Cyber insurance for phishing attacks


Protect your business with cyber insurance for phishing and other scams

Cyber insurance cover helps your business recover if it experiences a cyber attack through the internet or email, from phishing scams to other types of harmful data breaches.

We’ll help you find cyber insurance coverage that suits your needs, whether you require broad coverage or specialised phishing protection. 


What is phishing?

Phishing is a type of email scam in which someone sends you an email or text message while pretending to be a legitimate company or government agency, with the intention of obtaining sensitive information, installing malware, or compromising your network. According to Netsafe NZ, phishing is one of the most common online scams.

The aim of a phishing attack is to trick individuals into disclosing bank information, sensitive data, or other personal details, such as passwords or credit card numbers. You may be asked to click on a phishing link to log into your bank account, allowing the attacker to gain access to your confidential information, which can result in financial loss.

While these messages appear to be personal to you, they are typically sent to thousands of people simultaneously.

Simple steps to deal with phishing scams in the workplace

Implement employee training to help recognise phishing emails by covering the following points:

  • Is the email from someone you know, or have you received an email from before?
  • Is it something you were expecting?
  • Does it look strange (e.g. unusual spelling or other errors in the email address or domain name)?
  • Has it passed the anti-virus test?

If you suspect an email may be fraudulent, forward it to your IT team or manager for review.

Do not respond to it.

Signs that it may be a phishing email include:

  • Emails signed with a generic signature block, such as “Customer Service” rather than an individual’s name, title and other details.
  • The email address or domain name does not match the “from” name; for example, the email purports to be from “John Smith” or “The Smith Company,” but the email address bears no relationship, such as phishingagogo@theftonline.com.
  • Emails purporting to be from a business or a government agency but sent from generic mail services such as Gmail or with an unrelated email address
  • Emails from organisations with which you have had no prior relationship
  • Emails conveying a sense of urgency – attackers often use the ‘urgency strategy’ to put pressure on the receiver to take action immediately
  • Emails with offers that are “too good to be true”
  • Emails asking for information, e.g. passwords or logins.

Think before you click

Employees should not open suspicious links in emails, tweets, social media posts, online ads, messages or attachments, even if they think they know the source.

Before clicking any links, users should hover their mouse over the link to verify that it will lead to the correct destination. Hovering should display the website address that sits behind the link.

Some links may appear genuine but lead to a different, possibly fake or scam, destination, or result in the downloading of a virus or malware onto the computer and into the workplace network.
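For IT teams reviewing forwarded messages, several of the signs listed above and the hover check can be automated. The following Python sketch is an added example, not part of the original page: the keyword lists, the free-mail list and the sample message are constructed assumptions, and it only handles single-part messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed sample list
BODY_SIGNS = {  # assumed keyword lists, tune them for your own mail
    "urgency": re.compile(r"\b(urgent|immediately|within 24 hours)\b", re.I),
    "asks-for-credentials": re.compile(r"\b(password|login)\b", re.I),
}

class Links(HTMLParser):  # collects [href, visible text] for every <a> element
    def __init__(self):
        super().__init__()
        self.found, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.found[-1][1] += data.strip()
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_signs(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body, signs = msg.get_payload(), []  # assumes a single-part message
    words = [w for w in re.findall(r"[a-z]{4,}", name.lower()) if w != "company"]
    if words and not any(w in addr.lower() for w in words):
        signs.append("from-name-mismatch")  # "from" name unrelated to the address
    if addr.rpartition("@")[2].lower() in FREE_MAIL:
        signs.append("generic-mail-service")
    signs += [k for k, rx in BODY_SIGNS.items() if rx.search(body)]
    links = Links()
    links.feed(body)  # what hovering shows (href) versus what the text claims
    if any("." in t and " " not in t and host(t) != host(h) for h, t in links.found):
        signs.append("link-text-mismatch")
    return signs

# Constructed sample, using the example sender from the list of signs above.
SAMPLE = ('From: The Smith Company <phishingagogo@theftonline.com>\n\n'
          'Urgent: confirm your password at '
          '<a href="http://login.example.net/x">www.smithcompany.example</a>\n')
```

A message that triggers none of these checks is not thereby genuine; the result is a triage aid for the reviewer, and the verification steps on this page still apply.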

Beware of attachments

Banks will never send an email with a link or an attachment to their Internet banking site. You should always manually type a bank’s website address into the address bar rather than following a link.

Verify the email

If you are unsure whether you have received a phishing email or a genuine communication from a legitimate company or government department, try calling the organisation that appears to have sent the email. Get the contact details from a previous account statement or invoice, or look it up online. Do not use any of the details or links provided in the suspicious email until you have verified that the email is genuine.

Whaling

Whaling is a kind of phishing where hackers target the “big phish” – specifically, managers and senior executives. These high-profile targets typically have access to more information, and consequently, the potential financial loss or data breach may be bigger.

Whaling can be used to fast-track executive sign-off on a payment.

How to identify and navigate whaling email scams:

  • If, for example, an employee receives an email claiming to be from a manager asking for a payment to be made or to send personal information, they should not complete the request until it is confirmed as a genuine request.
  • Never bypass standard payment approval processes within your organisation in response to an unexpected email or phone call.
  • Employees should also be careful about how much information they provide over the phone to contacts they have not dealt with before. This information could be used to carry out phishing or whaling scams.

We help businesses find the cyber insurance they need

Cyber attacks can happen to any business, regardless of its size, industry or number of employees. Our cyber insurance brokers help companies identify, assess and protect against cyber risks.

We provide cyber insurance advice and can arrange the most suitable cyber coverage in the event of losses.
