Whether you’re at home or at work, most of us will be familiar with unsolicited emails. Sometimes, they can be a relatively harmless effort to sell you goods or services — spam, in other words.
Other times, they can attempt to deceive and trick you out of your sensitive information. Usually, these communications claim to be from a trusted organisation or person, asking you to follow a link, download something or provide them with important details.
These are called ‘phishing’ attacks. They are usually messages sent to thousands of people, in the hope that even one or two end up parting with valuable sensitive information. Sometimes, they can be more carefully targeted to you or your business, which can make them even easier to fall for.
Not only are phishers smarter than ever, but there’s more of them, their numbers having soared during the pandemic. Last year, over £2.3bn was lost in phishing scams in the UK.
Whether the victim is a business or an individual, phishing can cause incredible financial consequences — not to mention stress and even embarrassment, as well as being an irritating distraction.
So, what is phishing?
Phishing is an attempt by online criminals to trick people into revealing sensitive information — like credit card, personal banking and account password details. These online scammers usually use email to contact their victims, although phishing by text message, phone call and platforms like WhatsApp, Messenger and Twitter are also common.
It’s classed as a ‘social engineering’ attack. As part of their activity, phishers usually want you to download an attachment or click a link. Sophisticated phishing attacks may take you to a fraudulent website where you’re invited to enter personal details.
A phishing attack could also install malware on your device(s). Malware is short for ‘malicious software’, a catch-all term referring to any type of computer program developed by cyber criminals — also often known as ‘hackers’ — to steal data or to damage computer systems.
Some phishers may get you to install software to remotely control your computer so that they can try to gain information about you that they can use to hold you to ransom. This could include locking you out of your devices and asking for payment.
To increase their chances of success, phishers make their communications appear as legitimate as possible. They may pretend to be a bank, a popular organisation, a company client or any other sort of legitimate entity. They may even impersonate one of your colleagues, friends or relatives, something known as spoofing.
Why do phishers do it?
You probably didn’t need us to tell you this, but the most common motive behind phishing is financial — whether that’s by stealing money directly, or by pinching data that can be sold on or used to hold you to ransom.
However, some phishing attacks — especially in recent years — can even have ideological or political motives. Understandably, these are usually aimed at larger organisations, bodies or individuals involved in important state or government activity.
How to spot a phishing email or text scam
Whether you’re at home or at work, phishing attacks can have devastating consequences. They usually start as an email, phone call or text. They are targeting the weakest link in your arsenal of protection – you. You can be manipulated or tricked.
They can do this by triggering false alerts and making you worry – ‘your mobile data limit has been reached’, ‘your email box is full and we need you to log in to continue access’, ‘your computer is infected with a virus…’, ‘we’ve detected fraudulent activity on your bank account…’ etc, etc.
So, although there’s no definite way of immediately identifying a scam, these top tips will give you the best chance of seeing through one, stopping you or your business being a victim of cybercrime…
1. Checking an email is from a trusted source
Inconsistencies in an email address are tell-tale signs of a phishing attempt. Don’t just trust the name of the sender. Check out the email address itself.
Explore any drop-downs near the sender field on the message, or check what’s inside the angled (< >) brackets or other parentheses. This may be displayed differently depending on your email provider or client. Here are a couple of examples:
Check, in particular, the domain name (the part that comes after the @... in an email address) matches up to any website, individual or organisation it’s claiming to be associated with. Often, phishers bank on people not checking addresses and domains.
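The domain check described above can be written down as a small rule that a mail client or a help-desk script could apply to the “From:” header. The following Python is an added example, not code from the original article or from We Are Your IT; the sample headers, the brand name “Example Bank” and the list of known domains are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample "From:" headers, written the way a mail client shows them
# (display name followed by the real address in angle brackets).
SAMPLE_FROM_HEADERS = [
    "Example Bank <alerts@examplebank.com>",            # display name and domain agree
    "Example Bank <security@examplebank-verify.net>",   # lookalike domain (constructed)
    "Example Bank <examplebank@mail-notify-123.com>",   # brand name only in the part before the @
    "Alerts <noreply@examplebank.co>",                  # domain resembles the brand, no claim in the name
    "Jane Smith <jane.smith@partner.example>",          # no brand claim, simply not on record
]

# Hypothetical list of domains the reader knows belong to organisations they deal with.
KNOWN_BRAND_DOMAINS = {
    "example bank": {"examplebank.com"},
}


def display_name(header):
    """The human-readable name shown by the mail client, lowercased."""
    name, _ = parseaddr(header)
    return name.strip().lower()


def sender_domain(header):
    """The part after the '@' in the actual address, lowercased ('' if none)."""
    _, addr = parseaddr(header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def check_sender(header, known=KNOWN_BRAND_DOMAINS):
    """Classify one From: header as ('ok' | 'suspicious' | 'unknown', reason)."""
    name = display_name(header)
    domain = sender_domain(header)
    if not domain:
        return ("suspicious", "no parseable address in the From: header")
    for brand, domains in known.items():
        token = brand.replace(" ", "")
        # Accept the known domain itself or any subdomain of it.
        matches = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in name:
            if matches:
                return ("ok", f"display name and domain both belong to {brand}")
            return ("suspicious", f"display name claims {brand} but the address domain is {domain}")
        if token in domain and not matches:
            return ("suspicious", f"{domain} resembles {brand} but is not one of its known domains")
    return ("unknown", f"{domain} is not on record; confirm via a channel you already trust")


def scan_headers(headers):
    """Run check_sender over a list of headers; returns a list of (header, verdict, reason)."""
    return [(h, *check_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10} {header}\n           {reason}")
```

The rule only says whether the address is consistent with the name it displays; an “unknown” result is not a clean bill of health, it just means the sender is not on the reader’s list, which is exactly the case where the article recommends ringing back on a number from the legitimate website.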
The same goes for a text message or phone call. Research the number — a quick tip is to just search it on Google. If the organisation or person claiming to be represented doesn’t appear, exercise caution. Other people may have reported and flagged the number, too. Maybe put the phone down and ring them back on the number shown on the legitimate website.
If you think you know the sender or person in question…
Check the email address against any previous ones. Also, ask yourself whether it’s out of the ordinary for this person to be contacting you. Do they usually talk to you? Is the message a bolt from the blue? If so, exercise extreme caution in clicking any links or attachments.
You may receive a bogus phone call, perhaps claiming to be from someone in your organisation. Are you expecting this call? Are they adopting a strange tone, or requesting information?
If something doesn’t feel right, don’t be afraid to just hang up and report the incident. If you have a line manager, be sure to contact them right away. If you’re the business leader or have the responsibility, get in touch with Action Fraud, the UK’s National Fraud & Cyber Crime Reporting Centre.
It’s good general practice to treat any unexpected communications — and any software, links or attachments they show you — with suspicion and caution.
2. How do I know an attachment or link is safe?
Since the ultimate aim of any phishing scam is to trick you into parting with sensitive information, the phishers need you to take some action that compromises you. Most often, this is through clicking a link — often disguised as a button — or downloading an attachment.
Links can easily be made to look legitimate. To see whether one is, hover over it (or any buttons on an email) with your cursor — a pop-up towards the bottom left of your browser window usually helps to reveal if it’s taking you to a strange-looking website. It may contain a rogue-looking series of words or letters.
If this is the case, you should not click it.
It’s sensible practice to not follow any links or open any attachments you’re not expecting to receive, particularly from people you do not recognise or do not do business with. The same applies for strange-looking software. Unless you’re expecting to receive something from someone you do business with or know closely, exercise caution.
If you’re not sure exactly what we mean by a link or attachment, hopefully the points below help to clear things up.
- A link, also known as a hyperlink, is something that takes you to a destination on the web. These often start with ‘http’ and are often underlined. When you hover over the link, a destination usually appears near the bottom-left of your screen or browser window. Links can easily be disguised to look legitimate, and can take you to websites that also look legitimate but then steal sensitive information from you.
- An attachment is a computer file sent within an email message. These usually appear at the bottom of the email. If you download this attachment, your computer may be infected with malware (which most people know as a virus). These can damage your computer system and steal your information.
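The hover check above compares what a link says with where it actually goes. The same comparison can be done programmatically over the HTML of a message, which is how a mail gateway or a support team might triage a reported email. This Python is an added example, not code from the original article or from We Are Your IT; the sample email HTML and every domain in it are constructed, and the “registrable domain” helper is a deliberate simplification (last two labels only, no public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the HTML body of a suspicious email. Every domain here is made up.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is full. <a href="http://login-verify-mail.example.net/x">Click here to log in</a></p>
<p>Or visit <a href="https://accounts.example.com/settings">https://accounts.example.com</a></p>
<p>Problems? <a href="https://example.com.account-check.example.org/">example.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # inside an <a>, possibly nested in <b>, <span> etc.
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url_or_text):
    """Hostname of a URL; bare text like 'example.com' is treated as a URL too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels. A real check would use a public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_link(text, href):
    """Return ('ok' | 'review' | 'suspicious', detail) for one link.

    'suspicious' means the visible text names one site but the target is another;
    'review' means the text is plain words, so only the real destination can be judged."""
    target = host_of(href)
    if not target:
        return ("suspicious", "link has no host in its target")
    text_looks_like_address = "." in text and " " not in text
    if text_looks_like_address:
        shown = host_of(text)
        if registrable(shown) != registrable(target):
            return ("suspicious", f"text shows {shown} but the link goes to {target}")
        return ("ok", f"text and target both belong to {registrable(target)}")
    return ("review", f"destination is {target}")


if __name__ == "__main__":
    for text, href in extract_links(SAMPLE_EMAIL_HTML):
        verdict, detail = assess_link(text, href)
        print(f"{verdict:10} [{text}] -> {href}\n           {detail}")
```

The third sample link is the pattern the article warns about: the link text reads like the real site, but the genuine-looking name is only a subdomain of a completely different domain, which is why the comparison is done on the registrable part rather than on the start of the hostname.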
3. A sense of urgency or threats
Phishers play on our emotions to get what they ultimately want — you to click a link or download an attachment. To do so, they inject a sense of urgency. You might see messages like ‘quick — you must act within 24 hours!’.
Sometimes they appeal to your curious side to get you to click the attachment or link — ‘have you seen this photo of you?’; ‘why haven’t you paid this invoice?’. Even though a message like this may immediately grab your attention and even shock you, don’t click these links or attachments and seek a second opinion.
Do not respond to any messages, click any links or download any attachments from senders promising the world — especially if you don’t know them and aren’t expecting a message!
4. A strange, unusual or unfamiliar tone
Sometimes, phishers can pose as your friends, relatives, colleagues, clients or suppliers, inviting you to share sensitive information. This type of phishing is called spoofing. They are trying to make you think they are someone you trust.
An email may claim to be from someone in the business, usually asking for either a payment or access to their systems or software.
A bit of common sense can help you to see through these cunning phishing attempts. Ask yourself the following…
- Are they using the same language and turn of phrase they normally use? Do they sound overly friendly or formal? If a family member or close friend suddenly says ‘Dear…’, for example, suspicion should be aroused…
- Does this friend, client, supplier or colleague usually message you, or someone else in your friendship group or organisation?
- Are they using any nicknames or phrases you associate with them?
- If it’s an email, do they have the same font, text size or colour they usually use?
- Do they usually message you over the particular platform they’re reaching you on?
Are they trying to direct you to a link, get you to open an attachment or get you to provide critical details? Needless to say, don’t click, open or download anything suspicious.
These sorts of phishing attempts — where an attacker tries to imitate someone you know — can also occur over text message, Facebook Messenger or WhatsApp; their account may have been compromised. If you click any links or attachments, you could be next!
The same principle — of spotting a strange tone — can be used for identifying bogus phone calls. If you’re not expecting a call, and its contents are rather out-of-the-blue, suspicion should be aroused.
5. Poor-quality imagery, dodgy formatting and bad spelling
Phishing emails are often created and built shoddily, occasionally by scammers without good digital marketing or design skills.
You may notice the text is formatted strangely — perhaps it just doesn’t look right. Images may be grainy or stretched out — ask yourself whether this would be quite unusual or unprofessional from the institution, organisation or individual claiming to be represented.
Similarly, phishing emails or text messages can often have poor wording. Many originate from overseas, where their creators may not speak English as their first language. Although it’s entirely possible for them to have impeccable grammar and spelling, more often than not a discerning eye will be able to spot some errors.
After all, it’s unlikely that any reputable bank, for example, would allow glaring typos to slide in their email communications! The same goes for any website a phishing email, text or call directs you to: does it look professional and well designed? If not, it may be wise to click away…
We Are Your IT: for IT peace of mind
Once you know the tell-tale signs of a phishing email, it becomes much easier to spot them straight away. Thankfully, many email providers are automatically flagging suspicious emails.
Whether you need a tech helping hand at home — perhaps boosting the security of your devices — or your business IT strategy could benefit from greater cybersecurity, our team of engineers are on hand to help.
From wobbly WiFi to dodgy device repairs, from online security concerns to fully-managed business IT solutions, we help households and businesses to succeed with their IT.
Oh, and whilst you’re here, be sure to check out more of our expert insights over on the Learning Hub!