Demystified – Phishing

Continuing our series on demystifying prevalent cyber-attacks, let’s delve into the world of phishing. Phishing is one of the most common forms of cyber attack and is all about tricking users into completing the desired action of the attacker, this could be sharing sensitive information (account info, passwords, addresses etc..) or downloading malware. Hence the name Phishing, the hacker is like a fisherman throwing out a hook (email) and the user is the fish that ends up taking the bait. 

Phishing attempts can occur through various channels like text messages, social media, websites, or phone calls. However, the most prevalent method remains phishing emails. These deceptive emails are often mass distributed, cleverly disguised as legitimate companies, seamlessly blending into individuals’ inboxes. It only takes one individual within an organisation to make a mistake – click a link or share login details – and the attack begins. 

At times, it’s an indiscriminate mass attack where hackers seek an easy victory. However, there are instances when it serves as the initial stage of an orchestrated assault on a company. These precision strikes, commonly known as spear phishing, come with a distinct objective, such as stealing personal information or credentials. Attackers leverage specific details about employees or the company itself to craft convincingly deceptive messages. These socially engineered emails often elude email filters due to their sophistication. This puts organisations of all sizes, be it large corporate firms or small family-run businesses at risk of phishing attacks. 

As phishing techniques continually evolve to surpass filters and human detection, organisations must consistently update their staff on the latest strategies. Continuous training is vital to maintain knowledge and awareness. If uncertainty arises, promptly report any concerns to an IT team member. A good way to double check emails is by using the SLAM method below.

Use SLAM to spot phishing emails:

  • Sender: Check the email is from the company they pose themselves to be.
  • Links: If uncertain around links don’t click on them, they may contain malware. Instead, hover over the link in the email and check  it matches the pop-up in the bottom left corner of your browser. 
  • Attachments: Don’t click on any attachments from unfamiliar senders. If it is from someone you know just make sure the format matches their previous sends.
  • Message: Does the message make grammatical sense and are the spellings correct? Is the language consistent with past messages from the sender? 

How secure is your castle?  

The Arx platform contains a suite of tools to add to your defence such as employee awareness training, guides and resources and automated scanning. 

If you enjoyed today’s article, please give us a like, share or add your own comments and suggestions on combating social engineering attacks.  

You can find out more information at or by booking a platform demo here.