To mark this year's Safer Internet Day, we want to share some tips to help you identify phishing e-mails and protect yourself against relentless hackers.
How often do you open your mailbox to see that your bank (or another organization) has e-mailed you, asking you to update your payment information as soon as possible? All you have to do is click on a link. Seems pretty harmless, right? Is it though?
Do you simply click on the link with your eyes closed thinking that the email comes from a trusted source? Do you ask someone for advice? Or do you immediately delete the e-mail because you've spotted a phishing scam? We have found that most people aren't aware of security risks such as phishing and still click on risky links.
People interact with e-mails very differently. There are in fact no fewer than 9 different types of "clickers". Which one are you?
What is phishing?
Phishing is the fraudulent practice of sending e-mails disguised as coming from a reputable source in order to persuade individuals to reveal personal information, such as passwords and PIN codes. Hackers are becoming more professional by the day and the e-mails they create can be very convincing. That's why it is becoming more and more challenging for many people to tell whether an e-mail is a phishing attempt or not. We also receive lots of e-mails on a daily basis and want to process them as quickly as possible, which increases the risk of falling for a phish. Should you have any doubt, just relax and think twice before clicking on a link.
The different types of phishing
There are many types of phishing. They vary according to the target and the means used. In the end, the attackers' objective is always the same: to steal your data.
Spear phishing
Spear phishing involves targeting a specific individual in an organization, for instance the IT administrator, to try to steal their login credentials or compromise their device with malware. In this case, the attackers methodically go after a single individual. They first gather information about their victim, such as their name, position, and contact details. Spear phishing requires more preparation and time to succeed, because the attackers want their e-mails to look as legitimate as possible to increase the chances of fooling their targets. The highly personalized nature of spear-phishing attacks makes them more difficult to identify.
Whaling
Whaling is an even more targeted type of phishing. These attacks usually target CEOs, CFOs or other managers who have access to financial or payroll information in a particular industry or company. In a whaling attack, the attacker looks to establish trust with its target, for instance by pretending to be an associate from the same company. Once trust is established, the attacker can compel the victim to communicate sensitive information or ask them to click on a link that will install malware on the victim's device.
Smishing
Smishing uses text messages to carry out the attack. A text message containing a clickable link or a phone number to call back is sent to a mobile phone. For instance, a text message from your bank tells you that your account has been compromised and that you should react immediately by verifying and ultimately giving sensitive information. As a rule of thumb, if a text tries to get you to reveal credentials, download something, or send someone money, you are likely being smished.
There are many more types of phishing: HTTPS phishing, evil twin phishing, etc. They all have their own characteristics, targets, means, etc. It's therefore important to get to know the different types of threat to avoid being trapped in the future. Want to know more about the different types of phishing? Take a look at this website.
7 ways to recognize a phishing e-mail
It's no longer enough to watch for dubious-looking e-mails with spelling mistakes. Hackers now take the time to make something really convincing, even to a trained eye. Don't worry: in case of doubt, inspect the following elements in your e-mail and you'll be safe.
The sender
Do you expect an e-mail from this person? Check the sender's address carefully. An e-mail from John.doe@google.accountverification.com is probably not from Google.
Sense of urgency
A classic phishing technique is to tell you that you urgently need to do something: confirm your account today, make an urgent payment before the end of the week. Don't be fooled. Did you really receive a first demand to pay? Do you really know this so-called 'friend in trouble'?
Strange request
Official bodies are very sensitive to security issues. They will never ask you to send your password, bank details or personal data by e-mail, SMS or telephone.
Suspicious link
If you are invited to click on a link, first hover over it with your mouse and see where it takes you. Does the domain name, i.e. the word just before .be, .com, .eu or .org and the first slash "/", really correspond to the organisation's name? For instance, in the link www.easi.net/en/solutions/adfinity, the domain is "easi". In the link www.easi.itsolutions.be/blog, the domain is "itsolutions"; this link takes you to a different website. Also, if you receive strange e-mails, do not just click on "Unsubscribe". Check the link to see where it will take you. It's a classic trick to fool you.
Is it personally addressed to you?
If an e-mail starts with "Dear Mister" or "To the CEO of this company", beware! Phishers send thousands of e-mails hoping that someone will click on a link in the e-mail. If they don't know your name, it is probably something malicious or fraudulent.
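The sender check and the link check described above both come down to reading the name just before the suffix. The Python sketch below is an added example, not part of the original article: it returns that name together with its suffix (so "easi.net" rather than "easi"). The function names and the tiny suffix list are assumptions made for this example.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix list for this example; real tooling
# should load the full Public Suffix List instead.
SUFFIXES = {"be", "com", "eu", "org", "net", "co.uk"}


def registrable_domain(host):
    """Return the label just before the public suffix, plus that suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "co.uk" is matched whole.
    for size in (2, 1):
        suffix = ".".join(labels[-size:])
        if suffix in SUFFIXES and len(labels) > size:
            return ".".join(labels[-size - 1:])
    return None  # unknown or bare suffix: treat as unverifiable


def link_domain(url):
    """Domain a link really leads to, whatever its visible text says."""
    if not url.lower().startswith(("http://", "https://", "//")):
        url = "//" + url  # urlsplit only fills in hostname after "//"
    host = urlsplit(url).hostname
    return registrable_domain(host) if host else None


def sender_domain(from_header):
    """Domain of the address in a From header such as 'Name <a@b.c>'."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return None
    return registrable_domain(address.rsplit("@", 1)[1])


def belongs_to(domain, trusted):
    """True only when the registrable domain is one the organisation owns."""
    return domain is not None and domain in trusted
```

Anything that comes back as None (an unknown suffix, a bare IP address, a missing host) is treated as not belonging to the organisation, so an unreadable link is never waved through.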
How can I protect my company against phishing?
Approximately 3.7 million suspect messages were reported to the Center for Cybersecurity Belgium (CCB) in 2021. That's around 12,000 a day. Can you imagine? Private individuals are not the only targets; companies are targeted too. Many of them may feel they have achieved a sufficient level of security to prevent threats, for example by having a security audit performed by an expert, by implementing firewalls or by protecting their endpoints. However, as useful as these measures may be, the true level of security in a company is only measured by its weakest link: the end users. Training your employees properly and making them aware of security is crucial to prevent any security risk (hacking, data theft, phishing).