“Hi, I’m the office manager, I’m about to catch a flight and I can’t call, could you send me the company credit card number asap? I forgot it.”
If you think you would never fall for it, know that it is actually an extremely common and effective scenario.
Phishing is a cybersecurity attack that relies on a weak point that no antivirus will ever be able to counter: the person. For this reason, it is now common practice to train your employees against phishing attempts and create long and accurate cybersecurity procedures.
But the creativity of hackers is often surprising.
The urgency of the request
Going back to the example above, how many people would say no to a manager who writes directly from the company email address? You can't put it off: the manager is about to board a flight and will need the credit card.
Note how the characteristic of urgency is common to many scams, even before the advent of information technology. However, urgency is also a constant in corporate communications, and we cannot use it as the only alarm bell.
Another very common example of phishing in companies is the request to change an IBAN. Needless to say, it is a very urgent email, from the supplier's usual email address, asking that a new IBAN be used with immediate effect and that all subsequent payments flow there.
How long will it take before you notice the scam? Months, probably.
Such requests should trigger the multi-step verification procedures that each company designs according to its own needs. But it happens more and more often that employees, in a hurry, not suspicious of the tone of the email, or already confused and stressed by the anti-Covid procedures, change the IBAN without too many questions.
Can you repeat your login credentials?
Another very common case of phishing is that of login credentials. The most recent known case dates back to April 2020, against people connected to the University of Oxford. Hackers hijacked the University's mail server, sending messages to users that redirected to a seemingly secure server. There, the victims confidently entered their Office login credentials.
The redirection method is one of the most sophisticated, because if the domain you see looks trustworthy, why shouldn't you re-enter your credentials? Alternatively, you could receive an email with a link or an attachment inside. Obviously, from a known sender.
Golden Rules of Anti-Phishing in Business
Possible countermeasures are usually established by individual businesses, but some common rules apply:
- Do not enter your account credentials unless you are 100% sure of what you are doing;
- Always check the web address of the page you are accessing: if you need to access your bank's website, it is always better to manually enter the address into the browser (for example, typing www.tuabanca.it), rather than following a link. If the address bar instead indicates something like "oaweweijoei.tuabanca.ws", you are probably on a phishing site;
- If you still have doubts, check for the padlock next to the web address (which indicates a secure connection) and click on it to verify that the certificate is authentic. For example, if you are accessing your PayPal account, the certificate indicated should be this:
- Verify the email: hover over the supposed sender's address, and check that there are no accented letters or unusual characters in it. It seems like common sense, but there are plenty of cases of successful phishing using this technique;
- Call! Especially if the tone of the email is unusual, if the sender shows unusual haste, or if the text has strange grammar, as if it was translated with an automated tool;
- Do not send passwords and credentials to customers, even if they ask for them. Every system should have an automatic credential recovery procedure. In this regard, we recommend you read our in-depth study on two-factor authentication.
- Training, training and training: combined with some good cybersecurity practices, it is the only way to keep your employees and managers up to date on the new trends in corporate phishing.
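The two rules about checking the web address and verifying the sender's address can be turned into simple automated checks. The following is an added example, not code from the original article: it reduces a link's host to its registrable domain and compares it with the site you expect, and it inspects a From: header for non-ASCII look-alike characters, a domain that is not the supplier's, and a display name that pretends to be a different address. All domain names and addresses (tuabanca.it, fornitore.example, evil.example) are constructed placeholders, and the two-label domain rule is a simplifying assumption.

```python
# Added example (not part of the original article): automated versions of the
# "check the web address" and "verify the sender address" rules.
# All domain names and addresses are constructed for illustration.
import re
import unicodedata
from typing import List, Tuple
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ('www.tuabanca.it' -> 'tuabanca.it').

    Assumption: a two-label suffix. Real code should consult the Public Suffix
    List so that 'example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_on_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the link's host is the expected domain or a subdomain of it.

    Rejects look-alike registrations ('oaweweijoei.tuabanca.ws'), the expected
    name used as a subdomain of another site ('tuabanca.it.evil.example'), the
    user-info trick ('www.tuabanca.it@evil.example') and punycode (xn--) hosts.
    """
    parts = urlsplit(url if "//" in url else "//" + url)
    host = parts.hostname or ""          # .hostname drops user-info and port
    if not host:
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False                     # internationalised label: may hide a homoglyph
    return registrable_domain(host) == expected_domain.lower()


def split_from_header(from_header: str) -> Tuple[str, str]:
    """Split 'Name <addr>' into (name, addr); a bare address gets an empty name."""
    m = re.fullmatch(r'\s*"?([^"<]*?)"?\s*<([^<>]+)>\s*', from_header)
    if m:
        return m.group(1).strip(), m.group(2).strip()
    return "", from_header.strip()


def sender_warnings(from_header: str, expected_domain: str) -> List[str]:
    """Return the reasons a From: header looks suspicious (empty list = looks fine)."""
    reasons = []
    display_name, address = split_from_header(from_header)
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return ["malformed or missing e-mail address"]
    # Non-ASCII characters: 'fоrnitore' with a Cyrillic 'о' renders like the real name
    for ch in address:
        if ord(ch) > 127:
            reasons.append(
                f"non-ASCII character {ch!r} ({unicodedata.name(ch, 'UNKNOWN')}) in address")
    # The part after '@' must be the expected organisation, not a look-alike domain
    if registrable_domain(domain) != expected_domain.lower():
        reasons.append(f"address domain {domain!r} is not {expected_domain!r}")
    # A display name that itself contains an address is a common way to fake the sender
    if "@" in display_name and display_name.lower() != address.lower():
        reasons.append(f"display name {display_name!r} shows a different address")
    return reasons


if __name__ == "__main__":
    for url in ["https://www.tuabanca.it/login",
                "http://oaweweijoei.tuabanca.ws/login",
                "https://www.tuabanca.it@evil.example/"]:
        print(url, "->", "ok" if url_on_expected_site(url, "tuabanca.it") else "SUSPICIOUS")
    for hdr in ["Mario Rossi <mario.rossi@fornitore.example>",
                '"mario.rossi@fornitore.example" <attacker@other.example>',
                "Mario Rossi <mario.rossi@f\u043ernitore.example>"]:
        print(hdr, "->", sender_warnings(hdr, "fornitore.example") or "looks fine")
```

Both checks are deliberately strict: anything that is not plainly the expected organisation is flagged, which is the right default for a payment or credential request. The IBAN change scenario above is a good place to run the sender check: a warning there is the cue to pick up the phone.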
Finally, if you think you have been the victim of a phishing attack, do not pretend that nothing has happened. The best thing to do is to immediately speak to the managers in your company. Furthermore, we recommend that you immediately report any malicious sites: for this purpose, the Postal Police provides a very useful reporting page.