When was the last time you saw an email from a Nigerian prince, asking you for help in getting access to his fortune? All he needs is your bank account details and/or a small payment from you to cover the costs (taxes, perhaps), and he’ll transfer a share of his fortune to your bank account…
It was probably a while ago.
The storylines used by the scammers have moved on from Nigerian fortunes, or unexpected inheritances from people you’ve never heard of, and are becoming increasingly sophisticated.
While once the hallmark of a scam email was bad spelling and grammar (arguably deliberate, to filter out the sharper readers who would see through the scam before the fraudster wasted time on them), you can now expect phishing emails to look and feel like genuine emails from your own bank, from one of your customers or from a colleague, complete with the right logos, signatures and tone.
So, it’s important that your phishing awareness training is up to date, and references scams that your audience are likely to see in their inbox today or tomorrow.
It’s likely that such phishing emails will cover socially relevant topics, such as:
- Ukraine – would you like to make a donation? Click here.
- WhatsApp – you’ve received a voicemail. Click here to listen.
- Cost of living crisis – your local council is offering payments to help people through the current crisis. Enter your details to see if you qualify.
- Easter eggs – want to win some Easter chocolate? Click here to win.
- Coffee shops / retail outlets – you’ve earned a reward for your loyalty! Click for the voucher.
- Delivery service – we need to reschedule your delivery, please log in.
- Online account – a device we don’t recognise logged in. Was this you? Click to verify.
Each of these reads like a current news item, a forthcoming event or routine account housekeeping. Except that none of them is: every one is a pretext to get you to click a link or hand over your details.
If you’re at work, a phishing email could pretend to come from your IT department, from your boss, from a supplier or … well, from almost anyone.
- ‘local council’: you may be due a rebate. Click to calculate rebate.
- ‘the boss’: please send this payment urgently.
- ‘a supplier’: please pay this invoice on receipt.
- ‘IT support’: your email box is full. Please click here to delete some emails.
- ‘a client’: I’ve shared this file with you. Click to download.
- ‘HR’: congratulations! You’ve earned a bonus. Click to accept it.
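The common thread in every pretext above, whether the "bank", the "delivery service" or the "boss", is a link to click or details to hand over, sent from an address dressed up to look like the real thing. As an added illustration (not code from the original post or from the Click and Protect team), here is a small Python check of the kind a practitioner can run over a suspicious message: it compares the display name and sending domain against an allowlist of brands the organisation expects mail from, flags a Reply-To that diverts replies to a different domain, reads the receiving mail server's Authentication-Results header for SPF/DKIM/DMARC failures, and reports links whose visible text names one site while the href actually goes to another. The brand table, the two sample messages and the shortcut used to work out the registrable domain are assumptions constructed for this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the organisation expects mail from and the domains they really send from.
# Assumption for this example: build your own table from genuine senders.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.com"},
    "parcelco": {"parcelco.co.uk"},
}

# Visible link text that looks like a URL or hostname, e.g. "https://www.examplebank.com/..."
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]|$)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Approximate the registrable domain: the last two labels, or three under a
    country second-level suffix such as co.uk. A public-suffix list is more accurate;
    this shortcut is an assumption of the example."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "ac", "gov", "org", "com"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike(domain):
    """Return the brand a domain imitates: it contains the brand name but is not
    one of that brand's genuine domains (e.g. examplebank-secure.com)."""
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in domain and domain not in genuine:
            return brand
    return None


def analyse(raw):
    """Run the checks over one RFC 5322 message and return a list of
    (code, detail) findings; an empty list means nothing looked suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    from_domain = registered_domain(sender.domain)

    # 1. Display name claims a brand that the sending domain does not belong to.
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in sender.display_name.lower() and from_domain not in genuine:
            findings.append(("brand-display-name", f"{sender.display_name!r} sent from {sender.domain}"))

    # 2. The sending domain itself is a brand lookalike.
    if lookalike(from_domain):
        findings.append(("lookalike-sender", from_domain))

    # 3. Replies are quietly diverted to a different domain.
    if msg["Reply-To"]:
        reply_domain = registered_domain(msg["Reply-To"].addresses[0].domain)
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", f"{from_domain} -> {reply_domain}"))

    # 4. The receiving server recorded an SPF, DKIM or DMARC failure.
    auth = str(msg["Authentication-Results"] or "").lower()
    for method in ("spf", "dkim", "dmarc"):
        if f"{method}=fail" in auth or f"{method}=softfail" in auth:
            findings.append(("auth-fail", method))

    # 5. Links whose visible text names one site but whose href goes to another,
    #    and hrefs that point at brand lookalike domains.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = registered_domain(urlparse(href).hostname or "")
            shown = HOSTLIKE.match(text)
            if shown and registered_domain(shown.group(1)) != target:
                findings.append(("link-mismatch", f"shows {shown.group(1)}, goes to {target}"))
            if lookalike(target):
                findings.append(("lookalike-link", target))
    return findings


# Constructed sample: the "a device we don't recognise logged in" lure from the list above.
SUSPECT_EMAIL = "\n".join([
    'From: "ExampleBank Security" <alerts@examplebank-secure.com>',
    "Reply-To: recovery@mail-verify.net",
    "To: staff@company.example",
    "Subject: A device we don't recognise logged in",
    "Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=examplebank-secure.com; dkim=none",
    'Content-Type: text/html; charset="utf-8"',
    "",
    '<p>Was this you? <a href="http://examplebank.verify-login.net/x">https://www.examplebank.com/security</a></p>',
])

# Constructed sample: what the genuine equivalent looks like.
GENUINE_EMAIL = "\n".join([
    'From: "ExampleBank" <alerts@examplebank.com>',
    "To: staff@company.example",
    "Subject: Your statement is ready",
    "Authentication-Results: mx.company.example; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com",
    'Content-Type: text/html; charset="utf-8"',
    "",
    '<p>Your statement is ready: <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>',
])

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(name, analyse(raw))
```

Run as a script it prints five findings for the suspect message (display name impersonation, lookalike sending domain, diverted Reply-To, SPF failure and a link that shows examplebank.com but goes to verify-login.net) and none for the genuine one. None of these checks is proof on its own: a legitimate mailing service can trigger the Reply-To rule, and a fraudster who registers a fresh domain with valid SPF and DKIM will pass check 4. The point for awareness training is that the same handful of questions (who really sent this, where do replies go, where does the link really point) catches most of the lures listed above, and they are questions staff can ask without any tooling by hovering over the link and reading the sender address.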
Does your current phishing awareness training cover this kind of up-to-date phishing attack? If not—or if you don’t have phishing training in place at the moment—you could send out a regular email updating your staff on the latest scams.
Or, even better, offer a small prize to the employee who spots the most convincing (or most entertaining) phishing email of the month.
If you’d like some help with security awareness training, contact the Click and Protect team on 0113 733 6230.
For more tips and information about information security, sign up to our newsletter here.