What is phishing? Help to minimise risks to your business

What is phishing?

If you’ve searched ‘phishing meaning’ online recently, you’re not alone. There’s been a big rise in phishing attacks lately, leading many business owners on a quest to learn more about phishing and to consider the potential impact of cyber security breaches.

Basically, phishing is the name given to scam emails, calls, or messages that attempt to persuade you to provide personal or sensitive information, such as passwords, addresses, or financial information, or to run attachments containing malware like viruses. The content of those calls and messages is sometimes referred to as ‘lures’ or ‘pretext’.

What is a phishing attack?

A phishing attack is when a cybercriminal sends a deceptive message pretending to be someone else you trust, such as a large organisation or individual. These deceptive messages can be sent via email or SMS and even on social media platforms. Often, a phishing message links to a fake website that asks you to enter confidential information.

Who is the target of phishing attacks?

Cybercriminals often cast a wide net, aiming to exploit any opportunity to access sensitive information. This means phishing scams have the potential to impact everyone, from individuals using personal mobiles to businesses of all sizes and industries.

This emphasizes the importance of educating yourself and your staff to identify and respond appropriately to phishing attempts. By investing in training to develop a cybersecure mindset, you can help reduce your vulnerability.

To help minimise the risk of hackers defrauding your business, it’s worth considering how to defend yourself against phishing attacks.

What types of phishing should businesses be aware of?

Cybercriminals use different types of phishing methods when targeting individuals and businesses.

These methods change over time with new labels continually introduced, so to avoid confusion keep in mind that all forms of phishing fundamentally work the same; all phishing is designed to trick someone into giving up something of value.

The means in which the messages are delivered, such as an app or phone call, and the contents of the messages vary over time.

The value of the information or access criminals seek also varies such that something that seems of little value to you today may be valuable to criminals tomorrow.

Some of the specific phishing variations you may see discussed today include:

• Smishing - text messages (SMS) purporting to be from reputable companies to induce individuals to reveal personal information.
• Spear phishing - personalised messages from seemingly trustworthy senders, such as banks, that are usually targeted at employees in an organisation.
• Whaling - targeted spear phishing, where a senior person in an organisation is ‘lured’ by a cybercriminal posing as someone trusted, like a colleague.
• Pop-up phishing - deceptive pop-up advertisements that contain malware.
• Clone phishing - messages that closely resemble legitimate ones. For example, hackers may pose as trusted brands to send promotional messages to the brand’s customers.
• Voice phishing - also known as ‘vishing’, involves cybercriminals using phone calls to steal information, usually posing as someone trusted by the target of the ‘vishing’ attack. 

How do you identify a phishing attack?

Just like phishing can take many forms that all share fundamental characteristics, so too does effective defence.

You can look out for classic hallmarks of phishing, like typos and dodgy links, which vary between given phishing messages. Some have typos, others not. Some have suspicious links, others appear ordinary. Legitimate emails often have links that point to different domains for the purposes of tracking click rates. Some of these emails have typos.

Your best bet therefore is to be weary of any unexpected communication regardless of how it arrives or who claims to be behind it.

If you did not expect the call or request, allow yourself to be suspicious. Report or delete it, or if you are curious call or email the would-be sender on a known, trusted, official contact and not those contained in the suspicious message.

Still, traditional red flags can be useful as many phishing messages do indeed have typos and other errors.

Watch out for grammatical errors, misspelt names, pressure to act soon, and incorrect facts. Here are some other tips to help you stay vigilant:

• Is the message unexpected? Is the sender contacting you about something you haven’t discussed before or in a way they haven’t communicated with you previously?
• Are you being asked to share any kind of information that could be sensitive? This might be personal or business information.
• Are you being rushed to act in some way? Scammers rely on pressure tactics to get people to act quickly without having time to think about potential implications of their actions.

Things to remember when watching out for phishing attacks

Trusted organisations don’t usually ask customers to share sensitive information via unsolicited correspondence. They should never ask for your multifactor authentication code, often a series of numbers sent over text that you use to log into your account after entering your password.  So, never share personal details unless you’re sure you know who you’re talking to. Likewise, be wary of clicking on links within, or downloading attachments from, messages that seem suspicious.

