What is a phishing attack?

A phishing attack is a type of cyber-attack in which a scammer attempts to get hold of your usernames, passwords, bank details, etc. by sending you a text or email disguised as an important message from a recognisable source. This could be your bank, your managing director, or a large, well-known company. Their aim is to get you to interact with the message (e.g. by clicking on links to malicious websites or downloading attached malware files) so that they can steal your personal information.

Phishing messages can be very convincing and mimic legitimate companies’ communications to trick you into interacting with them. Often they are written in urgent language and designed to panic you into an immediate response, such as clicking on a link or downloading an attachment. The scammer’s objective is to obtain your personal details for their own financial gain, which can leave you suffering personal financial losses.

But don’t panic! Here are some easy tips that you can use to help spot potential phishing attacks:

Sending Domain Names

Often phishing attacks will appear to come from a large or legitimate company using the correct domain name, e.g. customerservice@wellknowncompany.com, but on closer inspection, when you hover your mouse over the email address, the true address the email was sent from is revealed. The scammer’s true email address will often use a public domain such as gmail, outlook or a similar provider, e.g. fraudster123@gmail.com; this is a sign that the email you have received is likely to be a phishing email, as legitimate companies will almost never use these types of domain names. Always check whether the legitimate company is actually messaging you.

Scammers can be very devious and will create email addresses that are very close to the legitimate company’s email account but have an extra letter or full stop added, or a character swapped. These can look very similar to a legitimate source and are much harder to spot, e.g. @instagam.com or @amaz0n.com. If you are unsure whether the sender is legitimate, you can find the company’s contact email or phone number by doing a web search using a search engine.

Email errors/language

These are spelling mistakes or grammatical errors in the phishing message which indicate that it has not been sent from a reputable source. Phishing attacks often come from attackers whose first language is not English, or who have been using an online translator, and so they are prone to spelling and grammatical errors that native speakers are less likely to make. Legitimate companies are also unlikely to make these types of mistakes in official communications. These mistakes can make the email hard to read and are a ‘tell-tale’ sign that the message received is a phishing attack. If you are unsure, you can contact the company or person the message claims to be from by telephone and check that it originated from them.

Suspicious links

These are links included in a phishing email that, once clicked, direct you to a scammer’s malicious website claiming to be the website of a reputable company. These websites mimic the look of the real company’s website by using its logo and colours, and they include fields asking you to enter personal information such as your user account and password, banking information, etc. The scammer is hoping that you will enter your details so they are sent to them for their financial gain. Often, once the link is clicked it can already be too late, as the click can trigger hidden malware to be downloaded onto your computer without your knowledge, where it sits in the background gathering your personal details and sending them back to the scammer. Always check any links or attached files before clicking on them.
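The sender-domain and suspicious-link checks above can be automated. The following is an added example, not code from the original article: it flags public webmail senders, lookalike domains built from a dropped letter or a digit swapped for a letter (instagam.com, amaz0n.com), a display name whose address differs from the real one behind it, and links whose host is a lookalike. It goes slightly beyond the text by also treating a brand name used as a subdomain of another site (amazon.com.example.net) as a lookalike. The brand and webmail lists are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse
# Constructed for this example: brands the recipient deals with, and consumer
# webmail providers a company would almost never send official mail from.
KNOWN_DOMAINS = {"wellknowncompany.com", "instagram.com", "amazon.com"}
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # amaz0n -> amazon
SUSPICIOUS = {"lookalike", "public_webmail"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Return 'known', 'public_webmail', 'lookalike' or 'unknown' for a host name."""
    domain = domain.lower().strip(".")
    for good in KNOWN_DOMAINS:
        if domain == good or domain.endswith("." + good):
            return "known"  # the brand's own domain or a real subdomain of it
    if domain in PUBLIC_WEBMAIL:
        return "public_webmail"
    normalised = domain.translate(HOMOGLYPHS)
    for good in KNOWN_DOMAINS:
        # Two edits from a brand (instagam.com), or the brand used as a subdomain.
        if edit_distance(normalised, good) <= 2 or good + "." in normalised:
            return "lookalike"
    return "unknown"

def check_message(from_header, body):
    """Return warning strings for a raw From: header and the message body text."""
    warnings = []
    m = re.match(r"^(.*?)<([^>]+)>\s*$", from_header)
    display, real = (m.group(1).strip(), m.group(2)) if m else ("", from_header)
    real_dom = real.rsplit("@", 1)[-1].strip().lower()
    verdict = classify_domain(real_dom)
    if verdict in SUSPICIOUS:
        warnings.append(f"sender domain {real_dom} is {verdict}")
    # The "hover to reveal" case: display name shows a brand address, real one differs.
    if "@" in display and display.rsplit("@", 1)[-1].lower() != real_dom:
        warnings.append(f"display name shows {display} but the real sender is {real}")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if classify_domain(host) in SUSPICIOUS:
            warnings.append(f"link leads to {host} ({classify_domain(host)})")
    return warnings
```

Run `check_message("customerservice@wellknowncompany.com <fraudster123@gmail.com>", "Log in at http://amaz0n.com/login within 24 hours.")` to see all three kinds of warning raised on one constructed message.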

Panic Inducing/Urgent Requests and Piquing your Curiosity

Most emails you receive from legitimate sources will not require immediate action and simply communicate non-urgent information. Phishing messages will often try to create a sense of urgency and panic to make you act fast, e.g. “click this link to stop your account from being permanently deleted within 24 hours”. This is to force you into a quick decision to click on their link and provide your private information without taking the time to question who you are providing it to.

On other occasions a phishing email will try to pique your curiosity by telling you that you have won a prize in a competition, or that “someone has sent you a video that you are featured in”, and asking you to click the link to follow up. If the message is unexpected, this is again a ‘tell-tale’ sign that it is a phishing attack.


Top 10 tips

This information is not to make you fear your inbox, but to make sure you are well informed about some of the crafty practices scammers will try to use to get their hands on your personal information. Below are some final top tips to remember to stay protected:

  1. Check the email address and domain from the sender.
  2. If in any doubt, ring the sender and speak to them on a phone number that you already know.
  3. Do not click on any links contained in an email unless you are sure they are from the appropriate company.
  4. Even if the message seems vital/urgent, take a time out and think about it carefully before you act. Be suspicious of phrases like ‘send these details within 24 hours’ or ‘you have been a victim of crime, click here immediately’.
  5. Don’t open any unexpected attachments/downloads/QR Codes unless you are certain they are from a legitimate source.
  6. Check the spelling/grammar/language of the email.
  7. Is the contact very general (e.g. “dear valued customer…”) rather than addressed specifically to you?
  8. Encourage staff to tell their IT Manager/Supervisor if they have received a suspicious communication. Always report it.
  9. Watch out for emails from people claiming to be higher up in your organisation asking you to do something.
  10. If it sounds too good to be true, it is. Do not get sucked in.