Life Hacks:

Phishing is the term used for all types of scams that bypass cyber defences by tricking people into handing over information. Bad actors use it to steal money, install ransomware or steal private data. Often they are looking for passwords.

Forms of phishing have been around for almost 30 years and have grown more and more advanced. CERT NZ, the government’s Computer Emergency Response Team, lists ‘phishing’ as New Zealand’s most common cyber-attack.

Phishing works by impersonating messages from someone you trust. That could be a company, an organisation or a person. Banks and firms like PayPal are favourites, and so are government agencies.

Messages range from convincing-looking emails resembling the real thing to half-baked attempts with obvious mistakes. The best ones use an organisation’s logos or designs and mirror its language.

Phishing trends

A recent trend in phishing is to start communication with an email or text message and then move to a voice call. Last year a campaign told targets they had automatically renewed an antivirus subscription and needed to call a number to cancel.

Spear phishing

Spear phishing is a more sophisticated version of the scam that targets individuals. Everyday phishing campaigns contact people in bulk. Even if only a tiny fraction takes the bait, the phishers get a payday. Spear phishing instead focuses energy on a single person. Scammers will research their target through company websites and social media sites like LinkedIn and use that information to appear more plausible. They may send messages that look like they come from someone in your organisation or an outside organisation you have a relationship with.

Tips for repelling phishing attacks

1. Make everyone phishing aware

Your defence against phishing is only as good as the weakest link. Everyone who deals with incoming messages should be aware of the threat.

2. Put phishing-safe policies in place

Decide in advance what administrative staff should do if, say, an unexpected invoice arrives. Make a policy of never handing out private information.

3. Does it ‘smell’ phishy?

Your instincts and common sense can be good here. If you get an official-looking email with poor spelling, poor grammar, or the kind of language you don’t expect from that organisation, there’s a good chance it is a scam. Warning signs are emails with lots of capital letters or indiscriminate use of exclamation marks and emojis. Just remember that scammers won’t always be sloppy. With access to AI tools like ChatGPT, scammers will be able to construct scams with the correct grammar and tone, even in languages they aren’t fluent in.

4. Check the email address, then check it again

If you have had a previous email from, say, a bank, then get one from a different email address, treat it with suspicion. Some phishers use obviously questionable addresses. Others might use ones that have some relationship with the original but with differences: it can be as minor as a single character. If it looks strange, it could be a scam. You may notice that the incoming email address differs from the address that appears when you hit the reply button. This may indicate a scam, especially if the reply address has no relationship to the organisation the email pretends to come from. Likewise, unless you are on regular first-name terms with the sender, be wary of email addresses from organisations that use a single first name. Your insurance company will never send a message from an address like daisy@ami.co.nz, for instance.

5. View links before you click

Often you can hover over a weblink in an email to see the target address before you click to connect. The written link might look fine, but if the link preview shows a strange address, then it could be dangerous. Don’t click. Take extra care if you get an email out of the blue with a form to fill out or one that points to a link where you need to fill in any private information.
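As an added example (not from the article), here is a small Python check that applies tips 4 and 5 to a message: it flags a Reply-To domain that differs from the From domain, a sender domain a character or two away from one you already correspond with, and a link whose visible text names a different site from its real target. The sample message and the `bank.example` / `bamk.example` domains are constructed for this example, and the anchor-tag regex is only adequate for that sample, not for arbitrary HTML.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not real mail) showing the signs described in tips 4 and 5.
SAMPLE = """\
From: Customer Care <daisy@bamk.example>
Reply-To: collect@collect.example
Subject: Act today or we will close your account
Content-Type: text/html

<a href="http://bamk.example/verify">https://www.bank.example/login</a>
"""
KNOWN_DOMAINS = ["bank.example"]  # constructed: domains you have corresponded with before

def domain_of(header):
    """Lower-cased domain of an address header ('' when the header is absent)."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; look-alike domains are often just one character off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_signs(raw, known_domains=KNOWN_DOMAINS):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    signs = []
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply and reply != sender:  # tip 4: replies would go somewhere else
        signs.append(f"reply-to {reply} differs from sender {sender}")
    for known in known_domains:  # tip 4: sender a character or two off a known domain
        if sender != known and edit_distance(sender, known) <= 2:
            signs.append(f"sender {sender} looks like {known}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    # Regex is adequate for this sample only; use an HTML parser on real mail.
    for href, text in re.findall(r'<a[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.S):
        text = text.strip()
        if "." in text and " " not in text:  # tip 5: visible URL vs real target
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown != urlparse(href).hostname:
                signs.append(f"link shows {shown} but goes to {urlparse(href).hostname}")
    return signs
```

Running `phishing_signs(SAMPLE)` on the constructed message reports all three signs; a message from a known domain with no Reply-To and plain "Log in" link text reports none.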

6. Be wary of phone numbers

If a suspicious email asks you to phone a number, check with the company’s online site that it is correct. Legitimate company emails are unlikely to ask you to call a private mobile number or an overseas number.

7. Do they know who you are?

Organisations you deal with know your name and they tend to use it. Phishers often use impersonal forms of address, sometimes bizarre attempts at friendliness or chattiness. Unfortunately, spear phishers often do know their targets, so there is no hard and fast rule here.

8. Watch for tight deadlines

There may be times when a legitimate correspondent needs urgent action. However, in general, urgency of the “act today or we will close your account” kind is a sign of a scammer. Apart from anything else, they want to collect their money before the authorities catch up with their scam.

9. Never give out passwords

Responsible companies and organisations will never ask you for a password in an email or text. You should view a request for password information as a red flag.

10. Stay alert

Phishing attacks are designed knowing there will be times when you are busy or distracted and at risk of making a mistake. Make being cautious about phishing a general work habit.