Examples of phishing scenarios

Phishing scams can use a range of scenarios to try to trick recipients into revealing sensitive information. Some common scenarios include:

Account Security Alert

The message claims that your account has been compromised or unusual activity has been detected, urging you to click a link to secure your account.

Urgent Request from a Colleague

Scammers will impersonate a coworker, asking for sensitive information or payment transfers, often framing it as urgent.

Shipping or Delivery Notice

The message notifies you of a package delivery issue and asks you to click a link or provide details to resolve the problem.

Fake Invoice or Payment Request

Cybercriminals will send a fraudulent invoice or payment request, often impersonating a legitimate service, prompting you to provide payment details.

It’s important to remember that this list is not exhaustive. Phishing scams can come in many forms, so staying diligent is your best defence against these types of cyber attacks.

How can you protect your business from phishing?

When it comes to the question of how to avoid phishing, there are steps you can take today to help protect your business tomorrow.

To help prevent phishing scams impacting your business, it’s important to educate yourself and any employees such that they:

• Stop and slow down to assess the situation if you receive a message that doesn’t seem right.
• Educate you and your team about being mindful of any unexpected communication.
• Consider if you have other legitimate ways to contact the sender to validate if they are indeed the person or business who sent the message.

According to ACSC, the best ways to help protect your business from phishing attempts are to keep across current threats, be cautious online, and take steps to block malicious or unwanted messages from reaching you in the first place. There are multiple ways to help stop security breaches, including investing in mobile device email and application security solutions.

Business email compromise

Business email compromise is a type of phishing attack that’s specifically targeted at businesses. It can take various forms and target anyone in an organisation that could give scammers a way in.

Spend some time to understand how criminals might target your business in this way and how to help prevent business email compromise in your business operations. 

How to recover from a phishing attack

If you think your business has been targeted by a phishing attack, it’s important to act fast. Firstly, understand the compromised message and what information or access was handed over. This dictates your next steps,

Steps to consider:

• Call your bank and tell them what happened. Do not delay. Every hour matters.
• Changing compromised passwords along with those reused across other accounts.
• Turning on multifactor authentication.
• Review login session information which will show, for example, if your laptop and phone are accessing your email account. Close all sessions and log back in with your devices.
• Report scams to the ACCC via the Scamwatch report a scam page.
• Contact IDCare on 1800 595 160 or via www.idcare.org for support if you believe your personal information has been put at risk.

You may also choose to lodge a formal report with the Australian Cyber Security Centre's ReportCyber page. There, you can report a cybercrime, incident or vulnerability and check the status of an existing cybercrime report.

How to help protect your business

Every business is different and not all security technologies are a universal fit.

But there are some critical things that every business should implement.

1. Unique passwords: Never reuse a password. If any staff have, change them. Their personal non-work accounts should be protected with unique passwords too to avoid compromise of any work data they have stored in services like email.
2. Use a password manager to create and save unique complex passwords. You can use a notebook if that book is always stored in a safe place.
3. Turn on multifactor authentication for email and other work services like accounting platforms, social media, and website login portals.
4. Back up critical data regularly. Any data not backed up could be lost in a security breach so be sure to back up as regularly as you are prepared to lose data. Ensure restoring that backed up data works ahead of time.
5. Turn off unused remote services and remove unnecessary and non-work applications from computers.
6. Ensure all hardware and software is still receiving software updates (these close emerging security holes) and are set where possible to automatically update.

Top tips from ACSC on how to help protect yourself from phishing attempts include using spam filters and conducting yourself securely online.

As an extra precaution, you may also choose to invest in cyber security software designed to help block cybercriminals from causing your business financial harm.

No matter what your current risk management strategy, it pays to stay informed on the latest threats. To do so, you can find information on the latest scams impacting individuals and businesses on the Australian Government’s Scamwatch website.

Last published May 2023, updated October 2024.