What is Phishing and how can your business protect itself from it?
Phishing is a process in which a cyber-criminal obtains a whole load of current email addresses and sends an email to all of them, to see if any of the recipients reply.
That’s what we call the first Phishing hook; the term originates from fishing, although it is spelt differently.
This first hook, in turn, leads to Spear Phishing, which is a direct attack targeted at an individual and crafted so that they respond as if they were replying to someone who works in that company. For example, a senior manager could be advised to update their password and click on a link which takes them to a duplicate page, built by the cyber-criminals to look like the corporate website.
If the senior manager clicks on that link, they are taken to the false page and may surrender valuable data to the criminal by accident, namely their USERNAME and PASSWORD.
These are two valuable pieces of personal information which are like gold dust to a cyber-criminal.
The average person has between 35 and 60 online accounts, when you tot up shops, banks, social media platforms, media channels and work ones.
But how many of those have different passwords?
And how many of these accounts will a cyber-criminal try out and get into?
Once they have your USERNAME and PASSWORD, they can try their luck on your PayPal, eBay or Facebook accounts, for example.
A way to protect yourself from this onslaught is to double-check URLs before you click and to use a strong, completely separate password for each one of your accounts.
All too often, by the time a business realises that criminals have been rooting around in its system, it is already too late to stop them, because the criminals are likely to have been on that system for quite some time, weeks or months, and to have accumulated a lot of data in that time.
Typically, unless a company has some sort of intrusion-detection system, criminals will simply lurk within the system, picking up data and escalating their privileges, taking more and more advantage of their initial access point.
When you work in an office, you know where things are kept, and you can keep them under lock and key and under surveillance too. It is harder to do that when the information is in a computer system, because many cyber-criminals act blindly, using code to trawl your directories, contact lists and financial records for information about who works for you.
Once they have details of people connected with a company, such as easyJet, which last summer fell victim to a "highly sophisticated cyber-attack" that affected around nine million customers, they can also find a way into those customers’ bank accounts.
They can also pretend to actually be you, contacting your work colleagues, friends or family, claiming to be in a hospital bed and needing money for something urgent.
If you get a message saying you have forgotten your password, it could be because somebody else has already changed it: they use the "forgotten password" option on your email account and have the reset message from your email provider sent directly to them.
The fear and panic you will feel while taking the time to get your own password back is indescribable, especially if you think that not just your email but the emails of your whole company could have been put in jeopardy.
But one way of keeping your accounts secure is two-factor authentication. This means that if something suspicious happens on your email account, a message is sent to your phone, or to an authenticator app on your phone, and you must confirm “Yes, this is me” or “No, this isn’t me” before any action is taken on your behalf.
Detective Constable Gareth Jordan has been a police officer for 13 years and prior to that, was employed in the IT and Pre-Press and Print sector.
Gareth is now based at Police HQ in Carmarthen and has been involved in investigating all forms of crime that have a cyber-element to them.
He has a wealth of knowledge regarding Cyber Security and continues to expand this by being involved in the day-to-day investigation of cyber-based crimes.
Gareth knows about the latest cyber scams and can explain how they are carried out – and more importantly – how you can avoid falling foul of them.