IT Governance – The Basics
Security Edition
How and why to protect your organisation

Our expertise, your peace of mind

A free e-book containing our most popular content covering cyber security, information security, data protection and staff awareness.

www.itgovernance.co.uk
Contents

Introduction
Cyber Security: The 5 most common cyber attacks in 2020
Information Security: 5 ways to improve your information security in 2021
Data Protection: List of mandatory documents required by the GDPR
Staff Awareness: 5 ways to detect a phishing email – with examples

Introduction

After years on the periphery, information security is at the forefront of business operations. This is in part thanks to laws such as the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act), which have forced businesses to address security risks or face heavy financial penalties – but it's also a result of the inescapable news coverage that has demonstrated the destruction that data breaches can cause.

Stories of organisations leaking databases or being crippled by ransomware are everyday occurrences, and you're equally likely to run into figures such as those from the Ponemon Institute, which estimate the average cost of recovering from a data breach at $3.86 million (about £2.7 million).

With organisations seeing the effects of a data breach directly – and not just the possibility of regulatory action – it's no surprise that they have taken notice. But what exactly must they do to protect their systems and sensitive data? We answer that question in this book, which contains a collection of our most popular articles, guides and infographics.

It provides a comprehensive introduction to the security threats you face and the ways you can protect yourself. You'll discover the most common types of cyber attack, the risks of working from home, the data protection policies and processes you must implement, the way scammers target your employees, and much more.

Founder and Executive Chairman
IT Governance Ltd
Cyber security

The key to effective cyber security is understanding the threats you face. Every organisation is unique, and although there are universal risks – such as phishing attacks or malicious insiders – the way they manifest will differ depending on several factors.

In this section, we look at some of the ways you can identify issues that are specific to your organisation. This includes an explanation of the most common and damaging incidents, including malware and DDoS (distributed denial-of-service) attacks, as well as the circumstances that can leave you vulnerable.

The 5 most common cyber attacks in 2020

With more than 2,000 publicly disclosed data breaches in the first half of 2020, cyber attacks pose a massive threat to organisations of all sizes.

But how do these attacks manifest themselves, and what are the most common cyber threats to organisations today?

In this post, we explore five of the most common cyber attack methods and discuss what you can do to protect your organisation.

1) Phishing

What is phishing?

Phishing is a form of social engineering where a criminal hacker tries to trick the user into clicking a malicious link, downloading an infected attachment or divulging sensitive or confidential information.

Proofpoint's 2019 State of the Phish Report found that 83% of respondents experienced a phishing attack in 2018 (up from 76% in 2017), and Verizon's 2019 Data Breach Investigations Report revealed that 32% of data breaches involved phishing.

Types of phishing

There are many types of phishing, including:

Vishing: Voice phishing or 'vishing' is phishing conducted by phone. Most vishing attempts try to get the victim to reveal information like PINs, payment card details and passwords. Criminals then use those details to access online accounts to steal information or money.

Smishing: SMS phishing or 'smishing' is becoming a more popular form of phishing, partly because we increasingly rely on smartphones in both our work and personal lives.

Spear phishing: Spear phishing is a targeted form of phishing attack – usually conducted to seek financial gain or obtain insider information – where cyber criminals adapt their methods to reach a specific victim. Spear phishing attacks are rarely random; the attacker researches the target and tailors the message to them.

Staff awareness training can help reduce the likelihood of a user falling for a phishing attack.
2) Ransomware

What is ransomware?

Ransomware is a type of malicious software designed to deny access to files until a ransom is paid, or to threaten to publish the victim's data unless one is paid (although there is no guarantee that access will be restored, or that the criminal hacker will destroy the data).

The threat is growing. The 2019 Official Annual Cybercrime Report predicts that a business will fall victim to a ransomware attack every 14 seconds in 2019, and every 11 seconds by 2021.

3) DDoS attacks

What is a DDoS attack?

A DDoS (distributed denial-of-service) attack attempts to disrupt regular web traffic and take a site offline by overwhelming a system, server or network with more access requests than it can handle.

DDoS attacks typically serve one of two purposes:

1 An act of revenge against an organisation.
2 A distraction that allows cyber criminals to break into the organisation while it focuses on restoring its website.

How to prevent DDoS attacks

The reputational and financial damage resulting from the service unavailability inflicted by a successful DDoS attack can be severe. Therefore, preventing or at least quickly countering DDoS attacks can be critical for your organisation's survival.

Regularly testing your IT infrastructure is paramount to keeping your systems secure, and is something any organisation should consider as part of its cyber security strategy.

4) Computer viruses

What is a computer virus?

A computer virus is a type of malicious code or program written to alter the way a computer operates. Much like a flu virus, it is designed to spread from one computer to another, typically without the user's knowledge, when a user:

Opens an infected email attachment;
Clicks an infected executable file;
Visits an infected website;
Views an infected website advertisement; or
Plugs in an infected removable storage device (e.g. a USB drive).
5) Attack vectors

Attack vectors are the routes an attacker uses to gain access to a computer or network in order to infect it with malware or harvest data. Four of the most common are:

Drive-by

A drive-by cyber attack targets a user through their Internet browser, installing malware on their computer as soon as they visit an infected website. It can also happen when a user visits a legitimate website that has been compromised by criminal hackers, which then either infects them directly or redirects them to a malicious site.

SQL injection

A SQL (Structured Query Language) injection occurs when an attacker supplies input that an application splices directly into a database query, so that the input is executed as SQL rather than treated as data. SQL injections are only successful when a security vulnerability exists in an application's software: specifically, when user input is not kept separate from the query text, for example through parameterised queries. Successful SQL injection attacks can force a server to disclose or modify data.

MITM (man in the middle)

A MITM attack is where an attacker secretly positions themselves between two parties, relaying and altering their communication while impersonating each to the other, in order to manipulate them and gain access to their data. The users are not aware that they are communicating with an attacker rather than each other.

Zero-day attack

Outdated (unpatched) software often contains vulnerabilities that criminal hackers can use to bring entire systems down. Where attackers exploit a vulnerability before the developer has released a patch or other fix, this is referred to as a zero-day attack: the defender has had 'zero days' to address it. Once a fix is available, the risk becomes one of unpatched software, which is why patch management matters.

Patch management is one of the five basic cyber security controls contained in the UK government's Cyber Essentials scheme.

Protecting your organisation

Cyber attacks can cause significant disruption and damage to even the most resilient organisation. For those that fall victim, the reputational and financial repercussions can be devastating.

But did you know that your employees are your weakest link? Human error is to blame for 88% of data breaches in the UK according to research by Kroll.

Free resources:
Free green paper: Cyber security, data privacy risks and remote working
Free infographic: What are the major types of cyber attack?
Free infographic: Working from home top tips
Free infographic: Top 5 remote working cyber security tips
Information security

You may have seen the terms 'information security' and 'cyber security' used interchangeably, but there are differences between them, and it's essential that you understand what they are if you are to tackle the threats you face effectively.

'Information security' is a general term for the way organisations and individuals protect their valuable assets, whether those are business records, personal data, intellectual property, etc. This data can be stored in many ways: as physical files, on servers and hard drives, in the Cloud or on personal devices.

Cyber security is a specific type of information security that refers to the ways organisations protect digital information, such as networks, programs, devices, servers and other digital assets.

Although it is only one aspect of information security (alongside physical security), it is often used as a catch-all term in place of information security because cyber threats are far more common than physical ones. Focusing only on cyber threats, however, can result in key risks being overlooked, placing the organisation at risk.

In this section, we look at the risks associated with information security and the ways organisations can tackle them.

5 ways to improve your information security in 2021

Protecting your organisation against cyber attacks can sometimes feel like a never-ending game of whack-a-mole. As soon as you've secured one weakness, another one appears.

This can demoralise any organisation and make it believe that good information security practices are impossible.

However, there is a solution – but it requires a different way of thinking.

Organisations must stop looking at each individual threat as it arises and instead build defences that are equipped to handle whatever cyber criminals throw at you.

Doing that is simpler than it sounds. That's because, as much as cyber criminals' tactics evolve, they tend to follow the same basic methodology.

If your security measures account for the ways in which you are targeted, rather than specific forms of attack, you will defend yourself effectively from a range of attacks.

In this post, we outline five things you can do to improve the way you approach information security.

1) Support cyber security staff

The first thing you must do is ensure that your cyber security staff have the support they need.

Security teams often feel that they're not given a sufficient budget or that senior staff don't listen to their requests.

These problems stem from the fact that senior leadership generally lacks technical knowledge of cyber security, which would otherwise help them understand why the team is making its requests.

As a result, board members tend to view cyber security as an operational cost and overlook the benefits of investing in it. That is to say, an organisation with an effective security programme will not only have fewer data breaches but will also run more smoothly, with employees following best practices and avoiding mistakes.

Indeed, it's worth emphasising that although cyber security is generally considered the IT team's responsibility, its influence reaches the entire organisation.

Your security measures affect every department and every location – whether that's the organisation's offices, its servers or its remote employees.

You therefore won't be able to make any significant progress until your board acknowledges the value of cyber security and provides an appropriate budget.

2) Conduct annual staff awareness training

Two of the biggest threats organisations face are phishing and ransomware, both of which exploit human error.

If employees receive phishing emails and are unable to spot that they are scams, the whole organisation is at risk.

Similarly, internal error, privilege misuse and data loss are all the result of employees not understanding their information security obligations.

These are issues that you can't fix with technological solutions alone. Organisations must instead support their IT department by conducting regular staff awareness training.

A study from Privatise Business VPN suggests that staff aren't getting the training they need, with 53% of IT managers saying that employees need a greater understanding of cyber threats.

Cyber security training not only prevents data breaches but also comes with a range of other benefits.

We have discussed some of those reasons before, but in general, it boils down to making your business more efficient in your day-to-day operations and your relationship with data protection regulators.

Training courses should be given to employees during their induction and then repeated annually.
3) Prioritise risk assessments

A risk assessment is one of the first tasks an organisation should complete when preparing its cyber security programme.

It's the only way to make sure that the controls you choose are appropriate to the risks your organisation faces.

It does this by creating a system that helps you answer the following questions:

Under what scenarios is your organisation under threat?
How damaging would each of these scenarios be?
How likely is it that these scenarios will occur?

Without a risk assessment, your organisation is liable to ignore threats that could otherwise have devastating effects.

Likewise, you might waste time and effort addressing events that are unlikely to occur or won't cause significant damage. There is, after all, little point implementing measures to defend against events that won't have much material impact on your organisation.

The best way to conduct a risk assessment is by following the guidelines outlined in the international standard for information security management, ISO 27001.

Its best-practice approach is built around the risk assessment process, helping organisations understand threats and solutions associated with people, processes and technology.

4) Regularly review policies and procedures

Policies and procedures are the documents that establish an organisation's rules for handling data.

Policies provide a broad outline of the organisation's principles, whereas procedures detail how, what and when things should be done.

This is another area in which ISO 27001 can help. The Standard contains a comprehensive list of controls that organisations may choose to adopt if they decide that they must address an identified threat.

We have previously discussed some policies that organisations should implement, which include those related to remote access, password creation and management, and rules on acceptable use.

By writing policies and procedures, organisations can ensure that employees understand their security obligations and cement the lessons taught during staff awareness training.

The more technically minded policies also provide essential support for the security solutions offered by IT.

For example, you can security test a piece of third-party software, but if employees make basic errors – such as misconfiguring a database – it will undermine those efforts.

5) Assess and improve

The steps outlined here are only the starting point. Cyber security is an ever-evolving field, and your organisation must regularly review its practices to make sure they are up to scratch.

By following our guidance, you've created a framework that enables you to make changes efficiently and without having to substantially alter the way you operate.

For example, tackling a new threat might be as simple as creating a new policy or adjusting an existing one.

Likewise, it might be the case that your IT team needs to implement a new technology to tackle an emerging threat.

You already have a communication pipeline between IT and the board to discuss this, and the team should have an agreed budget to apply whatever changes are necessary.

How to achieve information security success

We've mentioned ISO 27001 a couple of times in this post, and for good reason.

The Standard contains comprehensive guidance on risk management, and is designed to help organisations manage their security practices in a simple, centralised system.

You can find out more about the Standard, and how you can adopt its requirements, by downloading our free green paper: Implementing an ISMS – The nine-step approach.

Our experts provide essential tips to help you get started with ISO 27001, explaining our tried-and-tested approach to get your organisation certification-ready.

Free resources:
Free green paper: Information Security and ISO 27001 – An introduction (itgovernance.co.uk)
Free infographic: What is an ISMS? (itgovernance.co.uk)
Data protection

Like 'cyber security', 'data protection' is a term that's often used to broadly refer to the prevention of data breaches, alongside data integrity and availability. But again, you must understand exactly what data protection is and how it fits into your business if you are to mitigate risks to the data you hold.

In its most basic form, data protection encompasses the legal aspects related to the processing of sensitive information. This includes things such as data minimisation (processing information only if it is necessary to complete a specific task), lawful processing (ensuring that there is a legal basis for processing information) and transparency (ensuring that data subjects are aware of the ways organisations use their information).

You'll be familiar with these requirements if your organisation is subject to the GDPR, but data protection isn't just about regulatory compliance. The GDPR is intended to protect data subjects first and foremost, because as great as the damage is to an organisation following a security incident, the consequences can be just as bad for those whose data has been compromised.

As such, organisations that demonstrate that they take data protection seriously benefit not only from increased security but also from increased customer trust and loyalty – both key drivers of a successful business.

In this section, we look at the ways organisations can use the GDPR to bolster their data protection practices.

List of mandatory documents required by the GDPR

The documentation of processing activities is a legal requirement under the EU GDPR (General Data Protection Regulation).

Documenting your processing activities can also support good data governance, and help you to demonstrate your compliance with other aspects of the GDPR.

In this post we have listed all of the documentation, policies and procedures you must have if you want to be fully GDPR compliant.

Privacy Notice (Articles 12, 13, and 14)

A privacy notice is a public statement of how your organisation applies (and complies with) the GDPR's data processing principles.

An essential part of compliance, it serves two purposes: to promote transparency, and to provide individuals with more control over the way their data is used.

Our customisable template can help you produce a privacy notice in just a few minutes.

For more information, see: How to write a GDPR data privacy notice – with template example

Personal Data Protection Policy (Article 24)

A data protection policy is a statement that sets out how your organisation protects personal data.

It explains the GDPR's requirements to your employees, and demonstrates your organisation's commitment to compliance.

If you are unsure what your data protection policy should include, this template, created by our expert GDPR practitioners, can help you create one in minutes.

For more information, see: How to write a GDPR data protection policy – with template examples

Employee Privacy Notice (Articles 12, 13 and 14)

Under the GDPR, you must be more transparent and open than ever before about the employee-related data you process.

It is also a core GDPR principle for employers to process HR-related data in a fair and transparent way.

An employee privacy notice is a key step towards compliance, and explains to an individual how a data controller (in this case, your organisation) processes an employee's personal data.
Data Retention Policy (Articles 5, 13, 17, and 30)

A data retention (or records retention) policy outlines your organisation's protocol for retaining information.

It is important that your organisation only retains data for as long as it's needed.

This is because holding on to data for longer than necessary takes up valuable storage space and incurs unnecessary costs; it also breaches the GDPR's storage limitation principle (Article 5(1)(e)) and means that any breach exposes more data than it needed to.

When writing your data retention policy, you should consider two key factors:

1 How you are going to organise information so it can be accessed at a later date; and
2 How you will dispose of information that is no longer needed.

For more information, see: Top tips for data retention under the GDPR

Data Retention Schedule (Article 30)

A data retention (or records retention) schedule is a policy that defines how long data items must be kept.

It also provides disposal guidelines for how data items should be discarded.

You can create a GDPR-compliant retention and disposal schedule in minutes with our easy-to-use and customisable templates, developed by our expert GDPR practitioners.

Data Subject Consent Form (Articles 6, 7, and 9)

Consent is one lawful basis for processing personal data, and explicit consent can also legitimise the use of special category data.

If your organisation relies on consent as its lawful basis for processing personal data for a specific purpose, you must obtain that consent from the data subjects in question, typically with a consent form.

Consent under the GDPR is often misunderstood and mismanaged: it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.

We have outlined best-practice guidance for writing a GDPR consent form.

Supplier Data Processing Agreement (Articles 28, 32, and 82)

If you use another organisation (i.e. a processor, or a sub-processor if you are yourself a processor) to assist with your processing of personal data, you need to have a written contract in place with that organisation.

This is known as a supplier data processing agreement.

DPIA Register (Article 35)

The DPIA Register is used to document your organisation's Data Protection Impact Assessments (DPIAs).

To learn more about how to conduct a DPIA, see our information page: Data Protection Impact Assessments under the GDPR.
Data Breach Response and Notification Procedure (Articles 4, 33, and 34)

You must create a procedure that applies in the event of a personal data breach under Article 33 – "Notification of a personal data breach to the supervisory authority" – and Article 34 of the GDPR – "Communication of a personal data breach to the data subject".

An example of what a data breach notification might look like is available from the EU GDPR Documentation Toolkit.

For help writing your data breach notification procedure, see: How to write a GDPR data breach notification procedure – with template example.

Data Breach Register (Article 33)

You must maintain an internal record of all personal data breaches in a Data Breach Register, whether or not they were reportable.

The data breach register should contain details of the facts surrounding the breach, the effects of the breach, and any remedial action taken.

Data Breach Notification Form to the Supervisory Authority (Article 33)

If you have experienced a personal data breach that needs to be reported to the ICO, you will need to fill in the applicable data breach notification form. Article 33 requires the notification to be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; if you cannot provide all the information at once, you may supply it in phases.

For more information on data breach reporting, visit the ICO's website.

Data Breach Notification Form to Data Subjects (Article 34)

You will need to complete a Data Breach Notification Form to Data Subjects if you have experienced a personal data breach that is likely to result in a "high risk to the rights and freedoms" of an individual.

Some GDPR documents are only applicable under certain conditions, including:

Data Protection Officer Job Description (Articles 37, 38, and 39)

You'll need to appoint a DPO if:

(a) You are a public authority or body, except for courts acting in their judicial capacity; or
(b) Your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
(c) Your core activities process on a large scale special categories of data and personal data relating to criminal convictions and offences.

Inventory of Processing Activities (Article 30)

This document is mandatory if:

(a) Your organisation has more than 250 employees; or
(b) The processing you carry out is likely to result in a risk to the rights and freedoms of data subjects; or
(c) The processing is not occasional; or
(d) The processing includes special categories of data; or
(e) The processing includes personal data relating to criminal convictions and offences.

Standard Contractual Clauses for the Transfer of Personal Data to Controllers (Article 46)

This document is mandatory if you are transferring personal data to a controller outside the European Economic Area (EEA) and you are relying on model clauses as your lawful grounds for cross-border data transfers.

Free resources:
Free green paper: EU GDPR – A compliance guide
Free green paper: The Data Breach Survival Guide – Preparing for the inevitable
Staff awareness

Did you know that human error is the leading cause of data breaches? A joint study from Stanford University Professor Jeff Hancock and the security firm Tessian found that 88% of all data breaches involved an employee making a mistake: a misconfigured database, a sensitive email sent to the wrong person, a phishing scam, or something else that jeopardised their organisation's security.

But despite how prevalent these risks are, few organisations dedicate the same attention to, and investment in, staff awareness training as they do to technological solutions.

That's why we've dedicated the final section of this book to the dangers posed by your employees and the ways you can mitigate that threat.

5 ways to detect a phishing email – with examples

Phishing is one of the most common methods of cyber crime, but despite how much we think we know about scam emails, most people still frequently fall victim.

Action Fraud receives more than 400,000 reports of phishing emails each year, and according to Mimecast's State of Email Security 2020, 58% of organisations saw phishing attacks increase in the past 12 months.

Meanwhile, Verizon's latest Data Breach Investigations Report found that more than two thirds of data breaches involved social engineering attacks such as phishing.

In this blog, we use real phishing email examples to demonstrate five clues to help you spot scams.

1) The message is sent from a public email domain

No legitimate organisation will send emails from an address that ends '@gmail.com'. Not even Google.

Most organisations, except some small operations, will have their own email domain and company accounts. For example, legitimate emails from Google will read '@google.com'.

If the domain name (the bit after the @ symbol) matches the apparent sender of the email, the message is probably legitimate. Bear in mind, though, that the From address itself can be forged unless the receiving mail server checks SPF, DKIM and DMARC, so a matching domain is a necessary check rather than a guarantee.

The best way to check an organisation's domain name is to type the company's name into a search engine.

This makes detecting phishing seem easy, but cyber criminals have plenty of tricks up their sleeves to deceive you.

Top tip: Look at the email address, not just the sender

Many of us don't ever look at the email address that a message has come from. Your inbox displays a name, like 'IT Governance', and the subject line. When you open the email, you already know (or think you know) who the message is from and jump straight into the content.

When crooks create their bogus email addresses, they often have the choice to select the display name, which doesn't have to relate to the email address at all. They can, therefore, use a bogus email address that will turn up in your inbox with the display name 'Google'.

But criminals rarely depend on their victim's ignorance alone. Their bogus email addresses will use the spoofed organisation's name in the local part of the address (the bit before the @ symbol).

Take this example of a phishing email mimicking PayPal:

[Image: phishing email mimicking PayPal. Credit: WeLiveSecurity]
This is a nearly flawless scam email. It uses PayPal’s logo at the top of the message, it is styled professionally and the request is believable.

But as much as it attempts to replicate a genuine email from PayPal, there’s one huge red flag: the sender’s address is ‘paypal@notice-access-273.com’.

A genuine email from PayPal would have the organisation’s name in the domain name, indicating that it had come from someone at (@) PayPal. That PayPal isn’t in the domain name is proof that this is a scam.

Unfortunately, simply including PayPal anywhere in the message is often enough to trick people.

They might glance at the word PayPal in the email address and be satisfied, or simply not understand the difference between the domain name and the local part of an email address.

2) The domain name is misspelt

There’s another clue hidden in domain names that provides a strong indication of phishing scams – and it unfortunately complicates our previous clue.

The problem is that anyone can buy a domain name from a registrar. And although every domain name must be unique, there are plenty of ways to create addresses that are indistinguishable from the one that’s being spoofed.

The Gimlet Media podcast ‘Reply All’ demonstrated how difficult it can be to spot a spoofed domain in the episode ‘What Kind Of Idiot Gets Phished?’. Phia Bennin, the show’s producer, hired an ethical hacker to phish various employees.

The hacker bought the domain ‘gimletrnedia.com’ (that’s r-n-e-d-i-a, rather than m-e-d-i-a) and impersonated Bennin.

His scam was so successful that he tricked the show’s hosts, Gimlet Media’s CEO and its president.

Top tip: You don’t need to fall victim to help criminal hackers

As Bennin went on to explain, you don’t even need to fall victim for a criminal hacker to gain vital information.

In this scam, the ethical hacker, Daniel Boteanu, could see when the link was clicked, and in one example that it had been opened multiple times on different devices.

He reasoned that the target’s curiosity kept bringing him back to the link but that he was suspicious enough not to follow its instructions.

Boteanu explains:

“I’m guessing [the target] saw that something was going on and he started digging a bit deeper and […] trying to find out what happened […]

“And I’m suspecting that after, [the target] maybe sent an email internally saying, ‘Hey guys! This is what I got. Just be careful. Don’t click on this […] email.’”

Boteanu’s theory is exactly what had happened. But why does that help the hacker? Bennin elaborates:

“The reason Daniel had thought [the target] had done that is because he had sent the same email to a bunch of members of the team, and after [the target] looked at it for the fourth time, nobody else clicked on it.

“And that’s okay for Daniel because he can try, like, all different methods of phishing the team, and he can try it a bunch of different times. [And] since [the target is] sounding alarm bells, he probably won’t include [him] in the next phishing attempt.”

Therefore, in many ways, criminal hackers often still win even when you’ve thwarted their initial attempt.

That is to say, indecisiveness in spotting a phishing scam provides clues to the scammer about where the strengths and weaknesses in your organisation are.

It takes very little effort for them to launch subsequent scams that make use of this information, and they can keep doing this until they find someone who falls victim.

Remember, criminal hackers only require one mistake from one employee for their operation to be a success. As such, everyone in your organisation must be confident in their ability to spot a scam upon first seeing it.
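The two sender-address checks described above (the brand not owning the domain, and a look-alike domain such as ‘gimletrnedia.com’) written out as an added Python example; this is not code from the e-book or from IT Governance, and the confusable-character table, the sub-label check and the sample addresses are illustrative assumptions.

```python
# Added example (not from the e-book): applies clues 1 and 2 to a sender address.
# Look-alike substitutions used to imitate a brand's domain label. 'rn' for 'm'
# is the page's own example; the other entries are illustrative assumptions.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_domain(host: str) -> str:
    """'mail.paypal.com' -> 'paypal.com'; 'notice-access-273.com' is unchanged.
    Simplified: multi-part public suffixes such as 'co.uk' are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Collapse look-alike sequences so 'gimletrnedia' reads 'gimletmedia'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def assess_sender(address: str, genuine_domain: str) -> list:
    """Return the red flags for the sender of a message that claims to come
    from the brand owning `genuine_domain`; an empty list means none."""
    local, _, host = address.lower().rpartition("@")
    domain = registrable_domain(host)
    genuine = registrable_domain(genuine_domain)
    brand, _, genuine_tld = genuine.partition(".")      # e.g. 'paypal', 'com'
    if domain == genuine:
        return []                                       # the brand owns the domain
    flags = []
    name, _, tld = domain.partition(".")
    # Clue 2: the label only differs from the brand by look-alike characters.
    if normalise(name) == normalise(brand) and tld == genuine_tld:
        flags.append("lookalike domain: %s imitates %s" % (domain, genuine))
    else:
        flags.append("brand %s does not own the domain %s" % (brand, domain))
    # Clue 1: the brand name is present, but not where it would prove ownership.
    if brand in local:
        flags.append("brand name appears only in the local part (before the @)")
    if brand in host and brand not in domain:
        flags.append("brand name is a sub-label of %s, not the domain itself" % domain)
    return flags
```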
3) The email is poorly written

You can often tell if an email is a scam if it contains poor spelling and grammar.

Many people will tell you that such errors are part of a ‘filtering system’ in which cyber criminals target only the most gullible people.

The theory is that, if someone ignores clues about the way the message is written, they’re less likely to pick up clues during the scammer’s endgame.

However, this only applies to outlandish schemes like the oft-mocked Nigerian prince scam, which you have to be incredibly naive to fall victim to.

That, and scams like it, are manually operated: once someone takes the bait, the scammer has to reply. As such, it benefits the crooks to make sure the pool of respondents contains only those who might believe the rest of the con.

But this doesn’t apply to phishing.

Automated attacks

With phishing, scammers don’t need to monitor inboxes and send tailored responses. They simply dump thousands of crafted messages on unsuspecting people.

As such, there’s no need to filter out potential respondents. Doing so reduces the pool of potential victims and helps those who didn’t fall victim to alert others to the scam, like we saw in the earlier example with Gimlet Media.

So why are so many phishing emails poorly written? The most obvious answer is that the scammers aren’t very good at writing.

Remember, many of them are from non-English-speaking countries and from backgrounds where they will have limited access or opportunity to learn the language.

With this in mind, it becomes a lot easier to spot the difference between a typo made by a legitimate sender and a scam.

Top tip: Look for grammatical mistakes, not spelling mistakes

When crafting phishing messages, scammers will often use a spellchecker or translation machine, which will give them all the right words but not necessarily in the proper context.

Take this example of a scam imitating Windows:

Image: KnowBe4
No individual word is spelled incorrectly, but the message is full of grammatical errors that a native speaker wouldn’t make, such as “We detected something unusual to use an application”.

Likewise, there are strings of missed words, such as in “a malicious user might trying to access” and “Please contact Security Communication Center”.

These are consistent with the kinds of mistakes people make when learning English. Any supposedly official message that’s written this way is almost certainly a scam.

That’s not to say any email with a mistake in it is a scam, however. Everyone makes typos from time to time, especially when they’re in a hurry.

It’s therefore the recipient’s responsibility to look at the context of the error and determine whether it’s a clue to something more sinister.

• Is it a common sign of a typo (like hitting an adjacent key)?
• Is it a mistake a native speaker shouldn’t make (grammatical incoherence, words used in the wrong context)?
• Is this email a template, which should have been crafted and copy-edited?
• Is it consistent with previous messages I’ve received from this person?

If you’re in any doubt, look for other clues that we’ve listed here or contact the sender using another line of communication, whether that’s in person, by phone, via their website, an alternative email address or through an instant message client.

4) It includes suspicious attachments or links

Phishing emails come in many forms. We’ve focused on emails in this article, but you might also get scam text messages, phone calls or social media posts.

But no matter how phishing emails are delivered, they all contain a payload. This will either be an infected attachment that you’re asked to download or a link to a bogus website.

The purpose of these payloads is to capture sensitive information, such as login credentials, credit card details, phone numbers and account numbers.

What is an infected attachment?

An infected attachment is a seemingly benign document that contains malware. In a typical example, like the one below, the phisher claims to be sending an invoice:

Image: MailGuard

It doesn’t matter whether the recipient expects to receive an invoice from this person or not, because in most cases they won’t be sure what the message pertains to until they open the attachment.

When they open the attachment, they’ll see that the invoice isn’t intended for them, but it will be too late. The document unleashes malware on the victim’s computer, which could perform any number of nefarious activities.

We advise that you never open an attachment unless you are fully confident that the message is from a legitimate party. Even then, you should look out for anything suspicious in the attachment.

For example, if you receive a pop-up warning about the file’s legitimacy or the application asks you to adjust your settings, then don’t proceed.

Contact the sender through an alternative means of communication and ask them to verify that it’s legitimate.
Suspicious links

You can spot a suspicious link if the destination address doesn’t match the context of the rest of the email.

For example, if you receive an email from Netflix, you would expect the link to direct you towards an address that begins ‘netflix.com’.

Unfortunately, many legitimate and scam emails hide the destination address in a button, so it’s not immediately apparent where the link goes to.

A typical example looks like this:

Source: Malware Traffic Analysis

In this example, you would probably know that something was suspicious if you saw the destination address in the email.

Unfortunately, the rest of the message is pretty convincing, and you might click the link without giving it a second thought.

To ensure you don’t fall for schemes like this, you must train yourself to check where links go before opening them.

Thankfully, this is straightforward: on a computer, hover your mouse over the link, and the destination address appears in a small bar along the bottom of the browser.

On a mobile device, hold down on the link and a pop-up will appear containing the link.

5) The message creates a sense of urgency

Scammers know that most of us procrastinate. We receive an email giving us important news, and we decide we’ll deal with it later.

But the longer you think about something, the more likely you are to notice things that don’t seem right.

Maybe you realise that the organisation doesn’t contact you by that email address, or you speak to a colleague and learn that they didn’t send you a document.

Even if you don’t get that ‘a-ha’ moment, coming back to the message with a fresh set of eyes might help reveal its true nature.

That’s why so many scams request that you act now or else it will be too late. This has been evident in every example we’ve used so far.

PayPal, Windows and Netflix all provide services that are regularly used, and any problems with those accounts could cause immediate inconveniences.

The business depends on you

The manufactured sense of urgency is equally effective in workplace scams.

Criminals know that we’re likely to drop everything if our boss emails us with a vital request, especially when other senior colleagues are supposedly waiting on us.

Image: MailGuard
Phishing scams like this are particularly dangerous because, even if the recipient did
suspect foul play, they might be too afraid to confront their boss.

After all, if they are wrong, they’re essentially implying that there was something
unprofessional about the boss’s request.

However, organisations that value cyber security would accept that it’s better to be safe
than sorry and perhaps even congratulate the employee for their caution.
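The suspicious-links check from clue 4 (the destination not matching the context of the email, or the visible address not matching the real one) as an added Python example that runs over a constructed HTML message; this is not code from the e-book or from IT Governance, and the sample message, the example-billing.net domain and the 203.0.113.7 address are made up for the illustration.

```python
# Added example (not from the e-book): flags links in an HTML email whose real
# destination does not match the brand the message claims to come from (clue 4).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """'www.netflix.com' -> 'netflix.com'; IP literals are returned whole.
    Simplified: multi-part public suffixes such as 'co.uk' are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return host if all(l.isdigit() for l in labels) else ".".join(labels[-2:])


def suspicious_links(html: str, claimed_domain: str) -> list:
    """Return each http(s) href that leads outside `claimed_domain`, or whose
    visible text shows a different address from the one it really opens."""
    collector = AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue                     # mailto: and relative links are out of scope
        dest = registrable_domain(url.hostname or "")
        # Only compare the visible text when it is itself written as a URL or domain.
        looks_like_address = re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I)
        shown = urlparse(text if "://" in text else "//" + text).hostname if looks_like_address else None
        if dest != registrable_domain(claimed_domain) or (shown and registrable_domain(shown) != dest):
            flagged.append(href)
    return flagged


# Constructed sample: a fake 'Netflix' notice whose button and bare-IP link lead elsewhere.
SAMPLE = ('<p>Your account is on hold.</p><a href="https://verify.example-billing.net/login">UPDATE PAYMENT</a>'
          '<p>Or visit <a href="https://www.netflix.com/youraccount">www.netflix.com/youraccount</a></p>'
          '<a href="http://203.0.113.7/x">https://www.netflix.com</a>')
```

Calling `suspicious_links(SAMPLE, "netflix.com")` flags the button and the bare-IP link but not the genuine netflix.com link, which is the same judgement the hover check above asks the reader to make by eye.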

Prevent phishing by educating your employees

To combat the threat of phishing, organisations must provide regular staff awareness training.

It’s only by reinforcing advice on avoiding scams that your team can develop good habits and detect malicious messages as second nature.

Learn more with IT Governance

You can find out more about how to keep your organisation secure by taking a look at our blog, and visiting our free resources hub and YouTube channel.

IT Governance is the one-stop shop for cyber security, cyber risk and privacy management solutions.

Contact us if you require consultancy, books, toolkits, training or software.

t: +44 (0)333 800 7000
e: servicecentre@itgovernance.co.uk
w: www.itgovernance.co.uk

IT Governance Ltd
A GRC International Group plc subsidiary
Unit 3, Clive Court, Bartholomew’s Walk
Cambridgeshire Business Park, Ely
Cambs., CB7 4EA, United Kingdom

/it-governance @ITGovernance @ITGovernanceLtd

IT Governance Ltd registered in England No. 11311669

Free resources:
Free quiz: How to spot a phishing email
Free infographic: Minimise the risk of phishing attacks

Our Expertise. Your Peace of Mind
