Phishing: how it works and how to prevent it

Author: Sonia Older  |   Date published: April 20, 2021, UK  |   Read est: 5 min read

You have to admire some of the scammers out there for their inventiveness and audacity to trick people. Admire is probably a little bit of a strong word. More like impressed as in how impressed I am that cockroaches have been around for over 300 million years and can survive for a week without a head.

But rest assured that scammers are only after money. Any way that they can trick you into parting with your hard-earned cash, or into giving them information that will lead to your hard-earned cash, is all they are after. There are a lot of spam emails doing the rounds, ranging from offers of software to install on your computer to protect you from the coronavirus, to fake emails from Tesco offering a chance to shop for free this COVID-19 season.

Phishing emails

We sit in our ivory castles and wonder how people fall for these phishing emails. But the numbers favour the scammers. Depending on where you look, the estimates are that 14.5 billion spam emails are sent every day. The majority of those are advertising emails, and only about 2 per cent of all spam emails are fraudulent or scamming emails. That still means 290 million potentially dodgy emails are sent every day.

And now for the biggie. Of those 290 million emails, 75 per cent are phishing emails: emails that are trying to steal your email address and/or password. That means every single day 211,700,000 phishing emails are distributed. Therefore, phishing emails work. Out of 211 million emails in a day, someone somewhere will be distracted, or will be expecting an email from Tesco, and fall for the phishing attack.

Chummies look to exploit human nature to trick us into giving them the information they want. There are seven areas that they look to exploit, and when two or three of these areas are combined, the likelihood of a phishing campaign working is greatly increased.

These areas are: money, greed, curiosity, urgency, self-interest, fear and helpfulness.

Also, any email offering free pizza to an IT person is guaranteed to work. I am sure we have all received an email saying that we are entitled to a refund from someone, but only if we click on the link within the next 48 hours. This email combines money and urgency. The latter is a common theme in phishing emails. We should all be suspicious of any email that has a sense of urgency or threatens us with dire consequences if we do not act upon the content of the email.


The power of Microsoft Office 365

But what else can you do to stop yourself becoming paranoid about every email you receive? If you are using Office 365, there are enhancements that can be made to strengthen it. There are rules to block auto-forwarding of emails, to block key words (nearly 50 per cent of spam emails will contain the word ‘free’), or to block emails from countries you know will never be emailing you. Obviously, you cannot block every email containing the word ‘free’, but you can block emails with the words “Hacker, bitcoins, porn, beetroot” and so on.

O365 can be made stronger and, in most cases, it is enough. However, bear with me here: imagine you own a cricket team and you have the best allrounder available. Now, your allrounder will score you runs; they can bowl and get you wickets and they can field. That is what an allrounder does in a cricket team. They can do all the jobs you need from a cricket player. But at times is that enough?

At times you need an opening batsman who will knock the ball all over the field, score loads and loads of runs, but bowl worse than a three-legged donkey. Or you need a bowler who can bowl a ball at the speed of light, make it swing in or out and claim wickets in the hundreds. But put a bat in their hands and the odds are the bat will travel further than any ball they may hit. The same applies to email security.

O365 is an all-rounder. But there comes a time when you need a specific email security tool. This is your super-duper bowler, your opening batsman or the fielder that can catch any ball that is in the air.

Block it to stop it!

Products like Mimecast offer that expertise. Their sole purpose is to block bad emails. These products will block over 90 per cent of the emails that an ‘out of the box’ O365 set-up would let through. They are so good at what they do that they continue to test emails from people you may have added to your safe sender list. For example, I may tell Mimecast that Fred.flo@plasma.co.uk is a friend and is to be trusted. Their name is on the exclusive access list, but their email account could be compromised.

Mimecast will still scan all their emails and if it finds something it does not like, it will block it. Companies need this extra help when it comes to email security because companies are no longer the targets: people are.

Scammers are targeting people specifically via spear phishing emails. We are the targets, so as companies spend their hard-earned cash bolstering their defences, where are the weakest links? Companies install smart firewalls, create whitelists and blacklists, create great ACLs, spend a fortune on network monitoring tools and SIEM products, and then get exploited because Steve in engineering clicked on a link in an email.

Staff phishing awareness training

Staff phishing awareness training is paramount. Staff should know what the seven areas of a phishing email look like, know to hover over links before clicking them, and ask questions such as:

  • Who sent the email as it is not someone I ordinarily communicate with?
  • Who are all these other people CC’ed into the email?
  • They have spelt focusgroup.co.uk as focusgruop.co.uk
  • Blimey, Sue was working late. She sent that email at 03:15 this morning.
  • This sender is asking me to click on a link to avoid a negative consequence or to gain something of value within a short period of time.

These are questions that we should all be asking when we open any email. But how good are your staff at spotting phishing emails? How do you know where the weak areas are in your education of your staff? Even the ICO website now states that phishing tests should be carried out internally.
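The checklist above can also be turned into a first-pass triage check that a helpdesk or mail filter could run before a human looks at a suspicious message. The script below is an added example, not code from the original post or from any product it mentions; the trusted domains, address book and sample message are constructed for illustration.

```python
# Added example: score an e-mail against the phishing checklist above.
# TRUSTED_DOMAINS, KNOWN_CONTACTS and SAMPLE are constructed, not real data.
from datetime import datetime

TRUSTED_DOMAINS = {"focusgroup.co.uk", "tesco.com"}      # assumed known-good domains
KNOWN_CONTACTS = {"sue@focusgroup.co.uk"}                # assumed address book
URGENCY_WORDS = ("within 48 hours", "immediately", "suspended", "act now", "click")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; spots look-alike domains such as focusgruop.co.uk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(sender: str, cc: list, sent_at: datetime, body: str) -> list:
    """Return the checklist items the e-mail trips; an empty list means nothing odd."""
    findings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if sender.lower() not in KNOWN_CONTACTS:              # not someone I usually talk to
        findings.append("unknown sender")
    if domain not in TRUSTED_DOMAINS:                      # focusgroup vs focusgruop
        close = [d for d in TRUSTED_DOMAINS if 0 < edit_distance(domain, d) <= 2]
        if close:
            findings.append(f"look-alike domain {domain} (resembles {close[0]})")
    unknown_cc = [a for a in cc if a.lower() not in KNOWN_CONTACTS]
    if len(unknown_cc) >= 3:                               # who are all these people?
        findings.append(f"{len(unknown_cc)} unfamiliar addresses in CC")
    if sent_at.hour < 6 or sent_at.hour >= 22:             # Sue working at 03:15?
        findings.append(f"sent out of hours at {sent_at:%H:%M}")
    lowered = body.lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if "http" in lowered and hits:                         # link plus urgency
        findings.append("link plus urgency wording: " + ", ".join(hits))
    return findings

# Constructed sample message combining several of the checklist items.
SAMPLE = dict(
    sender="sue@focusgruop.co.uk",
    cc=["a@example.net", "b@example.net", "c@example.net"],
    sent_at=datetime(2021, 4, 20, 3, 15),
    body="Your refund is waiting. Click http://example.invalid/refund within 48 hours.",
)

if __name__ == "__main__":
    for finding in triage(**SAMPLE):
        print("-", finding)
```

A message tripping two or three of these items at once is exactly the combination the seven-areas point above warns about, and is a good candidate for a phishing-report button rather than a click.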

You may start with over half of your staff failing, but with a regular phishing schedule from, say, InfoSecurity Cloud, you can reduce this to around 1 per cent of failures. Phishing tests are becoming as mandatory as firewalls these days. I run quarterly phishing tests and when I started, we had around about a 25 per cent failure rate. However, the last test in January this year was less than 1 per cent. They keep staff on their toes.


Sonia Older
Brand & Campaign Manager

Sonia Older is the Campaign Manager at Focus Group and a highly experienced copywriter. She boasts over 20 years of experience in content marketing and PR across multiple industries, and is the key driver of content and PR for Focus Group across all UK offices. Away from work, Sonia usually swaps keyboard strokes for ski slopes in the Alps with her family.
