Tackling phishing scams by cultivating awareness

Did you see the scam video of MoneySaving Expert Martin Lewis on social media recently? The deepfake footage showed ‘Martin’ sitting in his office and discussing an investment in something called ‘Quantum AI’ which was supposedly associated with Elon Musk.  

Although the video was quickly denounced as a computer-generated fake, it is a frightening example of the way that criminals are becoming increasingly sophisticated in the ways they target potential victims. Leisyen Cox, Associate Partner in our Risk & Assurance team looks at some of the most recent tactics being used to fraudulently part you from your money. 

Smishing, vishing, pharming, phishing.  You would be forgiven for thinking this is the title of a children’s nonsense book but the meaning behind these words is far more sinister. 

As technology continues to advance, so too do the tactics employed by malicious actors seeking to exploit the vulnerabilities of both individuals and organisations. These scams have evolved into an elaborate web of deception, tailored to deceive even the most cautious among us. 

Derived from the notion of ‘fishing’ for personal information, phishing has become an umbrella term encompassing several techniques that we will explore in this article. Each technique carries its own nuances, casting a wide net to extract sensitive information from individuals such as passwords, financial details, or personal data.  Whilst the names given to these scams may seem amusing, we should maintain an awareness of the concepts behind them to help ensure we do not inadvertently allow ourselves to be exploited.  

So, what do these terms mean and what can we do to protect ourselves against them? 

• Smishing: Short for ‘SMS phishing’, smishing is a type of fraud that uses mobile phone text messages to lure victims into visiting fraudulent websites, downloading malicious content onto their devices or calling back a premium rate number. Smishing messages often appear to come from a trusted source such as a bank or online service provider and may contain urgent requests for personal or financial information.  They may also come across as threatening, warning of negative consequences if the recipient does not take immediate action.
• Vishing: Vishing, also known as ‘voice phishing’ involves the use of telephone calls or voice messages pretending to be from legitimate businesses or authorities to trick individuals into revealing personal, financial, or security information. The scammer might use caller ID spoofing techniques to make the call appear to come from a trusted number. Like other types of phishing, vishing preys on people’s trust and fear to deceive them into giving up sensitive information. Examples we have seen of this happening recently are perpetrators claiming to be from HMRC and demanding  
• Pharming: Pharming is a cyber-attack intended to redirect a website’s traffic to a fake site. In this scam, cyber criminals install malicious code on a user’s computer or server, which automatically directs the user to a fraudulent website, even if the correct URL is entered. The objective is typically to collect personal data, login credentials, or credit card As the website often looks identical to the original, users may not realise the deception until it’s too late.
• Phishing: Phishing is a method of attempting to gather personal information using deceptive emails and websites. It involves a cyber criminal sending out emails that appear to be from reputable sources, with the aim of convincing individuals into revealing sensitive data such as usernames, passwords, or credit card details. These emails often encourage the recipient to visit a fraudulent website, where they’re prompted to input their personal data or to click on a link that installs malware on their computer.
• Spear Phishing: Spear phishing is a more targeted version of phishing, which is tailored to and directed at specific individuals or companies. Spear phishers will often spend time researching their targets to create highly personalised and convincing messages. The goal remains the same: to trick the recipient into revealing sensitive information, or to install malware on the target’s network. Due to their targeted nature, spear phishing attacks are often more difficult to detect and therefore potentially more dangerous. Examples of this type of attack can include members of an organisation’s finance team being asked to send money on behalf of the owner of the business, and that it needed to be done quickly, without following up with a telephone call.  
• Whaling: Whaling is a type of phishing attack that specifically targets high-profile employees, such as CEOs or CFOs, to steal sensitive information from a company. These attacks are typically well-crafted and personalised to the target, making them harder to detect.
• Clone Phishing: Clone phishing involves creating an almost identical replica of a legitimate message to trick the recipient into thinking it’s the real thing. This could involve replacing the legitimate attachments or links with malicious ones.

 How can you avoid the cyber criminals?

The best way we can avoid falling foul of these scams is to ensure we are aware of the risks,  educate ourselves on what signs to look out for and to be vigilant in both our personal and professional lives.

Some top tips are: 

• Do not open attachments or click on links within emails from sources that you do not recognise.
• Similarly, even if you do recognise the source, be wary.  If you are not expecting to receive an email from them, do not open attachments or click on links.
• If you receive an email, inspect it carefully and look at the following:
• Hovering over any links in the email to see if the link is pointing to the location stated.
• Communications from official organisations generally will not request personal information, such as passwords or bank details, via email. If this kind of information is being requested, it may be a scam.
• The sender’s email address may be slightly different to the email address format of the organisation, such as a letter being changed or a number being added.
• Consider the wording of the email and whether it contains spelling and/or grammatical errors.  Emails from official organisations will rarely contain such mistakes.
• Compare the sender’s email address to the name in the signature.  If they do not match, it may be a scam.
• Check that the email is addressed to you.  Legitimate organisations will generally tailor emails to the recipient so your name will be If the email simply states ‘Hello’ or ‘Dear customer’, it may be a scam. 
• If you receive a text message requesting you to call a number or click on a link, look at the sender. If it is an unrecognised number, or from a source you are not expecting to hear from, it may be a scam.
• Never give out your password via any medium.  Official organisations such as banks and government agencies, will never ask you to give out your password, either via text message, email or phone call.

 In conclusion, staying informed and vigilant is crucial to combating the evolving threat of phishing scams. By understanding the different tactics used by cybercriminals and being cautious of suspicious emails, texts, and calls asking for sensitive information, we can protect our data. 

An internal audit process takes a close look at everything that helps your business to function – both financially and organisationally. They will look at your processes, risks, controls, safeguards and asset management to ensure you’re operating to your full potential, which may also uncover cyber risks that your business may be exposed to, and training that may be needed to ensure you and your staff are aware of these threats.

Get in touch at hello@scruttonbland.co.uk or phone 0330 058 6559 to find out more about how an internal audit can help your organisation operate safely and effectively.