Posted on Friday, 02 March 2018

Are Phishing Emails still a problem?


There is so much technology and software available these days for preventing malware and malicious emails from getting into our systems that you have to ask: are phishing emails still a problem?

Email is still one of the most widely used communication technologies because of its versatility and ease of use. However, this also means we now receive a swarm of emails every day from people and companies we have never met, and it is sometimes hard to distinguish the real ones from the fake. This all gets a bit much at times, so we implement email filtering to try to get rid of all the ‘junk’ emails that are just trying to catch you out. Some email products even try to do this automatically, detecting what they think are useless (spam/junk) emails and storing them in a separate folder. Emails can also be a source of malicious code that could infect our data or even encrypt it and demand a ransom in return for the decryption key.

According to the Cyber Security Breaches Survey 2017, fraudulent emails still account for the highest percentage of breaches or attacks.

Here are some of the main phishing techniques used:

Mass phishing – This is the most common type of attack, whereby an email is sent out to an indiscriminate list of people including companies, employees and consumers. These attacks generally use generic hooks that try to get you to log in to or pay for something using PayPal or your bank. They sometimes contain links which download malicious code, adding your device to a botnet, exploiting a browser vulnerability to steal your data, or turning it into a zombie for future use.

Spearphishing – This is a much more targeted attack aimed at individuals in a specific organisation. These attacks exploit people’s trusting and helpful nature by pretending the email comes from someone in the organisation, such as the CEO’s personal email, or by using a domain that is almost the same as the organisation’s and asking someone to review a document which has malicious code embedded within it. These attacks generally aim either to steal large amounts of personal data and sell it on, or to hold it to ransom.

Whaling – This is the most sophisticated, tailored and targeted form of phishing. Whaling is aimed at senior-level executives or other high-profile individuals with the aim of compromising their machine. Open source information will be gathered on the target from a variety of sources, such as social media, to gain an understanding of the target’s hobbies and interests. This information will then be used to craft the targeted email with the aim of triggering an emotion that causes the target to click the link.

So why are phishing emails still the biggest cause of cyber breaches, both for companies and in our personal lives? Well, the answer is simple: people. People are still, and probably always will be, the biggest vulnerability in any company. Sadly, it’s not really the user’s fault either; hackers prey upon human emotions by appealing to anxiety, curiosity, greed and trust.

Some may ask why we don’t put more restrictions on email traffic and limit the user’s interaction with emails. However, there is a point at which security starts to impact usability, and you must draw the line somewhere.

Which really leaves one option, and it’s not more expensive technology and software: it’s going back to basics and giving regular training. But how do you provide effective training against phishing attacks? You need to start by gaining a baseline of your staff’s awareness of phishing emails, mainly so that you can see whether people are improving. Some may be wondering how they can get this baseline, but the answer is staring straight at them: phish your own company. By running a phishing campaign against your own company, you are not only testing your staff, you are giving them practice with safe emails. Once you have this baseline, a company can then run training sessions teaching staff what to look out for, then run another campaign a few months later to see if there has been an improvement.

The training doesn’t need to be hugely extensive either; it just needs to cover the basics of how to identify phishing emails and who to report any phishing emails to. Here are some top tips for spotting phishing emails:

  1. Does the email contain links?
    If the email contains links, they may say they are taking you to one website but actually take you to a malicious website. So before clicking any link, hover your mouse cursor over it and the real destination will be shown either above the link or at the bottom of your screen.
    You can test this below, where I have made the link look like it is taking you to the NCSC website but it actually takes you to the Aristi website.
  2. Check the email/URL’s domain name (domainname.com)
    Attackers rely on people not knowing how the DNS naming structure works. So they will try to use trusted names at the start of their domain names, like Microsoft, Apple, or anything else familiar. Make sure you are looking out for anything that looks even slightly suspicious, like Microsoft.evildomain.com or john.smith@microsoft.evildomain.com; the part that matters is the registered domain at the end (evildomain.com), not the familiar name in front of it.
  3. Spelling and grammar
    Important emails from other companies generally get reviewed for spelling and grammar, so the likelihood of mistakes is low. If you receive an email with spelling mistakes or poor grammar, check for any other hints that may suggest it is malicious.
  4. The message is asking for personal information
    If the email is asking for personal information, no matter who it is from, you should regard it as a phishing email, because you don’t know who has access to that mailbox or whether it has been hacked. If you are uncertain, or it is from someone you know and trust, contact them directly with a phone call to confirm it was them and why they need it.
  5. The offer seems too good to be true
    There is an old saying that if something seems too good to be true, it probably is. That is especially true for emails.
  6. You didn’t initiate the action
    If the email says you’ve won a contest that you didn’t enter, you can bet that it is a scam. Don’t get caught like a deer in the headlights by news of winning a lottery you never entered.
  7. You are asked to send money
    Eventually the attacker will ask for money. At this point you know you are being phished and should stop all interaction and report it. Unless you are expecting an invoice or other such payment request, don’t open it or send money. If you are unsure, call them or see if someone else in the office is expecting it.
  8. The message makes unrealistic threats
    Occasionally attackers will try to scare you into an impulsive reaction by threatening that something bad will happen if you don’t act straight away. For example, a bank emailing you to say something is wrong and your account will be frozen and all your assets seized if you don’t respond with ID etc.
  9. The message appears to be from a government agency
    Quite often attackers will pretend to be government agencies requesting information or getting you to visit a website etc., and because we are all law-abiding citizens we do as it says. Always be slightly more cautious of emails received from government agencies that aren’t purely informational.
  10. Something just doesn’t look right
    Instincts are truly amazing and quite often correct, so if you follow the JDLR (Just Doesn’t Look Right) principle you are likely to pick up most phishing emails.

If you would like some help with your phishing campaign or training your staff, contact us or call us on 0121 2225630.

Thomas Dold CCP SIRA is a Cyber Security Consultant at Aristi. Tom has over 4 years’ experience in information assurance and risk management. Having worked for a range of clients from the private sector to defence, he is experienced in protecting sensitive information through formal Risk Assessment and providing Information Assurance advice.
