The Evolving Threat of Phishing
Phishing is a form of cybercrime where attackers attempt to trick individuals into divulging sensitive information such as usernames, passwords, and credit card details by impersonating a trustworthy entity. Once seen as easy to spot due to poor grammar and generic greetings, phishing attacks have grown dangerously sophisticated. With the aid of AI, attackers now craft highly convincing and personalized messages, free of the tell-tale errors of the past. These fraudulent communications are no longer confined to email; they now arrive via SMS (smishing), social media messages, and even QR codes (quishing). The scale is staggering, with billions of phishing emails sent daily, making it a primary vector for data breaches and financial loss. Phishing is involved in 36% of all data breaches and costs individuals and businesses billions annually.
First Line of Defence: Scrutinise the Sender
Your first and most crucial step is to question the source of any unsolicited communication. Attackers are adept at making a sender’s display name look legitimate, such as “HR Department” or “Amazon Support.” However, the real story is in the email address itself. Hover your mouse over the sender's name to reveal the full email address. Look for subtle misspellings, like using 'rn' instead of 'm', or suspicious domains. A legitimate email from a major corporation will not come from a generic public domain like @gmail.com or a randomly generated address. Any inconsistency between the display name and the actual sending address is a major red flag.
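The sender checks described above, turned into a small header-screening routine. This is an added example, not part of the original article: the brand-to-domain table, the public-mailbox list and the sample From: headers are all constructed for the demo, and the "rn" for "m" lookalike test is the one trick the article names, not a full homoglyph check.

```python
from email.utils import parseaddr

# Constructed lookup table for the demo (not a real allow-list): the brand a
# display name might claim, and the domain that brand actually sends from.
KNOWN_BRANDS = {"amazon": "amazon.com", "netflix": "netflix.com"}
# Free public mailbox providers a major corporation would not send from.
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def is_lookalike(domain, expected):
    """True if `domain` turns into `expected` once the 'rn' -> 'm' trick is undone."""
    return domain != expected and domain.replace("rn", "m") == expected.replace("rn", "m")


def check_sender(from_header):
    """Return the red flags found in a raw From: header value (empty list = none)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no usable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    name = display.lower()
    flags = []
    # Display name that itself looks like an address, but not the real one.
    if "@" in name and name.strip() != addr.lower():
        flags.append(f"display name shows {display!r} but mail comes from {addr}")
    # Display name claims a brand: the sending domain must belong to that brand.
    for brand, expected in KNOWN_BRANDS.items():
        if brand not in name:
            continue
        if domain == expected or domain.endswith("." + expected):
            continue  # genuine brand domain or a subdomain of it
        if domain in PUBLIC_MAILBOX_DOMAINS:
            flags.append(f"{brand} display name but public mailbox domain {domain}")
        elif is_lookalike(domain, expected):
            flags.append(f"lookalike domain {domain} (resembles {expected})")
        else:
            flags.append(f"{brand} display name but unrelated domain {domain}")
    return flags


# Constructed sample headers covering the cases the article describes.
SAMPLES = [
    '"Amazon Support" <no-reply@amazon.com>',
    '"Amazon Support" <amazon.help@gmail.com>',
    '"Amazon Support" <billing@arnazon.com>',
    '"support@netflix.com" <alerts@mail-notices.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no flags")
```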
The 'Safe Channel' Verification Strategy
If an email or message raises even the slightest suspicion, do not reply, click any links, or open attachments. Instead, employ the 'safe channel' strategy. A safe channel is a separate and trusted method of communication that you initiate to verify the request's legitimacy. For example, if you receive a suspicious email claiming to be from your bank, do not call the number or click the link provided in the email. Instead, find the bank’s official phone number from their website or the back of your debit card and call them directly. If a colleague sends an unusual request for funds or sensitive data, call them on their known phone number or walk over to their desk to confirm. This out-of-band verification creates a critical break in the attacker's chain of deception.
How to Verify on Different Platforms
Applying the safe channel strategy is simple. For an email from a service provider like Netflix or a utility company, log into your account through your browser by typing the official web address directly—never by clicking an email link. From there, you can check for any genuine notifications or issues with your account. For a text message (smishing) with a link, ignore it. If you are curious about a potential delivery or alert, go to the official app or website of the company it claims to be from. For requests that seem to come from internal company sources, like your CEO or IT department, use a trusted internal directory or a platform like Slack or Microsoft Teams to send a direct message to the person to confirm the unusual request.
Red Flags That Demand a Double-Check
Beyond a suspicious sender address, several other red flags should trigger immediate verification on a safe channel. Be wary of any message that creates a sense of urgency or panic, threatening account suspension or legal action if you don't act immediately. Unexpected requests for sensitive information, such as passwords or financial details, are another classic sign of a scam. Legitimate organizations will rarely ask for this information via email. Also, be suspicious of unexpected attachments or links, even if they appear to come from someone you know. Grammatical errors and impersonal greetings like "Dear Valued Customer" are less common now but can still indicate a mass-produced phishing attempt.