Chris Underhill - CTO, Equiniti Cyber Security - comments:
"It is 25 years since the first email was sent and in that time it has become ubiquitous across business as the communication method of choice. More recently we have seen the majority of household and personal bills shifting to email. While the convenience of email benefits the customer, it also plays into the hands of would-be criminals who have become very good at mimicking official correspondences.”
According to Chris, unsure recipients should follow these six tips:
- Are you expecting the communication? If you didn’t ask for it, then immediately treat it as suspicious until you can prove otherwise. Remember, if it causes you any doubt then do nothing. Urgent legitimate unsolicited communication can always be resent to you.
- Look at the ‘From’ address of the email to see whether it looks suspicious. If the email asks you to respond via email, click reply and look at the displayed ‘To’ field. The email might tell you it’s from your CEO, but your reply is being sent elsewhere, e.g. ‘firstname.lastname@example.org’.
- Do not click or open attachments unless you specifically requested them. Criminals will try to get you to open an attachment that may compromise your computer.
- Beware calls to action. Phishing requires you to act in order for the attack to be successful. Any communication that requires you to do something immediately should cause you to stop and consider what the communication is actually asking you to do. Fear and alarm are common tactics used to lure potential victims into engaging. This could be an email from your CEO, your bank or even an email from a trusted friend.
- Check links carefully. Spammers will often try to trick you using sub-domains that don’t match the origin sender, for example: http://paypal.paypal-payments.com.digi1-pay.net does not belong to PayPal. Phishing sites are hosted on websites that are not related to who they say they are, so check a link carefully before you decide to click it. You can do this by hovering over the link with your mouse.
- Trust nothing. Communications must prove themselves to be legitimate. If it gives you any cause for concern, delete it.
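Tips 2 and 5 above can be checked mechanically. The following is an added example, not code from the original article or from Equiniti: it parses a constructed sample message, compares where a reply would actually go (Reply-To) with the displayed From, and flags links whose host name mentions a brand but whose registrable domain is not one of that brand's assumed real domains. The registrable-domain logic is deliberately simplified (last two labels, no public-suffix list).

```python
import email
import email.utils
import re
from urllib.parse import urlparse

# Constructed sample message (not from the article): a "CEO" lure whose
# Reply-To points elsewhere and whose link uses the deceptive sub-domain
# from tip 5. All addresses are placeholders.
SAMPLE_MSG = (
    'From: "CEO" <ceo@example.org>\n'
    "Reply-To: ceo.urgent@example.net\n"
    "To: staff@example.org\n"
    "Subject: URGENT: payment needed today\n"
    "\n"
    "Confirm the invoice at http://paypal.paypal-payments.com.digi1-pay.net/login\n"
)

def registrable_domain(host):
    """Last two labels of a host name: the part that names the real owner.
    Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def reply_goes_elsewhere(raw_message):
    """Tip 2: a reply is addressed to Reply-To (if set), not the displayed From.
    Returns (from_domain, reply_domain) when they differ, else None."""
    msg = email.message_from_string(raw_message)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    reply_addr = email.utils.parseaddr(msg.get("Reply-To", from_addr))[1]
    from_dom = registrable_domain(from_addr.rpartition("@")[2])
    reply_dom = registrable_domain(reply_addr.rpartition("@")[2])
    return (from_dom, reply_dom) if from_dom != reply_dom else None

def links_impersonating(raw_message, brand_domains):
    """Tip 5: flag links whose host name contains a brand keyword but whose
    registrable domain is not in that brand's allow-list of real domains.
    brand_domains maps keyword -> set of domains the brand actually owns."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload()  # plain-text, single-part message assumed
    flagged = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        owner = registrable_domain(host)
        for brand, real_domains in brand_domains.items():
            if brand in host and owner not in real_domains:
                flagged.append((url, owner))
    return flagged
```

Hovering over a link shows the same host name this code extracts; the decisive part is the registrable domain at the end, not the brand name at the front.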
Chris Underhill concludes:
"The most important thing is to understand what phishing (whereby someone steals your personal information by way of impersonation) actually is.
Be aware that criminals will constantly try to motivate you to hand over your information through trickery and fear.
These attacks will come into your work life and your personal life so make sure you understand that it is entirely possible for someone to impersonate someone within your organisation, to try and force you to hand over private details.”