Phishing scams – publishing is vulnerable too. What you need to know

At Frontiers, everything we do is embedded in technology. In fact, did you know that around 35% of Frontiers staff work in technology? Ranging from data scientists to software engineers, system administrators, application support, desktop technicians, and more.

With that expertise in mind, we thought it would be helpful to share some tips, tricks, and guidance with you in an area which could impact your work and lives. We share this information with our own teams so we can help them focus on publishing high-quality science, and hope we can help you too.

Since the coronavirus pandemic erupted last year, many of us have moved to full remote working mode. Unfortunately, this is making cybercriminals happier, as their playground has grown. It is becoming more and more important that we stay extra vigilant against these threats, and pay close attention to keeping our systems and data secure as responsible cyber-citizens.

To illustrate what’s going on, here are a few statistics from over the last year:

  • In the UK, HM Revenue and Customs reported a massive 73% increase in email phishing attacks in the first six months of the pandemic, see this article in Infosecurity Magazine for more.
  • Survey findings reported in Security Magazine revealed companies were experiencing 1,185 phishing attacks every month last year.
  • The same survey found that 38% of respondents reported a co-worker had fallen victim to an attack.

If a phishing attack is successful, any number of things can happen from identity theft to data theft, username and password manipulation, the theft of funds, and fraud. Anything you were previously in charge of online, a cybercriminal may now be in charge of. Worrying, to say the least.

Scholarly publishing is an industry that is as vulnerable to phishing as any other. So below, we offer some guidance on what to look out for!

Let’s dive in, what is “Phishing”?

In a nutshell, phishing is fraudulent email messages which appear to come from a trusted source, with the goal of stealing sensitive information or even infecting your computer with malware. In the past, these emails were coordinated in mass campaigns. Today, however, they are growing increasingly sophisticated and targeted, and look incredibly authentic and convincing when you receive them.

So, how do you classify them?

  • Spear Phishing is a more targeted attempt to steal sensitive information and typically focuses on a specific individual or organization. These types of attacks use personal information that is specific to the individual in order to appear legitimate.
  • Whaling is a category of phishing which focuses on a high-level choice of target and is often targeted towards the senior management of businesses. These are harder to spot as the content and language will have more of a corporate or sophisticated tone.
  • Smishing is a type of phishing which uses SMS messages, rather than email to target individuals. This method involves sending an SMS to an individual’s phone number and usually includes a call to action that requires an immediate response.
  • Clone Phishing is when a legitimate and previously delivered email is used to create an identical email with malicious content. It will look very similar to something you have previously received but may come at an unexpected time and contain malicious links or attachments.

What to look out for

It is vital that individual cyber citizens take steps to ensure they are doing all they can to learn about the dangers of phishing attacks, including how to effectively recognize a phishing attempt. Common tell-tale signs include:

  • Bad grammar
  • Wrong email address in sender ID
  • Instructions that seem odd or unexpected
  • Tone of the text may be too formal or too friendly
  • Asking you to reset your password or enter payment details
  • Offering free discounts or refunds
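As an added example (not part of the original Frontiers post), the Python script below turns several of the tell-tale signs above into automated checks over a raw email message: a sender domain that is not on a known-sender list, a Reply-To address that points somewhere other than the From domain, a link whose visible text names a different site than its real destination, and password-reset or payment lures. The allowlisted domain, the lure phrases and the two sample messages are all constructed for illustration; a real deployment would feed it messages from a mail gateway or a user-reported-phish mailbox.

```python
"""Flag the tell-tale signs of phishing in a raw email message (example code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the domains the organisation really sends mail from.
KNOWN_SENDER_DOMAINS = {"example-journal.com"}

# Lure phrases drawn from the signs above (password resets, payment details,
# free refunds, artificial urgency). Constructed list, extend to taste.
LURE_PATTERNS = [
    r"reset your password",
    r"enter (your )?payment details",
    r"verify your account",
    r"free (discount|refund)",
    r"within \d+ hours",
]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the real host of a URL, ignoring any user@ prefix and port."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    return netloc.lower().split("@")[-1].split(":")[0]


def phishing_indicators(raw_message):
    """Return a list of human-readable signs found in an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []

    # Sign: wrong email address in sender ID.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain not in KNOWN_SENDER_DOMAINS:
        found.append("sender domain not on the known-sender list")

    # Replies silently routed to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        found.append("Reply-To points to a different domain than From")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # Link text that looks like a URL but leads to a different host.
    collector = _LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        if href and re.match(r"(https?://|www\.)", visible) and _host(visible) != _host(href):
            found.append(f"link text {visible!r} hides a different destination {_host(href)!r}")

    # Sign: asking you to reset a password, enter payment details, or act fast.
    plain = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    for pat in LURE_PATTERNS:
        if re.search(pat, plain):
            found.append(f"lure phrase matched: {pat}")
    return found


# Constructed sample: a credential-harvesting message with every sign present.
SAMPLE_PHISH = """\
From: "Example Journal Support" <support@example-journal-login.test>
Reply-To: billing@mailbox-collector.test
To: author@university.example
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<p>Dear Author, your account has been flagged. Please reset your password
within 24 hours: <a href="http://mailbox-collector.test/r">https://example-journal.com/account</a></p>
"""

# Constructed sample: a routine notification from the allowlisted domain.
SAMPLE_LEGIT = """\
From: "Example Journal" <noreply@example-journal.com>
To: author@university.example
Subject: Your manuscript has been received
Content-Type: text/plain; charset=utf-8

Thank you for your submission. Track its status by logging in at example-journal.com.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

The output is a list of reasons rather than a single verdict, which is what a help desk or a user wants when deciding whether to delete a message or open a support request. The link check in particular catches the case the eye misses: anchor text that reads as the publisher's own address while the href leads elsewhere.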

What should you do and not do?

  • If in doubt, delete the message. If it’s legitimate, the sender will come back to you through the official channels.
  • If the message is from a known sender or website and you have login details, go directly to the website yourself and check there using your known login information.
  • Never follow a link in an email to enter login details; instead, type the website's address into your browser and load it from its URL.
  • Never click a "pay" link or button in an email! You don't know where your payment will go.
  • Always use 2-step authentication and strong passwords where possible.
  • If someone is pressuring you for sensitive information, they are probably not an official representative of the business trying to contact you. Open a support request if needed to check it out!
  • If you have an IT Service team at your business or institution that can help you out, ask for assistance. Better to be safe than sorry.

There is a lot of information out there to help you recognize these types of scams; look further using your favorite search engine with the key phrase "How to recognize and avoid phishing scams".