IT3000: Stay Safe Online – Phishing, Vishing & Smishing

Phishing, Vishing and Smishing IT3000

What are phishing, vishing and smishing scams and how can you recognise them?

The scams can be delivered via emails, websites or even phone calls and are ultimately designed to steal money. The scammers can achieve this by installing malicious software on your computer or by using social engineering to convince you to hand over personal information or even the money itself.

Phishing – scams delivered via email

Vishing – scams delivered by phone

Smishing – scams delivered by SMS text messaging

In recent weeks we have seen an increase in the number of phishing attacks delivered via email.

How can you recognise a phishing email?

Microsoft have provided the following example of what a phishing email could look like.

phishing email example Microsoft IT3000
 
https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx

Things to look out for:

Sender address: If you are unsure as to the legitimacy of an email always check the sender address. The below example is from a phishing email that impersonated Microsoft. At first glance the email appears genuine but as you look closely at the email address you can see that is coming from @microsftonline.softcom.com which is not a legitimate Microsoft email suffix.


If you are unsure of the correct email suffix for a company visit their website (although not from a link in an email!) and see what their web address is, or their contact email address, if this is included on the site.

Typically a company’s email suffix will be their web address, as you can see from our example below.

Spelling and bad grammar: Cybercriminals are not generally known for the correct use of spelling and grammar! If you notice any mistakes, especially obvious ones, within an email then this could be a sign that the email is a fake.

Links: Beware of links within emails! If you think a link may be suspicious DO NOT click on it. One method of checking a link is to rest (but not click) your mouse over the link to see if the address matches the one typed in the email. In the Microsoft example below you can see that the link revealed in the yellow box looks nothing like the company’s web address. It is also worth remembering that links can lead to installer files that can lead to any kind of application or malware being installed on to your machine.

Threats: Cybercriminals often use threats in order to scare people into clicking on links or handing over their details. Beware any email that threatens to suspend your account if you do not carry out their instructions. If ever in doubt always phone the company in question, and make sure you get the number from their website rather than from the email you are querying!

Images and graphics: Lots of phishing emails will appear as if they come from a legitimate company. Cybercriminals invest a lot of time in designing emails and even websites to trick people into thinking they are the real deal. If you suspect an email may be a fake you can compare it with a legitimate email from the company in question to see if there are any differences, but be warned they may be subtle!

Attachments: If you are not expecting an email with an attachment then do not open it! Always check the sender address and the body of an email before you open any attachments. Cybercriminals can use attachments to install malicious software on your computer. Phishing emails often use attachments titled ‘invoice’ – if you are not expecting an invoice or have not heard of the company listed in the email then do not open the attachment. If you recognise the company name but are suspicious about the email, contact the company to check if the attachment is legitimate. Once the attachment has been opened it can affect your machine and anything else connected to the network.

What to do if you think you have received a phishing email?

Below are our handy tips and tricks for if you think you have received a phishing email

  • Do not open any attachments
  • Do not click on any links
  • Check the company’s website (by searching for them in your browser, not by clicking a link in the email) and see if they state what they will and will not ask you for via email
  • Contact the company the email is impersonating – they can confirm whether they have contacted you and if it is a phishing email they can notify their other customers
  • Inform your colleagues as others may receive the same email
  • Inform your IT department if you have one
  • Delete the email from your inbox and then delete it from the deleted items folder

If you are an IT3000 support customer and you receive a suspicious email call us on 01455 247 830 – but please remember to not open any attachments or click on any links before you call us!

If you are an IT3000 support customer and you DO click on a link or open an attachment but after doing so you suspect that it may not be legitimate, then you must call us immediately on 01455 247 830.

How can you recognise a phishing phone call? (otherwise known as Vishing)

Phishing phone calls can be hard to spot; the caller will seem friendly, they will know your name and they may claim to work for a company you trust.

If you get a call from someone trying to sell you something you had not planned to buy, or someone claiming to know that you have been in an accident or that your computer has a virus say ‘no thanks’ and hang up.

If, after the call, you are unsure as to whether it was a scam or a legitimate call then you can phone the company that they are claiming to have called from. Always get the number from their website or from any marketing material that you know is legitimate. It is not difficult for scammers to mail out fake literature or to produce a fake website.

Things to look out for:

Language: Telemarketing scammers often use language intended to make you trust them – beware any callers that use the following:

  • You’ve been specially selected (for this offer).
  • You’ll get a free bonus if you buy our product.
  • You’ve won one of five valuable prizes.
  • You’ve won big money in a foreign lottery.
  • This investment is low risk and provides a higher return than you can get anywhere else.
  • You have to make up your mind right away.
  • You trust me, right?
  • You don’t need to check our company with anyone.
  • We’ll just put the shipping and handling charges on your credit card.

https://www.consumer.ftc.gov/articles/0076-phone-scams

Requesting personal information: Scammers will often pretend to be from a bank or building society and will ask for information such as internet banking details, card details and account details. This information should never be requested over the phone.

What can you do if your company is used in a phishing scam?

You may find that your company has been used in a phishing scam and that your customers have received emails that appear that come from your company or even a specific member of staff. Unfortunately, as these emails are being sent from outside your company, there is nothing that can be done to stop this.

To minimise the risk to your customers if your company was ever to be mimicked by a phishing scam we recommend that:

  • you brief all staff on phishing scams and what they need to do if a customer calls querying an email/ phone call that they have received
  • you regularly remind your customers to be vigilant when checking emails
  • you let customers know what you will and will not request from them via email or phone call

If you are made aware that your company is being used in a phishing scam then we would advise that you contact all customers immediately, by both email and phone if possible, to warn them of the scam and to suggest that they contact you if they receive an email that they suspect may not be legitimate.

How can IT3000 help?

Our team of skilled engineers are on hand to help identify any phishing emails that you may receive and, in the worst-case scenario, will work to minimise any damage caused if malicious software is installed on your machine.

We can also help to protect you from, and minimise the impact of, other forms of cyber-attack such as ransomware, virus’ and trojans.

To talk to a member of our team to see how we can support and protect your business call us today on 01455 247 830.

Useful Links (all genuine we promise!)

Find out more on phishing and the types of scams in operation

http://www.actionfraud.police.uk/fraud-az-vishing

Large trusted companies are often impersonated and most of these will have information online on how to avoid phishing scams

Microsofthttps://www.microsoft.com/en-us/safety/online-privacy/msname.aspx
Applehttps://www.apple.com/uk/legal/more-resources/phishing/
Googlehttps://support.google.com/websearch/answer/106318?hl=en
HMRChttps://www.gov.uk/report-suspicious-emails-websites-phishing

All major banks and building societies provide information on what they will and will not request from you via phone, email or text message.

HSBChttps://www.hsbc.co.uk/1/2/contact-and-support/security-centre/fraudguide
Lloyds Bankhttp://www.lloydsbank.com/help-guidance/security/suspicious-phone-calls.asp
Nationwidehttp://www.nationwide.co.uk/support/security-centre/fraud-awareness/online-fraud#xtab:phishing
Natwesthttp://personal.natwest.com/personal/security-centre.html
Royal Bank of Scotlandhttp://personal.rbs.co.uk/personal/security-centre.html
Santanderhttp://www.santander.co.uk/uk/help-support/security-centre
TSBhttp://www.tsb.co.uk/security/phishing/

To check to see if a link in a browser it what it claims to be, simply hover over the link and check the bottom left hand of your browser, if the text matches then you know the link is genuine!