Cybercriminals are always looking for ways to steal data and get access to organisations and valuable information such as personal and banking data, with the intention to misuse and possibly monetise them. One of the most common ways they do so is by phishing an organisation’s collaborators. In this article, you will find some tips and tricks to help assess the legitimacy of an email and make sure you do not give valuable information to the wrong person.

What is phishing?

Cybercriminals use fake emails or phone calls in order to collect company information, personal data, or login credentials to be used for gaining unauthorized access to computers or applications. Once they are in, they try to obtain confidential information, sell the login credentials and/or sensitive information, or gain profit – for example via ransomware.

To extract information or to convince the victim to do something in their favour, cybercriminals will play on something the victim believes in, or impersonate a trusted person, relying on authority, a sense of urgency, or the human instinct to help each other out.

Follow the policy

Always respect your organisation’s password policy, acceptable use policy and data classification policy to ensure a sufficient and consistent level of cybersecurity.

A set of reference document templates is available to ensure a quick and smooth implementation of cybersecurity policies within your organisation.

Email phishing

The classic type of phishing is by email. Cybercriminals send an email which appears legitimate, asking the victim to open an attached file or to click on a link. The attachment usually downloads malware and installs it on the victim’s computer or mobile phone. The link redirects to a website which at first seems harmless but in reality is trying to steal sensitive information, such as credentials and passwords, in order to gain access to an organisation’s accounts or to its collaborators’ social, personal and/or banking accounts. Clicking on a link could also trigger an automatic download of malicious software (malware) onto the device.

Phone phishing (and smishing)

Another type of phishing also used nowadays is phishing by phone. Whether by sending an SMS (known as smishing) or through a phone call, the ultimate goal remains the same: cybercriminals will try to get access to an organisation’s information and/or to its collaborators’ personal accounts and misuse them. By text, they can send a link and lure the victim into clicking on it and entering credentials and passwords. By call, they can try to manipulate the victim into giving personal information, which they use later to access professional, social media and bank accounts or other personal information.

How to recognize a phishing email?

Several techniques are used by cybercriminals to make sure their victim opens the wrong attachment or clicks on the wrong link. A few tips are gathered in this article to help avoid getting scammed by a phishing attempt. The main questions collaborators should ask themselves are the following:

  • Is it unexpected?

You received a message for no reason: you did not buy anything, have not had contact with them for a long time, etc. Investigate further.

  • Is it urgent?

Stay calm: did you really get a first reminder to pay? Do you know that 'friend in need'?

  • Do you know the person who sent the e-mail?

Check the e-mail address, and also check for spelling errors. However, beware: a legitimate e-mail address is no guarantee.

  • Do you find the request strange?

An official body will never ask you for your password, bank details or personal details via e-mail, SMS or over the telephone.

  • Where does the link you need to click on lead to?

Hover over the link with your mouse. Is the domain name, the word before “.be”, “.com”, “.eu”, “.org”, etc. and before the very first slash "/", really the organization’s name?

An example:

If a QR code is shown, check carefully which website it refers to. When you scan the code, you will see the URL. Check the domain as described above.

  • Are you being personally addressed?

Be wary of messages using general and vague titles, or your e-mail address to address you.

  • Does the message contain many linguistic errors?

Although seasoned cybercriminals tend to use language correctly, language errors or a foreign language can indicate a suspicious message.

  • Is the message in your Spam / Junk folder?

If so, be extra careful. You can also mark suspicious messages as Spam or Junk to warn others.

  • Is someone trying to make you curious?

Everyone would be curious about messages with a link reading "Look what I read about you ..." or "Are you in this picture?", but do not be tricked.

  • Are you asked to make a payment?

If you are asked to make a payment that you are not expecting, always be careful. Is the account number the same number you usually use to pay that organisation or person? If not, do not make the payment. Often phishing emails use foreign account numbers or ask to make payments through a crypto wallet. This is suspicious.

If you are in doubt about a payment, check with your bank first, or with the organisation claiming the payment. Do not do this through the contact details in the mail, but go directly to the website of the organisation itself.

Identify the hidden URLs by hovering your mouse over the links

On a computer, hover with your mouse over the provided link without clicking on it: the full URL will appear. If it looks suspicious, do not click on it. And if you need to visit that website, go to the official website typing its address yourself or looking for it with a trusted search engine.
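The domain check described above (the word before “.be”, “.com”, etc. and before the very first slash) can be automated for a list of links found in a message. The following is an added example, not code from the original article; the sample URLs are constructed and use a fictitious organisation name “mybank”.

```python
from urllib.parse import urlsplit

# Constructed examples (not from the original article): each URL is paired with
# the organisation the message claims to come from.
SAMPLE_LINKS = [
    ("https://www.mybank.be/login", "mybank"),               # genuine-looking
    ("https://mybank.be.secure-login.example/", "mybank"),   # real name hidden in a subdomain
    ("https://mybank.be@evil.example/", "mybank"),           # real name placed before '@'
    ("https://evil.example/mybank.be/login", "mybank"),      # real name placed after the first '/'
    ("mybank.be.login-portal.example", "mybank"),            # no scheme, as read from a QR code
]


def registrable_name(url: str) -> str:
    """Return the label just before the top-level domain: the 'word before .be,
    .com, ... and before the very first slash' the article tells readers to check.

    Assumes a single-label TLD; for suffixes such as .co.uk a Public Suffix List
    lookup would be needed, which is outside this example."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to recognise the host part
    # hostname is lowercased and already has userinfo, port, path and query removed
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def matches_organisation(url: str, expected: str) -> bool:
    """True only if the domain itself, not a subdomain, path or userinfo, is the organisation."""
    return registrable_name(url) == expected.lower()


def triage_links(links):
    """Return (url, extracted domain word, verdict) per link, mirroring the manual hover check."""
    return [
        (url, registrable_name(url),
         "looks consistent" if matches_organisation(url, org) else "SUSPICIOUS")
        for url, org in links
    ]


if __name__ == "__main__":
    for url, name, verdict in triage_links(SAMPLE_LINKS):
        print(f"{verdict:16} domain word={name!r:16} {url}")
```

Only the first sample passes; the other four place the real name in a subdomain, before an “@”, after the first slash, or in a QR-style bare URL, which is exactly what the hover check is meant to expose.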

How to react to a phishing email?

  1. Do not reply to it, do not open any attachment and do not click on the links
    The most important thing to do when getting a phishing email or text is not to follow up on it.
  2. Reach out directly to the sender
    If, after all the tips given, you still cannot tell whether it is a phishing email or not, check directly with the person involved by a different means. If the email sender seems to be a colleague, a client or a provider, call that person to see if they really need your help with something. If it is from another organisation, check their official website by entering their official address yourself in the address bar.
  3. Never share bank information requested via text or email
    Keep in mind that no bank will ever provide a direct link to log into a bank account via text or email, and they will never ask for PINs or secret codes, whether in writing or by phone.
  4. Report the phishing attempt and delete the email/text
    The phishing email or text should be reported to the IT responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)) and immediately deleted. When a message is already in the Spam folder, it should definitely not be trusted.

What to do if you get scammed?

  1. Report the incident immediately to your IT responsible.
  2. Warn your collaborators, clients and providers that they might receive a message from someone impersonating you and that they should not trust it.
  3. Change all the passwords that were given away (if any) on every account where they are used.
  4. If the scam was about bank details and you notice that money was stolen from your account, file a complaint with the police.
  5. Immediately call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

Report every incident. Always.

Always report any incident that might have happened to you, that you witnessed, or that you are aware of to your IT responsible. The sooner the right people can act on it, the smaller the consequences of the incident.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.