How Does A Phishing Attack Actually Work?

In one of my previous blogs we talked about phishing attacks: what they are and how you can protect yourself against them.

In this blog, we’re going to delve a little deeper and talk about how hackers use phishing attacks to steal your money.

Phishing is easy

Cyber criminals love to hack into email. Why? Because it lets them steal your money.

How does this happen? They send phishing emails trying to entice you to click on a link.

You might be sitting at your desk and you get one of these emails. The email appears to come from Office 365, telling you that your mailbox is full and you need to click on the link. You click on the link and enter your Office 365 username and password.

But the Office 365 page where you have just entered your username and password isn’t genuine. It’s a site created by the hacker to capture your password.

You’ve just given the hackers your username and password. The real work can now start.

Intercepting your emails

The hackers can then log into Office 365 with your username and password. They’ll then look for any emails about paying invoices or receiving payments.

These hackers then change the bank details on those invoices. The invoice is identical apart from the bank account details.

So to you, it looks genuine. All of this is happening without you knowing.

Most people then pay these invoices as normal. Why wouldn’t they? They look real. But they have just transferred a lot of money into the bank account of a hacker.

A real example:

We recently spoke to a business in Yorkshire who had exactly this happen to them.

They received an invoice from a supplier for around £8000.

It was the first time they’d ever dealt with this supplier, so it was the first invoice they’d received. But they had no reason to query it. They were expecting the invoice and it was for the right amount of money.

Little did they know that the bank details had been changed.

They promptly paid the invoice.

At this point in time, nobody knew that there was a problem. Five weeks later the supplier called and asked where the money was.

It starts with process

Protecting your email is one of the most important things you can do for your cyber security.

  • First, you need a process in your business: if you receive an invoice from a supplier for the first time, always call them and check the bank details before you make payment.
  • Secondly, if a supplier informs you that they’ve recently changed their bank details, call them and verify that the change is genuine.

Don’t trust anything that is unexpected.
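As an added example (not from the original post), here is a small payment-run check in Python that enforces the two rules above: a first invoice from a supplier with no record on file, or an invoice whose bank details differ from the details previously confirmed by phone, is held until someone calls the supplier on a number already known to the business. The vendor and invoice data are constructed samples and the field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Vendor:
    """Bank details on record for a supplier, confirmed by a phone call."""
    name: str
    sort_code: str
    account: str


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    amount_gbp: float
    sort_code: str
    account: str


def _norm(value: str) -> str:
    # Ignore spaces and dashes so "12-34-56" matches "123456".
    return "".join(ch for ch in value if ch.isalnum())


def check_invoice(inv: Invoice, vendors: Dict[str, Vendor]) -> Optional[str]:
    """Return None if the invoice may be paid, otherwise the reason it is held.

    Rule 1: no record for this supplier means a first invoice -> hold.
    Rule 2: bank details that differ from the record -> hold.
    In both cases the payer phones the supplier on a number they already
    hold (never one printed on the invoice) before releasing payment.
    """
    known = vendors.get(inv.vendor_name)
    if known is None:
        return "HOLD: first invoice from this supplier; verify bank details by phone"
    if (_norm(known.sort_code), _norm(known.account)) != (_norm(inv.sort_code), _norm(inv.account)):
        return "HOLD: bank details differ from the vendor record; verify the change by phone"
    return None


def record_verified(vendors: Dict[str, Vendor], inv: Invoice) -> Dict[str, Vendor]:
    """After the phone check succeeds, store the confirmed details for next time."""
    return {**vendors, inv.vendor_name: Vendor(inv.vendor_name, inv.sort_code, inv.account)}


# Constructed sample data (hypothetical supplier and account numbers).
VENDORS: Dict[str, Vendor] = {}
FIRST_INVOICE = Invoice("Example Supplier Ltd", 8000.0, "12-34-56", "12345678")
TAMPERED_INVOICE = Invoice("Example Supplier Ltd", 8000.0, "65-43-21", "87654321")
```

Running `check_invoice(FIRST_INVOICE, VENDORS)` holds the invoice as a first contact; after the phone check, `record_verified` stores the details so a later invoice with the same account passes while one with altered details is held again.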

Email Protection

Once you have these processes in place within your business, the next step is to look at protecting your email system.

Remember, products like Office 365 and Gmail are accessible over the web for ease of use. This means anyone in the world can reach the login page. So if they’ve stolen your username and password, they can try to steal your money very easily.

Strong passwords

You can protect your email by using a strong password.

Don’t use the same password you would use for social media sites or other online apps.

Make sure the password isn’t easy to guess.

If you’re struggling to decide on a complex password, use an online password generator like https://passwordsgenerator.net/ that will generate a random, complex password for you.

Two-Factor Authentication

And finally, you should add additional protection to your email by using two-factor authentication (2FA).

With 2FA, if someone does manage to get hold of your password, they still can’t log in without the PIN on your phone. It’s that extra bit of protection, and it’s completely free.