When it comes to cyber security, there are a lot of different terms to get your head around. You’re constantly being told to be on the lookout for this new phishing scam, or update this programme to prevent email hacking, and after a while, it can get a bit confusing. To make matters worse, a lot of people use these three words, ‘phishing’, ‘spoofing’ and ‘email hacking’ interchangeably, even though they aren’t the same thing, and you can’t protect against them all in the same way. As a business owner, it’s important that you know the difference, and what’s at stake if you or an employee falls victim to one of these scams.
Phishing is where scammers will send you emails that try to get sensitive information out of you. Usually, they will try to mimic a genuine site, company, governing body or even an employee, to make you think that they are the real deal and that it’s safe to hand over your information. A lot of these emails will tell you that you need to reconfirm, re-enter or input your bank details (or something similar), in order to get a refund, pay postage on something you ordered (but never anything specific) or to unlock your account. In the past we have seen scams for tax refunds claiming to be from HMRC, failed payments on Amazon orders that need you to input your card details (particularly popular around Christmas) and ‘overlooked’ invoices with threats of legal action if not paid immediately.
Some of these emails can be really convincing, so it’s important that you stay on alert. Remember that no genuine company or authority will ask you to put in bank information through an email. If you’re not sure, hover your mouse over the link in the email (but don’t click it). If the link takes you anywhere other than to the genuine site for that company, it’s most likely a phishing email. Other tell-tale signs include unfamiliar and unofficial looking sender email addresses, spelling and grammatical mistakes and lots of links directing you to take action. And if you’re ever in any doubt, go to the website of the genuine company and report it.
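The "hover over the link" check above can be automated for incoming mail. The script below is an added example (it is not ACT Systems' code) that scans a constructed HTML email body for links whose visible text names one website while the actual destination points somewhere else, and checks whether a sender address really belongs to the company it claims to be from. The sample body, the `account-verify.example.net` destination and the `sender_domain_matches` helper are all constructed for illustration; only Python's standard library is used.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a phishing email (not a real message).
# The first link advertises the genuine Amazon site but points elsewhere.
SAMPLE_HTML = """
<p>Your payment could not be processed. Please <a href="http://account-verify.example.net/login">
update your card details at www.amazon.co.uk</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.amazon.co.uk/help">www.amazon.co.uk/help</a>.</p>
"""

# Matches things that look like domain names inside the visible link text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so folded lines compare cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _host_matches(host, claimed):
    """True if the destination host belongs to the domain named in the link text."""
    return host == claimed or host.endswith("." + claimed) or claimed.endswith("." + host)


def link_mismatches(html):
    """Return (href, text) for links whose text names a domain the destination is not part of.

    This is the automated form of hovering over a link: the visible text says
    one site, the real destination is another.
    """
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        for claimed in DOMAIN_RE.findall(text):
            if not _host_matches(host, claimed.lower()):
                flagged.append((href, text))
                break
    return flagged


def sender_domain_matches(from_header, expected_domain):
    """True only if the address in a From header belongs to expected_domain (or a subdomain)."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    expected = expected_domain.lower()
    return domain == expected or domain.endswith("." + expected)


if __name__ == "__main__":
    for href, text in link_mismatches(SAMPLE_HTML):
        print(f"Suspicious link: text says '{text}' but destination is {href}")
    print("Sender genuine:", sender_domain_matches("Amazon <orders@amazon-billing.example.net>", "amazon.co.uk"))
```

Run as a script it reports the first link (text names `www.amazon.co.uk`, destination is `account-verify.example.net`) and leaves the second alone because its destination really is on the named site. The domain comparison is deliberately simple and only catches the mismatch the text itself reveals; a link whose visible text is just "click here" gives it nothing to compare, so that case still needs the manual hover.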
Spoofing is when someone makes an email appear as if it was sent from somewhere it wasn’t – like your own email address. Spoofing is often used to trick someone into downloading a virus or revealing confidential information by making them think the email came from a trusted source. Some hackers who are engaging in blackmail scams may also try to use this as proof that they have stolen what they claim to have stolen – after all, if they hadn’t hacked in, would they be able to send you an email from your own email address? Well, yes. Spoofing doesn’t require access to your email account at all. The scammers just need to run a really simple bit of software that makes your email address show up in the sender field. So if your email address has been spoofed, your account is still safe. But for businesses, it can be a lot worse.
Say, for example, you’re in charge of payroll for the business. A scammer could spoof an employee’s email address, and then email you asking for a copy of a financial document – like their payslip or P45. If you thought the email was from an employee, you might go ahead and send that document, giving the scammer all the information they need to commit identity theft. Spoofing is a particularly dangerous issue in this scenario and is more common than you think. If you believe an email request is a bit odd, make sure you contact the person it came from (ideally not over email) to confirm whether it was genuine. No one will be upset at you doing this, but they might get upset if you reveal their information!
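Because the sender field is just a header the sending software fills in, the way to catch the payroll scenario above is to look at the headers the scammer does not control as easily. The script below is an added example (not ACT Systems' code) that parses a constructed raw message imitating the P45 request and lists the reasons the From address should not be taken at face value: the bounce address (Return-Path) belongs to a different domain, replies are redirected to a look-alike domain (Reply-To), and the server that handed the message in is not the company's own. All addresses, hostnames and the `192.0.2.10` IP are made up for the example; the checks are heuristics, and the Received header is only trustworthy where it was added by your own mail server.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message imitating a spoofed internal request (not a real email).
SPOOFED_MESSAGE = """Return-Path: <bounce-1234@bulk-sender.example.net>
Received: from bulk-sender.example.net (bulk-sender.example.net [192.0.2.10])
    by mail.yourbusiness.example with ESMTP; Mon, 1 Jan 2024 09:00:00 +0000
From: Alice Smith <alice.smith@yourbusiness.example>
Reply-To: Alice Smith <alice.smith@yourbusiness-hr.example.net>
To: payroll@yourbusiness.example
Subject: Copy of my P45

Hi, could you send me a copy of my P45 as a PDF? Thanks, Alice
"""

# Constructed message that really did come from the company's own server, for contrast.
GENUINE_MESSAGE = """Return-Path: <alice.smith@yourbusiness.example>
Received: from mail.yourbusiness.example (mail.yourbusiness.example [192.0.2.20])
    by mail.yourbusiness.example with ESMTP; Mon, 1 Jan 2024 09:05:00 +0000
From: Alice Smith <alice.smith@yourbusiness.example>
To: payroll@yourbusiness.example
Subject: Holiday dates

Hi, just confirming I am off the week of the 15th. Alice
"""


def _domain(header_value):
    """Domain part of the first address in a header value, lowercased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return a list of reasons the From header should not be trusted on its own."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    reasons = []

    # The bounce address is set by the sending system, not typed into the From field.
    rp_domain = _domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        reasons.append(f"Return-Path domain '{rp_domain}' differs from From domain '{from_domain}'")

    # A Reply-To on a different domain quietly redirects your answer (and any attachment).
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # The last Received header is the earliest hop: the host that handed the message in.
    received = msg.get_all("Received") or []
    if received:
        parts = received[-1].split()
        first_hop = parts[1].lower() if len(parts) > 1 and parts[0].lower() == "from" else ""
        if first_hop and not (first_hop == from_domain or first_hop.endswith("." + from_domain)):
            reasons.append(f"Message entered from '{first_hop}', not a '{from_domain}' server")

    return reasons


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(f"{name}: {spoofing_indicators(raw) or ['no indicators']}")
```

For the spoofed sample all three indicators fire; the genuine sample produces none. An empty list does not prove a message is real (a scammer can forge Return-Path and Reply-To as well), which is why the text's advice to confirm unusual requests with the person by another channel still stands.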
Being hacked is the worst of the three because it means that a hacker has actually gained full access to your email account. They could have done this by infecting your computer with malware, by guessing your password, or through a data breach. Once the hacker has gained access to your email account, they could use it to harvest your information (and anyone else’s in your account), send emails from your account to help them target more accounts, or even use the email to access other online accounts. To avoid hacking, you need to make sure you have a good security infrastructure in place, your software is all up to date (patches save data), and that you are using complex passwords. If you think your account has been hacked, the first thing to do is change your password right away, to something very strong. If you used that same password for another account, make sure you change that too.
So there you have it – the differences between phishing, spoofing and hacking. All of these scams are different, but all of them are very serious, and need to be protected against. That means you need to put a good, strong cyber defence in place around your business, and maintain it with effective cybersecurity. At ACT Systems, we support SMEs with their cybersecurity needs, helping fill in the gaps and keep your business data safe. To find out more, just get in touch with the team today and book your free consultation.