
4 tips to keep safe when phishing for treats this Halloween

31 Oct 2018

Article by Barracuda MSP EMEA director Jason Howells

Trick or treat. Those words are spoken by millions of children around the world every Halloween, though we always expect the sugary treat and not the scary alternative.

Unfortunately, tricks are all too real. Have you ever knocked on a door waiting for a handful of sweets only to be scared stiff by someone who looks like they’ve just finished playing an extra in a Tarantino film? Maybe you’ve been made to put your hands in pumpkin mush at a Halloween party? What about the one where a stranger gains access to all your business, financial and personal data in the blink of an eye? No?

You have clearly never been victim to a phishing attack - yet. A phishing attack, or scam, is the result of a criminal disguising themselves, albeit via an email or website instead of a skeleton costume, and pretending to be someone or something they’re not. The aim is to trick you, the recipient, into divulging sensitive information that could see you or your business out of pocket.

On paper these may sound like the types of scams you’d spot a mile off, but every day more and more people like yourself are failing to identify increasingly elaborate phishing scams. Since last Halloween alone, phishing attempts have grown by a frightening 65%, with 76% of businesses reporting that they have been victims of phishing attacks. With 1.5 million new websites used for phishing being created each month, it’s clear that this is just the beginning. These attacks are only going to get smarter.

So smart, in fact, that they infiltrated the world’s biggest social media platform. Just last month, Facebook reported a breach in which criminals stole information on over 50 million user profiles, including users’ religious beliefs, their state and place of work, family and social relationships and lots of other information these unknowing victims chose to share. Perfect ammunition for an extremely tailored phishing attack, if you ask me.

Scary stuff, right? Nobody likes being tricked, least of all in lieu of putting your feet up and falling into a sugar-induced coma. That’s why we’re deadly serious about keeping you safe this Halloween, sharing our top four tips to protect your business and help you identify a phishing scam from a mile away.

Creep it real

The first port of call when deciding whether what you’re looking at is real or not is right under your nose. Always check and study a URL before clicking through, especially if it has found its way to you rather than you searching for it. Fake links loosely imitate other websites, often by adding unnecessary words and domains. A telling sign is a URL that doesn’t quite fit the hyperlink you’re used to from that source, contains extra words in the domain, or ends with a string of random characters. For boo-nus (sorry) points, always make sure to hover over and inspect any hyperlinked text before clicking through.
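The same checks can be run over an HTML email body before anyone clicks. This is an added example, not part of the original article; `KNOWN_DOMAINS`, the function names and the sample message are constructed assumptions, and the domains use reserved test names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the recipient really deals with (constructed, reserved names).
KNOWN_DOMAINS = {"bank.example"}

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host.lower().removeprefix("www.")

def inspect_link(href, text):
    findings, host = [], host_of(href)
    # What hovering reveals: the text shows one site, the link goes to another.
    shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
    if shown and host_of(shown.group()) != host:
        findings.append("text-mismatch")
    # Extra words in the domain: a known name appears, but the host is not under it.
    for d in KNOWN_DOMAINS:
        if d.split(".")[0] in host and host != d and not host.endswith("." + d):
            findings.append("lookalike-domain")
    # Ends with a string of random characters (a weak signal on its own).
    tail = urlsplit(href).path.rstrip("/").rsplit("/", 1)[-1]
    if re.fullmatch(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{16,}", tail):
        findings.append("random-suffix")
    return findings

def scan_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return [(href, inspect_link(href, text)) for href, text in parser.links]

# Constructed sample message body.
SAMPLE = ('<p>Confirm at <a href="http://bank.example.account-verify.test/login/x9f3kQ7zL2mV8pR4tY6w">'
          'www.bank.example</a> or see <a href="https://www.bank.example/help">help pages</a>.</p>')
```

Calling `scan_email(SAMPLE)` flags the first link on all three signs and leaves the genuine help link clean; legitimate URLs can also carry long tokens, so treat `random-suffix` as supporting evidence only.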

Don’t believe your eyes?

This one’s easy. Suddenly get told you’ve won the lottery, you’ve received a free holiday to the Maldives, or that there’s £3 million with your name on it if you could just send some cash over to a rich king in a foreign land? Call me pessimistic, but if something sounds too good to be true then it usually is. Especially if it’s coming from an unidentified source. If your luck suddenly changes, you might want to inspect the email a little further before packing your suitcase and handing in your notice.

Exorcise vigilance

Have a hunch you're being spooked? If you think the person you’re speaking to isn’t who they say they are, take it up with ‘them’ via another channel. The beauty of the 21st century is the plethora of ways we can communicate, be it via the phone, web, email, text, or social media. That’ll soon sniff out the imposters.

Over-sharing

Does the email or URL ask you to convey sensitive or personal information? It’s a rule of thumb that banks will never ask for personal information over email, instead directing you to your app or online banking portal. No matter how convincing an email may seem, never share sensitive information, especially if you didn’t instigate the conversation in question. 
