Anyone who uses email, text messaging, and other forms of communication is a potential victim of phishing and scam messages.

These attacks involve a cybercriminal sending a misleading message aimed at tricking the user into sharing sensitive information, such as credit card numbers, installing malware on their system, or making purchases on behalf of the attacker. When executed skilfully, they can be highly effective.

There are many types of phishing messages, which include:

  • Email phishing: The most common type of phishing attack, where a legitimate-looking email is sent to trick the recipient into entering information
  • Spear phishing: A malicious email sent to a specific person or group, such as a company’s system administrator
  • Whaling: A phishing attack that targets high-level executives, such as CEOs and CFOs
  • Vishing: A voice call is used to obtain sensitive information
  • Smishing: A text message or short message service (SMS) is used to execute the attack
  • Angler phishing: Fake social media accounts belonging to well-known organisations are used to lure users to fake URLs

A common phishing scheme to watch out for is CEO Fraud. In this attack, the perpetrator pretends to be your CEO to manipulate employees into taking harmful actions. The attacker usually seeks to deceive individuals into transferring funds to their own account, disclosing sensitive HR information, or revealing other confidential data. Always verify such requests through trusted communication methods before responding.

Protect yourself from becoming a phishing victim

Things to look out for:

  • Treat with suspicion any email that you didn’t expect to receive.
  • Legitimate subject lines are usually detailed and specific.
  • Look for unprofessional spelling and grammatical errors.
  • Unnecessary urgency is suspect.
  • If it seems too good to be true, it probably is.
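The warning signs above, together with the CEO Fraud pattern described earlier, can be turned into a first-pass triage check that a help desk might run over reported messages. This is an added example, not code from the original page; the company domain, the executive name list and the sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example (not from the original page): the organisation's
# own mail domain and the names an impersonator might put in the display name.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|within the hour)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|gift cards?|purchase|pay(ment)?|invoice)\b", re.I)


def score_message(raw: str) -> dict:
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    flags = []
    # CEO Fraud: an executive's name in the display name but an outside mailbox.
    if display_name.strip().lower() in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN:
        flags.append("executive name from external domain")
    # Legitimate subject lines are usually detailed; a one-word subject is suspect.
    if len(subject.split()) < 2:
        flags.append("vague subject line")
    if URGENCY.search(subject + " " + text):
        flags.append("unnecessary urgency")
    # Requests to pay or purchase on the sender's behalf.
    if PAYMENT.search(text):
        flags.append("asks for payment or purchase on sender's behalf")
    if re.search(r"https?://", text):
        flags.append("contains hyperlink")
    return {"from": address, "flags": flags, "score": len(flags)}


# Constructed sample message for the example; not a real report.
SAMPLE = """From: Jane Doe <jane.doe.ceo@freemail.example>
To: accounts@example.com
Subject: Request

I need you to purchase gift cards immediately and send me the codes. I am in a meeting, do not call.
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

A high score is a prompt to verify through a trusted channel and report the message, not a verdict on its own.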

To help mitigate potential threats, the following protocols should be followed:

Do not:

  • Share personal or financial information without proper security protocols.
  • Open attachments unless you are certain they are legitimate.
  • Respond to unsolicited messages seeking personal information.
  • Respond to messages asking you to purchase or pay for anything on behalf of the sender.
  • Respond to messages seeking company financial information.
  • Click hyperlinks unless you are certain of the source.

Do:

  • Call the sender directly to verify if the message you received is legitimate.
  • Check that the website you are visiting is secure. Look for a lock icon or an address that begins with “https:” indicating that the site is secure.
  • Report any suspicious messages to the nominated person.
  • If in any doubt, check.

FIS Associate Member Citation has produced some guidance which is available at: https://www.citation.co.uk/cyber-security-and-attacks/managing-phishing/