
What is phishing? Seven tips to avoid phishing attacks


10 July 2023

Written by
Monika Ravey

Fraud Manager

The goal of phishing attacks is to get you to provide sensitive information accidentally, give access to a network, or download malware.

Early phishing attacks were quite basic and used an email with an embedded link for the unsuspecting individual to click on. However, phishing attacks today can be far more sophisticated – they may even include HTTPS websites. HTTPS can prevent data theft and man-in-the-middle attacks, but it can also allow malicious traffic to be hidden behind encryption. Since the secure gateway cannot inspect the encrypted data, it lets everything through – including malicious code. FBI reporting of HTTPS attacks dates back to 2019.

An example of a modern-day, sophisticated phishing attack is the use of typo-squatted domain names. While this sounds very technical, it’s actually quite simple. The criminals set up a website pretending to be Adobe, but their web address uses the Latin character “ḅ” instead of the normal “b”, so you get “adoḅe.com” – note the dot under the b.

From there, the attacker can make “adoḅe.com” an HTTPS site and create numerous other sub-sites. A site such as “get.adoḅe.com” could be created and emailed out to target accounts as a link. And of course, hyperlinks are underlined, which masks the false character, meaning the link looks 100% legitimate. As per the example below, the dot below the “b” cannot be seen because the hyperlink underline has covered it over:
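A mail filter or security team can catch this kind of lookalike link mechanically, because the hostname contains a character outside plain ASCII. The Python check below is an added example, not part of the original article; the `PROTECTED` list, the function names and the sample URLs are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: domains the organisation wants to protect (constructed list).
PROTECTED = {"adobe.com", "example.com"}

def skeleton(host: str) -> str:
    """Decompose characters and drop combining marks, so U+1E05 (b with dot below) becomes 'b'."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def to_punycode(host: str) -> str:
    """ASCII form of the host as it appears in DNS and certificates ('xn--' labels)."""
    labels = []
    for label in host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)

def check_url(url: str) -> dict:
    """Classify a link as 'ok', 'non-ascii' or 'lookalike' of a protected domain."""
    host = urlsplit(url).hostname or ""
    result = {"host": host, "punycode": to_punycode(host), "verdict": "ok", "imitates": None}
    if host.isascii():
        return result
    result["verdict"] = "non-ascii"
    skel = skeleton(host)
    for domain in PROTECTED:
        if skel == domain or skel.endswith("." + domain):
            result["verdict"] = "lookalike"
            result["imitates"] = domain
    return result

# Constructed sample links; \u1e05 is the dotted "b" from the article's example.
SAMPLES = [
    "https://get.adobe.com/reader/",
    "https://ado\u1e05e.com/",
    "https://get.ado\u1e05e.com/reader/",
    "https://b\u00fccher.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = check_url(url)
        print(f"{r['verdict']:<10} {r['punycode']:<28} imitates={r['imitates']}")
```

Lookalike characters borrowed from other alphabets, such as Cyrillic, do not decompose to Latin letters, so this check reports them only as `non-ascii`; the `xn--` form it prints is what a reviewer should compare against the genuine domain.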

This is just one example, and there are many ways phishing attacks can happen. However, there are practical steps to combat phishing attacks and mitigate the risk:

  1. Train your employees on how they can identify malicious emails, and know what to do with them. Run simulated phishing campaigns and anti-phishing penetration tests.
  2. Ensure employees use strong, unique passwords for their work accounts, and communicate that passwords for company accounts should be different from their personal email accounts.
  3. Use Multi-Factor Authentication (MFA) to reduce the risk of unauthorised account takeovers.
  4. Educate staff about the risks of social engineering. Encourage them not to post work-related information on public social media platforms that could be used to identify their employer, their position and responsibilities etc., and so be used for a targeted phishing attack.
  5. Install a secure email gateway with anti-spam, anti-malware, and policy-based filtering. This could also include SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting & Conformance), and DKIM (DomainKeys Identified Mail), as well as anomaly detection for inbound and outbound emails.
  6. If you have any doubts about an email or have suspicions about the links, report it to your Security Team immediately. They can check the email, and get any suspicious links or sites opened in a sandbox environment. They will then tell you if the email is genuine.
  7. Review mitigation measures and ensure system updates take place periodically.

Phishing can be conducted via email, text message, social media, or by phone. With phishing attacks becoming increasingly sophisticated and challenging to detect, it is crucial to stay vigilant and informed to prevent them. The Ebury team is here to help our customers embrace best practices to protect their sensitive information.

📩 If you need any advice on any fraud-related issues, contact us at [email protected].
