Protecting from Phishing
Phishing has been the most prevalent form of cyber-attack for decades now, and the spread of coronavirus has seen a new wave of phishing attacks begin. In 2020, 83% of attacks on businesses and 79% of attacks on charities were phishing attacks (GOV.UK, 2021).
A phishing attack is a form of social engineering. Social engineering is a form of attack where an attacker lures or manipulates a person into performing actions or divulging confidential information. An example of a current phishing attack that has drawn in victims is a Royal Mail attack. The attacker sends out a text or email that professes to be from Royal Mail. This contains a statement that a parcel has been missed or not delivered and that a fee must be paid in order for the parcel to be redelivered. The text or email directs the victim to click a link in order to pay this fee, where they then enter confidential details such as their address and bank card details, believing this information is being given to Royal Mail. In fact, the information and the payment go directly to the attacker. Many people who fall victim to this scam may never realise that the process was not legitimate, due to the frequency of parcels that many people receive, or due to the convincing nature of the scam. Often, the site that the link leads the victim to is designed to precisely imitate the real company’s website and can appear very authentic.
The nature of phishing scams means they can easily evolve and progress to imitate organisations that are currently popular and relevant amongst the public or businesses. This enables phishing attacks to stay one step ahead.
It is difficult to understand the true severity of phishing, as many victims of phishing scams are too embarrassed to admit it. A survey by Barclays estimated this figure at around 50%.
What to do if you think you have received a phishing text or email
If you have received an email or text and you think it could be a phishing scam, but you aren’t sure, here are some signs to look out for and questions to ask yourself.
- Has it come from an email or number registered to that company? Is the domain the email was sent from an official company domain? You can search the email or the number that the text came from on any search engine to see if it belongs to the correct company. You may also be able to view the number of reports placed on that email or number if it has been used in phishing attacks before.
- Does it contain grammar and spelling mistakes? Scam emails and texts often contain spelling or grammatical errors, which makes them an easy sign to look out for. This is not always the case, but it is common. Sometimes the company name can even be spelt incorrectly.
- Does the email or text address you directly? Many phishing emails or texts are sent out to hundreds, if not thousands, of people at the same time. This means that the emails or texts do not refer to you directly but may use terms such as ‘Dear Customer’, or may have no introductory terms at all. You can still receive phishing scams that address you directly, but this is unlikely.
- Are you being asked for personal information? The purpose of phishing attacks is to gain access to personal information, so most phishing scams will ask you for this, or direct you to click a link in order to do so. In general, organisations will NOT ask for any personal information over email or text. The best thing to do is to contact the organisation directly.
- Contact the organisation! If you have any doubt about whether a text or email you have received is genuine, contact the organisation directly through their website or by using any contact details they have listed on their website. Do not enquire through contact details given in the suspicious email or text. The organisation will be able to verify the legitimacy of the email or text, and any issue identified in the email or text, if real, can be resolved with the organisation directly, where you know it can be handled safely.
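The checks above for sender domain, greeting, requests for personal information and link destination can also be automated for mail triage. The following is an added example, not part of the original article: the sample message is constructed, and the list of official domains is an assumption supplied by whoever runs the check.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message); the sender and link domains are placeholders.
SAMPLE = """\
From: Royal Mail <delivery@royalmail-redelivery.example>
Subject: Your parcel could not be delivered

Dear Customer,

We missed you. To arrange redelivery, pay the fee and confirm your
card details here: http://royalmail-redelivery.example/pay
"""

GENERIC = {"customer", "user", "sir", "madam", "client", "member"}
GREETING = re.compile(r"(dear|hi|hello)\s+(\w+)", re.I)
PERSONAL = re.compile(r"\b(card details|bank details|password|date of birth)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def on_domain(host, official):
    """True only for an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)

def phishing_signs(raw, official):
    """Return the warning signs found in a plain-text, single-part email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    signs = []
    # Sign 1: the visible sender address is not on the organisation's domain.
    sender = parseaddr(msg.get("From", ""))[1]
    if not on_domain(sender.rpartition("@")[2], official):
        signs.append("sender domain is not official")
    # Sign 2: generic greeting such as 'Dear Customer', or no greeting at all.
    first = next((l.strip() for l in body.splitlines() if l.strip()), "")
    m = GREETING.match(first)
    if m is None:
        signs.append("no greeting")
    elif m.group(2).lower() in GENERIC:
        signs.append("generic greeting")
    # Sign 3: the message asks for personal or payment details.
    if PERSONAL.search(body):
        signs.append("asks for personal information")
    # Sign 4: links that lead somewhere other than the official site.
    for url in URL.findall(body):
        host = urlparse(url).hostname
        if not on_domain(host, official):
            signs.append(f"link to unofficial host: {host}")
    return signs
```

An empty result does not prove a message is genuine, since the visible sender address can be forged; contacting the organisation directly remains the deciding step.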
What to do if you think you have been the victim of a phishing scam
- We’ll say it again, contact the organisation! They can help you take steps towards lessening the impact of a phishing scam. They are likely to have dealt with people who have previously suffered from phishing attacks. They can help you reset your details and secure your account.
- Change your passwords! If you have entered or given away your account details, you need to change them to prevent the attacker accessing your account.
- Contact the bank! If you have entered your bank details, you must contact your bank as soon as possible. They can restrict access to your account and disable your bank cards or details from being used, preventing the attacker from accessing your account and your money. You will be able to request a new card and account details that will not have been compromised.
- Report it to Action Fraud! If you have been the victim of a phishing attack (or any fraud or cybercrime offence) and have incurred a financial loss or have been hacked as a result, you should report this to Action Fraud. Action Fraud is the UK’s national reporting centre for fraud and cybercrime across England, Wales and Northern Ireland. If you have received a suspicious email you can forward it to firstname.lastname@example.org. If you receive a suspicious text you can forward it to 7726. You can visit https://www.actionfraud.police.uk/ to find out more, or report an attack. If you reside in Scotland you can visit https://www.scotland.police.uk/advice-and-information/scams-and-frauds/ for more information on what to do.
How can we help?
The Digital Safety CIC offers free, no-obligation consultations to assess the digital health and security of your organisation. We also offer bespoke training and advice tailored to each organisation to help you best protect it. Visit our website to find out more or contact us for your personalised consultation.
GOV.UK (2021) ‘Cyber Security Breaches Survey 2021’. Department for Digital, Culture, Media & Sport. 24 March 2021. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021