hot button that will lure them
- Social engineering. Baiting the hook with a suitable lure that would entice a victim to bite into the technical hook set to steal their credentials or plant malware. In the case of spear-phishing, this lure is customized to the intended victim
- Technical engineering. Devising the method to hack the victim, which can include building fake websites, crafting malware, and evading security scans.
What behaviour changes are you seeking to encourage amongst users?
- Think before you click
- Know the influence techniques
Further reading and resources
The National Cyber Security Centre (NCSC) – leads the UK’s cyber security mission and is a part of GCHQ. Some of their guidance for business includes:
- Phishing attacks: defending your organisation
- Multi-layer phishing defence infographic
- Homeworking: preparing your organisation and staff
- NCSC's Bring Your Own Device (BYOD) guidance
- 10 steps to cyber security
- No training package (of any type) can teach users to spot every phish.
- Guide to spotting suspicious emails
- Board toolkit
Business resources from other organisations include:
- Financial Conduct Authority (FCA) – Scamsmart
- Centre for the Protection of National Infrastructure (CPNI) – Don't take the bait
- HMRC Phishing and scams
- Information Commissioner's Office (ICO) – Think, Check, Share
- Ofcom - All operators use 7726 as the short code to report spam texts
- Tech UK – Strengthening cyber security when working from home
- CBI - Why your board must be involved in cyber defence
- European cybersecurity agency (ENISA)
- Action Fraud