The Sender

In a phishing attack, the sender imitates (or “spoofs”) someone trustworthy that the recipient would likely know. Depending on the type of phishing attack, it could be an individual, like a family member of the recipient, the CEO of the company they work for, or even someone famous who is supposedly giving something away. Often phishing messages mimic emails from large companies like PayPal, Amazon, or Microsoft, and also other banks or government offices.

The Message

Under the guise of someone trusted, the attacker will ask the recipient to click a link, download an attachment, or to send money. When the victim opens the message, they find a scary message meant to overcome their better judgement by filling them with fear. The message may demand that the victim go to a website and take immediate action or risk some sort of consequence.

The Destination

If users take the bait and click the link, they’re sent to an imitation of a legitimate website. From here, they’re asked to log in with their username and password credentials. If they comply, the sign-on information goes to the scammer, who uses it to steal identities, pilfer bank accounts, and sell personal information.

How do these attacks usually happen?

Phishing attacks begin with the scammer sending a communication, acting as someone trusted or familiar. The sender asks the recipient to take an action, often implying an urgent need to do so.

Email Phishing

Email phishing is one of the most common types of phishing and occurs when fraudsters masquerade as a trusted organisation to obtain confidential information such as personal information, bank details or passwords. The attacker sends an email claiming to be someone trustworthy and familiar (e.g. local retailer) and asks you to click a link to take an important action, or perhaps download an attachment. Often the email will link to a fake website which may appear almost identical to the legitimate website. This website will then entice the victim to enter log-on credentials or download malware. Additionally, the email communication will usually suggest that you must act urgently, maybe to prevent your online access from being blocked.

Remember, phishing emails can look extremely convincing by copying branding and spoofing email addresses to seem genuine.

Spear Phishing

Spear phishing is a targeted form of a phishing attack. Spear phishers generally disguise themselves as a legitimate, familiar sender, often from within the same organisation, to increase the chance the recipient will carry out the intended action.

This could include opening the attached file or visiting a website which would typically download malware, divulging sensitive personal or commercial information or being duped into completing a transaction. For instance, a fraudster might spear phish an employee whose responsibilities include the ability to authorise payments. The email implies to be from an executive in the organisation, commanding the employee to send a substantial payment either to the CEO or to a company vendor, but instead, the malicious payment link sends it to the attacker.

Whale Phishing

Whale phishing is for phishers looking to target high-profile victims. This can include Chief Executors and Directors. Typically, the attacker is trying to trick these well-known targets into giving their personal information and/or business credentials. Whaling attacks usually involve social engineering efforts to trick the victim into believing the deception.

Pop-Up Phishing

These cyberattacks use pop-up messages to trick users into sharing their financial details or downloading malicious software by pretending you have won a prize.

Recognising an attack

Recognising a phishing attempt isn’t always easy. They often use fear to cloud your judgement. Here are a few common signs of a phishing attempt:

Bank of St Helena would not contact you requesting your Local Debit Card number, PIN or Online Banking Customer ID / password. To verify your identity, you will be asked for your Security Information which includes your Card Security Number (Local Debit Card) and memorable questions (Online Banking).

The Bank’s official e-newsletters include link buttons but customers can search the official website directly for information on the newsletter topics or contact the Bank.