
How to recognise and combat phishing

Following on from the recent phishing attack that was attempted against Krystal and some of our customers, we felt it was a good time to provide some free information on phishing and how to avoid it.

What is phishing?

Phishing is a form of social engineering that criminals use to extract sensitive information. One of the most common methods of phishing is via email, and usually involves either impersonation of a legitimate organisation or infection of a business or individual’s network with malware to compromise its security and gain access. According to Hiscox, cyber breaches cost the average UK small business £25,700 in basic ‘clear up’ costs every year. Around half of these cyberattacks involve phishing.

Cybercriminals trick email recipients into providing sensitive personal information through copycat web forms and sites or opening an attachment that loads harmful malware or ransomware onto their system.

Malware-based phishing attacks against business networks can be very effective. Once one computer gets infected, if that computer is connected to the wider business network, the malware can spread throughout the entire system. These breaches can have serious implications for a business should the malware spread to computers that contain particularly sensitive data.

How to spot a phishing email

Despite phishing emails having come a long way since the early attempts of the 1990s, there are still a number of telltale signs that may alert you to their malicious nature. Disclaimer: just because an email looks right on the surface, it doesn't necessarily mean it is. If you’re in any doubt, speak to either your IT department, the business in question using confirmed legitimate contact details, or get in touch with us at phishing@krystal.uk.

It’s unsolicited and asks for sensitive information

The vast majority of legitimate companies are unlikely to send you an unexpected email asking for your credit card, bank information, passwords or other sensitive information. If you receive an email you weren’t expecting requesting this information, and in particular containing a link to log in and submit or confirm these details, there’s a good chance it’s a phishing email. If the email has come from a company you already do business with, contact the firm to double check using contact details that you know are legitimate.

Krystal will never send you unsolicited emails asking for sensitive information. If in doubt, please get in touch with us at phishing@krystal.uk.

The sender’s email address doesn’t look right

Phishing scammers often try to send their emails from an address that mimics a trusted contact or business. Double check the sender’s details and look at their email address in detail. Does it perfectly match the usual format for the company?

A legitimate email should have the sender’s company in the domain part of the address, following the @ symbol (for example, Charles@krystal.uk, rather than krystal@hosting-domain-12234.org or Charles_krystal@gmail.com). Unfortunately, simply having the brand’s name somewhere in the email address can fool people into believing the email is legitimate.

Be extra vigilant when checking this detail, as more sophisticated scammers can buy domains that make the sender’s address look almost identical, with added numbers or substituted letters, for example Charles@krystal1.uk or Charles@kryslal.uk (a common trick is to substitute ‘rn’ for ‘m’). If unsure, check the sender’s address against previous, confirmed legitimate emails you’ve received.

All billing-related Krystal emails will come from @krystal.uk. Server notifications, however, will come from krystal.uk (co.uk), cloudhosting.uk (co.uk) or uksrv.uk (co.uk), depending on the server type.

Legitimate cPanel notification emails from Krystal will be in the format ‘root@serverhostname.krystal.uk’ (e.g. if your site is hosted on Athena, the sender’s address would be cpanel@athena.krystal.uk or root@athena.krystal.uk depending on the notification). If in doubt, please get in touch with us at phishing@krystal.uk.
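The sender checks in this section can be automated in a mail filter or triage script. The Python sketch below is an added example, not Krystal's own tooling: it classifies a From header against the sender domains named above. Reading "(co.uk)" as the matching .co.uk domain, the similarity threshold, and the function and label names are all assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Sender domains named in this article; treating "(co.uk)" as the
# .co.uk variant of each domain is an assumption.
TRUSTED = {"krystal.uk", "krystal.co.uk", "cloudhosting.uk",
           "cloudhosting.co.uk", "uksrv.uk", "uksrv.co.uk"}
BRAND = "krystal"
LOOKALIKE_RATIO = 0.85  # constructed threshold; tune it on your own mail


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'brand-misuse' or 'unknown'."""
    display, addr = parseaddr(from_header)
    local, sep, domain = addr.lower().rpartition("@")
    domain = domain.rstrip(".")
    if not sep or not domain:
        return "unknown"
    # Exact match, or a host underneath a trusted domain (athena.krystal.uk).
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    labels = domain.split(".")
    for t in TRUSTED:
        # Compare as many trailing labels as the trusted domain has.
        tail = ".".join(labels[-t.count(".") - 1:])
        if SequenceMatcher(None, tail, t).ratio() >= LOOKALIKE_RATIO:
            return "lookalike"
    # Brand name in the local part, display name or an untrusted domain.
    if BRAND in local or BRAND in domain or BRAND in display.lower():
        return "brand-misuse"
    return "unknown"


if __name__ == "__main__":
    # Addresses quoted in the article, plus one constructed display-name case.
    for sender in ("Charles@krystal.uk", "root@athena.krystal.uk",
                   "Charles@krystal1.uk", "Charles@kryslal.uk",
                   "krystal@hosting-domain-12234.org",
                   "Charles_krystal@gmail.com",
                   "Krystal Billing <accounts@example.net>"):
        print(f"{classify_sender(sender):13} {sender}")
```

A 'trusted' result only means the displayed domain is one of those listed; the From header itself can be forged, so this check complements the other signs rather than replacing them.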

The branding isn’t quite right

Phishing emails attempt to mimic legitimate emails in order to trick you into revealing or submitting sensitive information. The quality of this mimicry varies, with some branding attempts appearing more authentic than others – yet there are usually telltale signs. Check any logos or other branding details carefully against the official company website and correspondence – is it identical, or an approximation? Are the proportions of the logo and graphics the same? Do the header and colour scheme match previous emails? Legitimate companies often spend a lot of money and time perfecting their branding so it should be consistent across all communications.

Some phishing scams are more sophisticated than others, so correct-looking branding on its own is not a sign of authenticity. If in doubt, please get in touch with us at phishing@krystal.uk.

The sender doesn’t know your name / customer ID

Another giveaway is a generic salutation. Companies that legitimately do business with you should know your name and customer reference. Salutations such as ‘Dear Sir/Madam’ or ‘Dear valued customer’ should be warning signs that the email is part of a phishing attempt. Be sure to check these details in any emails you receive.

Krystal will ALWAYS include your name in any email correspondence. Some automated notification emails sent from our fleet servers may alternatively reference your cPanel username – see this guide if you’re not sure what this is.

Grammar and punctuation errors

Legitimate emails are also often proofread by multiple people before being sent, particularly if they’re template emails sent to many customers. This makes written errors a relatively rare occurrence. Phishing emails, on the other hand, are often written by people with a poor grasp of English and are automated for the widest possible reach. Quality standards are usually low.

Check the grammar and punctuation. Phishing emails are often put through a spellchecker or translation tool, so the spelling of individual words may be correct, but their overall grammatical incoherence can be a giveaway.

Check for the types of grammar and syntax errors that a non-native speaker may make:

  • Words used in the wrong context, e.g. ‘report immediately to 085012345 or substitute you can visit the website’.
  • Missing words in sentences, e.g. ‘a malicious user might trying to access your network’.
  • Odd tone of voice, e.g. ‘We need password confirmation click immediately’.

Everyone makes typos from time to time, but they’re usually picked up before a legitimate email is sent, and are often common human errors such as hitting an adjacent button when typing. If a supposedly official email contains the types of errors listed above, it’s very likely to be a phishing scam. In fact, scammers have been known to use emails containing poor grammar to help them identify recipients who may be more susceptible to further tactics.

All Krystal emails have a recognisable ‘Krystal’ tone of voice and are proofread by multiple people to ensure correct grammar and spelling.

It contains unusual or unsolicited attachments

Phishing emails often contain malicious attachments designed to spread malware into your network. Be extra careful if the email contains attachments that you either don’t recognise or are not expecting. Be on the lookout in particular for ‘high-risk’ attachment file types including .exe, .zip, .docm and .scr.

Krystal will never send you emails that contain unusual or unsolicited attachments.

It threatens consequences for inaction

Does the email tell you to act urgently or does it contain a veiled or explicit threat? Examples include ‘Send your details within 24 hours or your account will be cancelled’, or ‘Your account has been compromised – click this link immediately’. According to a phishing study by KnowBe4, the most-clicked email subject line globally in Q1 2021 was ‘Password Check Required Immediately’. A legitimate company would not force you to act immediately.

Krystal will never send emails demanding instant action or containing threats of consequences for failing to act immediately. If in doubt, please get in touch with us at phishing@krystal.uk.

Phishing emails normally ask you to confirm information or go to an external site by clicking on an embedded link, again with consequences for failing to act. Hyperlinks will tell you that they link to a legitimate website, but the actual link will send you somewhere completely different, or even download malware directly onto your computer. To check embedded links, you can (carefully!) hover your mouse over them without clicking and see if the actual URL displayed matches where the text says it will send you. If it doesn’t match the link in the text, or the displayed link begins with something other than https://, then it’s highly likely to be a phishing scam.

Krystal will never send you emails with external links that ask you to provide details to a third party. If in doubt, please get in touch with us at phishing@krystal.uk.

Common phishing email tactics

As well as the above telltale signs, there are several common phishing email tactics that criminals employ in order to compel you to open and click:

  • The Expired Domain Renewal: These emails inform you that your domain will expire or has recently expired and that you need to reconfirm your payment details or make a payment in order to renew it. This tactic formed part of a recent attempted phishing attack on Krystal.
  • The Official Government Threat: Using government branding and language, these usually accuse you of having done something wrong and threaten a course of action unless you provide certain information. E.g. “Because you illegally downloaded files, your internet access will be revoked until you enter the requested information in the form below.”
  • The Hacked Friend in Trouble: These can come from the email address of someone known to you who has already had their account hacked. These types of emails usually ask you to wire money or provide bank details to urgently help a friend. They can be particularly persuasive as they come from the sender’s real email address.
  • The Credit Card or Account Problem: With so many of us purchasing online, this is a popular scam. The email explains there was a problem with your account or purchase payment details, so you need to reconfirm – by either inputting them into a bogus online form or replying directly.
  • The Virus Infection: This one warns you that your computer or network is already infected, and offers a swift and effective remedy...if you click the link provided.
  • The Lucky Winner: “Congratulations, you’ve come first place in an imaginary contest that you never took part in. Click here to claim this incredible prize.”
  • The False Bank Notification: Masquerading as a friendly reminder from your bank, this sends you a false notification that there has been a withdrawal from your account that exceeds your limit. All you need to do is follow a link to a web form and input your bank account details for “verification purposes”.
  • The Tax Refund: Another common tactic is the email informing you of your eligibility to receive a tax refund, or of an irregularity with your tax.
  • The Routine Account Verification: This innocuous-sounding tactic can sometimes be the most successful, due to its relatively benign approach. However, if it asks you to input sensitive information, then take extra care. Contact the company in question, and check it against the phishing signs listed above.
  • The ‘Unusual Activity’ Notice: This type of email takes advantage of the fact that online companies are improving their security game. It warns the recipient that there has been ‘suspicious’ or ‘unusual’ activity on their account and that they need to fill in an online form or download a file for it to be investigated and corrected.

What to do if you’ve received a phishing email

If you’ve received an email which you’re not quite sure about or which raises your suspicions, there are some steps you can take:

  • Don’t click on the links, open any attachments, or expand any pictures within the email.
  • Don’t attempt to reply directly to the email.
  • Inform your company’s IT team.
  • Report the scam to the National Cyber Security Centre's Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk.
  • If the email purports to be from us, please forward it to phishing@krystal.uk.
  • Delete the email from your computer.
  • If you do legitimate business with the company who supposedly sent the phishing email, it may be worth contacting them to see if they would like you to forward the email to them, so they may take further action.

What to do if you’ve already clicked

If you’ve already clicked on the email or opened the attachment, you can follow these steps to try to minimise any potential threat:

  • Inform those in your business responsible for IT security immediately and follow their instructions.
  • Open your antivirus software and run a complete scan.
  • If you've been tricked into revealing your password, change all your passwords on your other online accounts.
  • If you’ve been tricked out of money, you need to report it to the police via Action Fraud, as it's a crime.

How to protect your business from phishing

There are a number of measures you can take to protect yourself and your business from cybercriminals attempting to gain access to sensitive data:

  • Have robust security policies: Comprehensive policies that focus on tools, access points and communication channels can help you to monitor and limit the entrance points for malicious software into your network.
  • Use comprehensive anti-virus / anti-phishing software: Whether cloud-based or on-premises, there are plenty of solutions available to help you detect, isolate and remediate phishing threats.
  • Use strong and unique passwords: Unique credentials make it a lot harder for hackers to gain access. For maximum security you should use a different password for each account.
  • Use Multi-Factor Authentication (MFA) wherever possible: MFA requires additional information or credentials from the user, often via a secondary device. A phishing attack may manage to get hold of a user’s credentials, but it won’t provide the attacker with the additional verification information, such as a randomly generated code, fingerprint or the answer to a personal security question. MFA therefore has the potential to stop the phishing attack in its tracks.
  • Create regular backups of your site and data: If your system is compromised, you can restore to a recent endpoint before infection and minimise data loss. All Krystal accounts come with free backups as standard.
  • Keep all browsers fully up to date: Out-of-date software can contain security weak points that allow criminals to gain access.
  • Conduct regular security training for employees: Run regular training sessions on how to avoid and combat phishing and schedule regular email reminders to your teams to keep those methods clear and present in their minds.
  • Keep your personal information safe: Criminals often seek to use additional personal information to make their attempts seem more legitimate. Check what publicly available information there is about you online, review your privacy settings and be mindful of what you and your friends and family post about you.

Phishing presents a serious threat to the data security of businesses. However, through a combination of robust cybersecurity policies, training and ongoing vigilance, these threats can be mitigated.

If you receive an email purporting to be from Krystal and it displays any of the signs listed in this blog, please do feel free to get in touch with us directly to confirm its legitimacy. You can also forward suspected phishing emails to phishing@krystal.uk to help us take action against cybercriminals who are targeting us or our customers.
