Phishing covers any website, online service, phone call or text message that impersonates a legitimate company or brand you recognise and uses social engineering to convince you to hand over valuable personal details (for example account passwords), send money, or download something that infects your computer.
Below are the main variants of this social engineering technique:
Phishing is the practice of using e-mail to persuade you to give up personal or work information. The messages will often look legitimate and professional.
Spear phishing is the same as phishing, but the attack is aimed at a specific person or team rather than sent with a scatter-gun approach. These attacks tend to be more sophisticated because the attacker has done more homework on the target. Whaling is spear phishing aimed at a senior manager.
Vishing is the practice of using the telephone to get you to hand over your personal or work information.
Smishing uses SMS (text messaging) to obtain the same information.
The UK's National Cyber Security Centre (NCSC) and the Centre for the Protection of National Infrastructure (CPNI) have teamed up to offer more advice on spear phishing, which is available on the CPNI website.
Spotting the signs
Some phishing scams look very professional, and the e-mail content or the web links within it can take you to websites that look exactly like the legitimate site they are imitating. There are some tell-tale signs to look for though:
- The spelling, grammar, graphic design or image quality is poor. The sender may use odd ‘spe11lings’ or ‘cApiTals’ in the e-mail subject to fool your spam filter.
- If they know your e-mail address but not your name, the message will begin with something like ‘To our valued customer’, or ‘Dear...’ followed by your e-mail address.
- The website or e-mail address doesn’t look right. Look at the domain name itself: authentic addresses are usually short and don’t contain irrelevant words or phrases, and a phishing address may swap in lookalike characters (a digit ‘1’ for the letter ‘l’, for example). Businesses and organisations don’t send official mail from web-based addresses such as Gmail or Yahoo.
- If your work account has been compromised, you may notice e-mails in your sent items that you did not send, or e-mails marked as read that you have not actually read.
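The signs listed above can be turned into simple automated checks. The following Python script is an added example, not part of the original page or of any NCSC/CPNI material: it parses a constructed sample e-mail (an invented message, not a real phishing sample) and reports the freemail sender domain, the obfuscated subject, the generic greeting, and a link whose visible text points at one domain while its actual href points at a lookalike. The freemail domain list, the greeting phrases and the two-label domain comparison are illustrative assumptions rather than a complete or production-grade filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (invented for this example, not a real phishing e-mail).
# It deliberately shows several tell-tale signs at once.
SAMPLE_EMAIL = """From: "Your Bank" <security-team@gmail.com>
To: jane.doe@example.org
Subject: Urgent Acc0unt VerIfIcaTIon Required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear jane.doe@example.org,</p>
<p>Please <a href="http://examp1e-bank.co/login">https://www.example-bank.com/login</a>
to confirm your details.</p>
</body></html>
"""

# Assumption: a short illustrative list of web-based (freemail) providers.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Assumption: greeting phrases that indicate the sender does not know your name.
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear user", "dear sir/madam")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-case host of a URL (a scheme is assumed if missing); '' if unparseable."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_part(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain (no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def body_text(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_signs(raw_message: str) -> list:
    """Return a list of human-readable warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    signs = []

    # Sign: a business sending from a web-based (freemail) address.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if sender_domain in FREEMAIL_DOMAINS:
        signs.append(f"sender uses freemail domain {sender_domain}")

    # Sign: subject obfuscated with digits inside words or lower-to-upper case switches.
    for word in msg.get("Subject", "").split():
        if re.search(r"[A-Za-z]\d[A-Za-z]", word):
            signs.append(f"digit inside a word in subject: {word!r}")
        elif re.search(r"[a-z][A-Z]", word):
            signs.append(f"odd capitalisation in subject: {word!r}")

    # Sign: generic greeting, or a greeting that uses your e-mail address instead of a name.
    body = body_text(msg)
    text = re.sub(r"<[^>]+>", " ", body).lower()
    _, recipient = parseaddr(msg.get("To", ""))
    if recipient and f"dear {recipient.lower()}" in text:
        signs.append("greeting uses the recipient's e-mail address instead of a name")
    elif any(g in text for g in GENERIC_GREETINGS):
        signs.append("generic greeting (valued customer style)")

    # Sign: visible link text names one domain but the href goes to a different (lookalike) one.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, anchor_text in extractor.links:
        if " " in anchor_text or "." not in host_of(anchor_text):
            continue  # anchor text is not URL-like, nothing to compare against
        shown, actual = registrable_part(host_of(anchor_text)), registrable_part(host_of(href))
        if shown != actual:
            signs.append(f"link text shows {shown} but href points to {actual}")
    return signs


if __name__ == "__main__":
    for sign in phishing_signs(SAMPLE_EMAIL):
        print("-", sign)
```

Running the script against the sample prints five warnings. The link check is the one worth keeping in mind as a reader: hover over (or long-press) a link and compare the real destination with the text you see, because the visible text is entirely under the sender's control.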
The Google link below has a short quiz that shows examples of how to spot the signs of phishing.
So, how do you avoid getting reeled in by the phishers?
- Never respond to requests for personal information sent via e-mail, phone or SMS.
- Visit websites by typing the URL into your address bar or by using a legitimate search engine rather than following a link that has been sent to you.
- Check that the website uses encryption (the padlock in the browser's address bar), but remember that the padlock only means the connection is encrypted, not that the site is genuine; phishing sites use HTTPS too, so also check that the domain name is the one you expect.
- Always check your credit card and bank statements for unusual transactions.
Help and advice
Phishing e-mails can be very difficult to spot, so if you are in any doubt follow the same advice as for any spam message and just delete it.
If you have responded to a phishing e-mail by replying, or by clicking on a link and entering any personal details, report it to your IT Support so it can be investigated and remediated. If you think it may have caused a data breach, also report it to your DPO.
If you receive a phone call from someone asking for personal information or trying to connect remotely to your device, politely hang up. Only allow an IT person to connect to your device once you have verified that they are legitimate.
If you want to report phishing attempts that have occurred outside of work, further advice is available on the UK Action Fraud website.
If you need further help then please contact your local IT Support.