

BGC HR Back to Basics: What is Phishing in Malaysia?

11 May 13:00 by BGC HR


Depending on who makes up your Malaysian workforce, phishing might be a familiar term or a completely new one. In this article, we'll break down what your organization needs to know about phishing: the different cybersecurity risks to look out for, and the steps employees can take to prevent phishing in Malaysia. Are you ready? 

 

What is Phishing?  

 


 

Phishing, a cybersecurity term you may also know as "email scams", is a growing concern. The term refers to a method of gathering personal and sensitive information through malicious emails or websites that pose as something trustworthy. 

But what exactly does phishing entail? Typically, the characteristics of a phishing email contain: 

  • The tone of voice is different: Phishing emails usually try to mimic someone you know (e.g. your manager, a colleague, a parent or a partner), but not every scammer can imitate that person's tone accurately. Keep an eye out for jokes, anecdotes or greetings that seem out of the ordinary.

  • Spelling and grammatical mistakes: Errors that are unusual for the person or company being imitated can signal a phishing email. Some phishing emails claim to come from a multi-million dollar company; ask yourself whether such a company would really send you an email laced with spelling and grammatical mistakes. The reverse is not a safe assumption, though: a carefully written email can still be a phish.

  • Dodgy email addresses: Take a careful look at the sender's actual address, not just the display name, which can be set to anything. A phishing email impersonating someone you know may use a lookalike address. For instance, instead of daniel@yahoo.com, a scammer might use cIaniel@yahoo.com, where the "d" has been replaced by a "c" followed by an uppercase "I", which many fonts render almost identically. 
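As an added example (not part of the original article), the following Python script automates the "dodgy email address" check described above. It parses the From: header, then reduces both the sender address and each trusted contact to a "skeleton" in which common lookalike substitutions (uppercase I for lowercase l, digits for letters, "rn" for "m", "cl" for "d", and a few Cyrillic letters for their Latin twins) collapse to the same string, so a lookalike lands on a known contact. The contact list and the sample headers are constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed address book for the example; these are illustrative addresses only.
KNOWN_CONTACTS = {
    "daniel@yahoo.com",
    "finance@example-corp.com",
}

# Single characters that phishers commonly substitute for lookalikes.
# The Cyrillic entries are homoglyphs that NFKC normalization does not fold.
SINGLE_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "4": "a", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})
# Character pairs that read as one letter in many fonts.
PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(address: str) -> str:
    """Reduce an address to a form in which visually similar spellings collide."""
    s = unicodedata.normalize("NFKC", address)
    # Uppercase I and lowercase l are indistinguishable in sans-serif fonts, so
    # fold I -> l *before* lowercasing (plain lowercasing would turn it into 'i').
    s = s.replace("I", "l").lower()
    s = s.translate(SINGLE_CONFUSABLES)
    for pair, single in PAIR_CONFUSABLES:
        s = s.replace(pair, single)
    return s


def classify_sender(from_header: str, contacts=KNOWN_CONTACTS) -> dict:
    """Classify a From: header as 'known', 'lookalike' (of a contact) or 'unknown'."""
    display_name, address = parseaddr(from_header)
    result = {"address": address, "display_name": display_name}
    if address.lower() in contacts:
        result["verdict"] = "known"
        return result
    sk = skeleton(address)
    for contact in contacts:
        if skeleton(contact) == sk:
            # Same skeleton but not the same address: a lookalike of that contact.
            result["verdict"] = "lookalike"
            result["impersonates"] = contact
            return result
    result["verdict"] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample headers, including the article's own example.
    for header in (
        "Daniel <daniel@yahoo.com>",
        "Daniel <cIaniel@yahoo.com>",
        "Daniel <d\u0430niel@yahoo.com>",
        "Finance Team <finance@examp1e-corp.com>",
        "newsletter@other.example",
    ):
        print(classify_sender(header))
```

The confusable tables here are a small hand-picked subset; a production filter would use the Unicode confusables data (UTS #39) and apply the same check to the domain against your own and your suppliers' domains, not only to full addresses.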


Types of Phishing Scams  
 


 

There are a number of different phishing scams out there. They include: 
 

  • Traditional phishing: You have probably seen these in your inbox. In a traditional phishing attack, the same message is sent in bulk to thousands of harvested email addresses, often from a forged sender address claiming to be a bank or credit card company.

  • Spear phishing: This form of phishing targets a specific individual, so the message is personalized and tailored to lure that person. In the corporate world, spear phishing often targets mid- to lower-level employees.

    Unlike regular phishing, a spear-phishing email usually includes the target's personal details to gain their trust. An attacker might target someone in the finance department by impersonating their boss and asking for a large funds transfer. The information used to personalize the lure is often collected from social media sites such as LinkedIn.

  • Whaling: A form of spear phishing aimed at the head of the organization (CEOs, CFOs and other C-suite individuals). These senior targets often handle business from a personal email address rather than a corporate one, which puts their mail outside the organization's filtering and monitoring. As with spear phishing, the goal of whaling is to obtain sensitive corporate information.

  • Vishing: Voice phishing, i.e. phone scams, but a slightly more sophisticated variety. Victims typically report receiving a call alerting them to a family emergency or to fraudulent activity on their credit card, and are then given a phone number to call back and "confirm" personal data.

  • Botnets: Strictly speaking a botnet is not a type of phishing but the machinery behind much of it. Much like zombies, a botnet is a group of infected computers under an attacker's control that send out spam and phishing messages in the hope of infecting more machines. Botnets are also used for DDoS (distributed denial of service) attacks, generating fake internet traffic and ad fraud.


What Information do Phishers Want? 
 


 

Cybercriminals use phishing to gain "sensitive information" from unsuspecting victims. But what does "sensitive information" mean here? 

 

  1. Personal information: One of the main goals of cybercriminals is identity theft. The information at stake ranges from email addresses to your full name, employee ID number and the name of your workplace, much of which can be lifted from social media sites such as Facebook and LinkedIn. With enough personal information, phishers can also commit medical fraud in your name.

  2. Credit card information: Imagine taking every careful precaution only to lose it all in a single breach. There is a lot phishers can do with your credit card details, from credit card fraud and large-scale financial theft to damaging your credit rating.

  3. Passwords: Your passwords protect everything from bank accounts to email and private social media accounts. Once a password is phished, cybercriminals can access your bank account, or dig up your private information to blackmail you with. Because people reuse passwords, one phished password often unlocks several accounts.

  4. Company reputation: Phishing can also be used to damage your company's reputation. Organizations that are compromised often lose money, working hours and, most importantly, both current and potential customers.
     


What Kind of Employee Falls For Phishing Scams?
 


 

Fortunately, there are ways to identify employees who are more likely to fall for email scams. 

 

  1. Gen Z employees: Despite being younger, hip and comfortable with technology, Gen Z employees are more likely to drop strict cybersecurity habits in favor of a more personalized internet experience.

  2. Personality type: It is controversial, but some studies suggest that employees with a certain personality type are more likely to fall for phishing scams. For instance, employees with an "Intuitive" personality type are reported to be more susceptible to phishing and email scams.

  3. Male employees: Oddly enough, a controversial study found that men are slightly more susceptible to phishing attacks. Over the 120-day study, 5.42% of men clicked on phishing emails compared to 4.94% of women.

  4. Small to medium businesses: It is no surprise that cybercriminals tend to target small and medium-sized businesses. A lack of proper cybersecurity technology, and of a business continuity plan, are just some of the reasons why SMEs look like easier targets. 


How to Stay Safe From Phishing Attacks?
 


 

When it comes to phishing, there are two potential security risks to look out for: the human (end-user) and the cybersecurity technology in use. It is important for both the human resources team and the IT team to collaborate and identify potential breaches. 
 

If your employees are potential cybersecurity risks: 

  • Educate them: Your employees won't know what to protect against unless they have been told what to look out for. Educate them by sharing articles and holding short training sessions on how scammers target individuals through phishing, and make it easy (and blame-free) to report a suspicious email.

  • Encourage better password habits: A phished password lets an attacker log in as that employee and, from there, install malware or move on to other systems. Use a unique password for every account, ideally kept in a password manager, so that one phished password cannot be reused elsewhere.

  • Implement 2FA (two-factor authentication): Employees are probably already familiar with 2FA from online banking. 2FA simply adds a second layer of security: besides the password, an employee must enter a uniquely generated code (from an authenticator app or SMS) to log in. Bear in mind that a phishing page can relay a one-time code to the real site in real time, so 2FA raises the bar but does not eliminate phishing; hardware security keys (FIDO2) are the phishing-resistant option.

  • Encourage skepticism: The best way to stay safe online is to be skeptical of everything. Encourage your employees to judge everything from simple widget add-ons to full-blown software before downloading it, and to confer with the organization's IT team before proceeding. Unexpected payment or data requests should be verified through a separate channel, such as calling the requester on a number you already have.

  • Simulate attacks: Training your employees to identify phishing emails is one of the most effective ways to keep your organization out of the hands of an email scam. Phisherman Alert!, an application developed by CSIntelligence, allows your organization to simulate phishing attacks: specially crafted emails are sent to find the weak spots in your organization. It is not just about the attacks, though. Your organization also receives training from cybersecurity professionals in Malaysia, along with a report to help you keep track of potential phishing-related breaches. 

    Learn more about CSIntelligence and its anti-phishing application and training package Phisherman Alert here

 


 

If the lack of technology is a cybersecurity risk: 

 

Spear phishing expert and cybersecurity provider, CSIntelligence recommends following these steps below in order to stay safe from potential phishing attacks: 

 

  • Invest in proper end-user technology: Free anti-virus software alone is not enough to protect your organization from phishing. Email filtering, sender authentication on your own domain (SPF, DKIM and DMARC, so your address cannot easily be forged) and web filtering that blocks known phishing sites are the basics. CSIntelligence offers applications and training to help protect your organization's key assets. 

  • Invest in proper tech manpower: You have the technology and your employees are trained, so what more does your organization need? An in-house IT team, or a managed security provider, gives you someone who is responsible for acting when an employee reports a suspicious email, and is a valuable addition to your organization's line of defense. 


What other "Back to Basics" guides would you like BGC Malaysia to create? Let us know in the comments section below!


*This article first appeared at BGC Singapore under the title, "BGC HR Back to Basics: What is Phishing?". Click here to view the original article.

Read More: How to ⁠— Interview Tech and Cybersecurity Candidates in Malaysia