4 steps – a study of a common phishing campaign

Have you ever wondered how a phishing campaign works? What’s behind the scam emails you receive almost every day?

Thanks to Verizon's latest Data Breach Investigations Report, we can see that the fraudulent email is only the tip of the iceberg: there is much more hidden beneath it.

Study the prey

First things first: attackers do some background research on the business they want to target (your company, for instance). They gather details such as your corporate email domain and house style, the email addresses of board directors, your suppliers, the bank your company relies on and more, with the aim of maximising the likelihood that their attack will succeed.

Craft the perfect email

Secondly, they create a replica of a genuine email from your company, or from any other entity you might expect to hear from (your bank, a supplier, HMRC, etc.), typically sent from a lookalike domain so that it does not raise any alarm or suspicion. It usually contains a malicious link or a malware-infected attachment. According to Verizon's report, roughly one in three recipients opens the phishing email, with a median time to the first open of 1 minute and 40 seconds.

Alter your behaviour

The email uses social engineering techniques to persuade you to act. This might be to get you to click on the link provided or open the attachment, and it may also encourage you to forward the email to colleagues, which multiplies the chances that the link or attachment will be opened. The report states that 12% of targets swallow the bait, with a median time to the first click of 3 minutes and 45 seconds. Cyber criminals 1 – Company 0.

Easy route for criminals

Without your knowledge, the malware has been installed and begins stealing credentials and information that will later be used to access secured accounts, wire money, control machines and systems, and so on. The result? A data breach.

Defend your company, recognise phishing scams

Your company can build barriers to stop phishing emails from reaching your inbox and your colleagues' inboxes, but the ultimate guard defending the corporate system is you. If you know how to recognise a scam and report it to your IT department, you can save your company from data breaches that could lead to financial losses, monetary penalties, loss of reputation – or even closure of the business.
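The lookalike sender domains from step two and the gateway "barriers" mentioned above can both be illustrated with a small triage script. The following is an added example written for this page, not code from the original article or from the course it advertises. It parses a constructed sample email (embedded below and labelled as such), compares the sender's domain against a hypothetical list of trusted domains (`TRUSTED_DOMAINS` is an assumption) using character-confusable normalisation and edit distance, and flags the other classic indicators the article describes: a Reply-To or Return-Path that points somewhere other than the visible sender, a macro-enabled or executable attachment, and urgency language in the subject. The heuristics are deliberately simple; a production gateway would combine them with SPF, DKIM and DMARC verification.

```python
"""Flag lookalike sender domains and other common phishing indicators in a raw email.

Added example for this article; the trusted-domain list and the sample message
are constructed assumptions, not data from the original page.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Iterable, List

# Hypothetical domains the company expects genuine mail from (assumption).
TRUSTED_DOMAINS = {"examplecorp.com", "bank-example.co.uk"}

# Attachment types that commonly carry the malware described in step four.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                    ".iso", ".docm", ".xlsm", ".pptm", ".zip")

# Social-engineering pressure words typical of step three.
URGENCY_WORDS = ("urgent", "immediately", "today", "overdue", "suspended")


def normalize(domain: str) -> str:
    """Map visually confusable substrings to their look-alike letters.

    Heuristic only: 'examp1ecorp.com' and 'exarnplecorp.com' both normalise
    to 'examplecorp.com'.
    """
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                      ("3", "e"), ("5", "s"), ("8", "b")):
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain: str, trusted: str) -> bool:
    """True when sender_domain imitates trusted without being identical to it."""
    s, t = sender_domain.lower(), trusted.lower()
    if s == t:
        return False
    if normalize(s) == normalize(t):          # homoglyph / digit substitution
        return True
    if levenshtein(s, t) <= 2:                # typosquat: one or two edits
        return True
    brand = t.split(".")[0]                   # 'examplecorp'
    return brand in s                         # examplecorp-secure.com, examplecorp.com.evil.net


def domain_of(header_value) -> str:
    """Extract the domain part of an address header, '' if absent or malformed."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes, trusted: Iterable[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return a list of human-readable findings for the raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    from_dom = domain_of(msg["From"])
    if from_dom and from_dom not in trusted:
        for t in trusted:
            if is_lookalike(from_dom, t):
                findings.append(f"lookalike sender domain {from_dom!r} imitates {t!r}")

    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom!r} differs from From domain {from_dom!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name!r}")

    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency language in subject: {', '.join(hits)}")
    return findings


def build_sample() -> bytes:
    """Constructed phishing-style message for demonstration (not a real email)."""
    m = EmailMessage()
    m["From"] = "Accounts Payable <invoices@examp1ecorp.com>"   # digit 1 for letter l
    m["To"] = "finance@examplecorp.com"
    m["Reply-To"] = "ap-desk@mail-drop.example"
    m["Return-Path"] = "<bounce@mail-drop.example>"
    m["Subject"] = "URGENT: overdue invoice, payment required today"
    m.set_content("Please open the attached invoice and process payment today.")
    m.add_attachment(b"PK\x03\x04not-a-real-document", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="invoice.docm")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in analyse(build_sample()):
        print("-", finding)
```

Running the script on the constructed sample reports the lookalike domain, the mismatched Reply-To and Return-Path, the macro-enabled attachment and the urgency wording. Each of these on its own is weak evidence; together they are exactly the pattern staff are asked to recognise and report.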

The Phishing Staff Awareness Course has been developed specifically to raise staff awareness of phishing attacks. Delivered online and packed with real-life examples, non-technical explanations of what phishing attacks are and best practices for recognising them, it gives you the information you need to safeguard your company's security.

Spot the bait with the Phishing Staff Awareness Course >>

Why not improve your awareness in other areas, such as information security, ISO27001, the PCI DSS and the DPA? Have a look at our portfolio of e-learning courses >>