SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
4 tips to keep safe when phishing for treats this Halloween
Wed, 31st Oct 2018

Trick or treat. Those words are spoken by millions of children around the world every Halloween, though we always expect the sugary treat and not the scary alternative.

Unfortunately, tricks are all too real. Have you ever knocked on a door waiting for a handful of sweets only to be scared stiff by someone who looks like they've just finished playing an extra in a Tarantino film? Maybe you've been made to put your hands in pumpkin mush at a Halloween party? What about the one where a stranger gains access to all your business, financial and personal data in the blink of an eye? No?

You have clearly never been victim to a phishing attack - yet. A phishing attack, or scam, is the result of a criminal disguising themselves, albeit via an email or website instead of a skeleton costume, and pretending to be someone or something they're not. The aim is to trick you, the recipient, into divulging sensitive information that could see you or your business out of pocket.

On paper these may sound like the types of scams you'd spot a mile off, but every day more and more people like yourself are failing to identify increasingly elaborate phishing scams. Since last Halloween alone, phishing attempts have grown by a frightening 65%, with 76% of businesses reporting that they have been victims of phishing attacks. With 1.5 million new websites used for phishing being created each month, it's clear that this is just the beginning. These attacks are only going to get smarter.

So smart, in fact, that they infiltrated the world's biggest social media platform. Just last month, Facebook reported a breach in which criminals stole information on over 50 million user profiles, including users' religious beliefs, their state and place of work, family and social relationships and lots of other information these unknowing victims chose to share. Perfect ammunition for an extremely tailored phishing attack, if you ask me.

Scary stuff, right? Nobody likes being tricked, least of all in lieu of putting your feet up and falling into a sugar-induced coma. That's why we're deadly serious about keeping you safe this Halloween, sharing our top four tips to protect your business and help you identify a phishing scam from a mile away.

Creep it real

The first port of call when deciding whether what you're looking at is real or not is right under your nose. Always check and study a URL before clicking through, especially if it has found its way to you rather than you searching for it. Fake links loosely imitate other websites, often by adding unnecessary words and domains. A telling sign is a URL that doesn't quite fit the hyperlink you're used to from that source, contains extra words in the domain, or ends with a string of random characters. For boo-nus (sorry) points, always make sure to hover over and inspect any hyperlinked text before clicking through.
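Added example, not from the original article: the URL checks described above, applied to every link in an HTML email body. The brand table, the flag names, the 16-character cut-off for a "random" ending and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands the recipient really deals with, mapped to their true domain.
KNOWN_BRANDS = {"examplebank": "examplebank.example"}

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self._href, self._text = dict(attrs)["href"], []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def check_link(href, text):
    """Return the warning signs that apply to one link."""
    parts = urlsplit(href)
    host = re.sub(r"^www\.", "", (parts.hostname or "").lower())
    flags = []
    # The visible text names a host, but hovering would show a different one.
    shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
    if shown and not belongs_to(host, re.sub(r"^www\.", "", shown.group(0))):
        flags.append("text-does-not-match-destination")
    # A familiar brand name padded with extra words or domains.
    if any(b in host and not belongs_to(host, d) for b, d in KNOWN_BRANDS.items()):
        flags.append("brand-name-in-unrelated-domain")
    # Last path/query token is long and mixes digits with both letter cases.
    tokens = [t for t in re.split(r"[/?&=]", parts.path + "?" + parts.query) if t]
    tail = tokens[-1] if tokens else ""
    if len(tail) >= 16 and all(re.search(p, tail) for p in (r"\d", "[a-z]", "[A-Z]")):
        flags.append("random-looking-ending")
    return flags

def scan_email(html):
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}

# Constructed sample message body (reserved .example/.test names only).
SAMPLE = ('<a href="http://examplebank.example.secure-login.test/v?id=x9Qz7Lk2Vb81TmR4pY">'
          'www.examplebank.example</a> <a href="https://www.examplebank.example/login">Log in</a>')
```

Calling `scan_email(SAMPLE)` returns each link with its list of warning signs; an empty list means none of these three checks fired, not that the link is safe.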

Don't believe your eyes?

This one's easy. Suddenly get told you've won the lottery, you've received a free holiday to the Maldives, or that there's £3 million with your name on it if you could just send some cash over to a rich king in a foreign land? Call me pessimistic, but if something sounds too good to be true then it usually is. Especially if it's coming from an unidentified source. If your luck suddenly changes, you might want to inspect the email a little further before packing your suitcase and handing in your notice.

Exorcise vigilance

Have a hunch you're being spooked? If you think the person you're speaking to isn't who they say they are, take it up with 'them' via another channel. The beauty of the 21st century is the plethora of ways we can communicate, be it via the phone, web, email, text, or social media. That'll soon sniff out the imposters.


Does the email or URL ask you to convey sensitive or personal information? It's a rule of thumb that banks will never ask for personal information over email, instead directing you to your app or online banking portal. No matter how convincing an email may seem, never share sensitive information, especially if you didn't instigate the conversation in question.