Phishing is the term used when attackers try to trick you into handing over your information so they can use it without your permission.
It sounds like ‘fishing’ for a reason. It is just like when a fisherman puts bait on a hook to try and catch the fish. These attackers use bait and tricks to try and catch you, the victim. They will then use the information you give them to take advantage of your accounts.
There are lots of different ways attackers might try to do this, but the most common one is phishing emails. These emails look like trustworthy, genuine emails from people or companies you know.
But in reality, they’re actually trying to fool you. They want you to put personal information like your bank details into scam websites.
There are lots of personal details which probably don’t seem too important to you. But if they fall into the wrong hands they can do a lot of harm. Here are some examples of simple, personal information attackers could use to exploit you:
- Your full name
- Your date of birth
- Your bank account details
- Your National Insurance number
- Names of your children or immediate family
- Where you work
- Name of your manager
The first phishing emails appeared in the 1990s. Since then, phishing has become a huge problem. It can target everyone from a teenager using a computer to the head of a big company. Some experts estimate that over 1 million new phishing websites appear every year.
You’ve probably already come in contact with one. Maybe a Nigerian prince who needs someone to share his £50 million fortune with contacted you. Or your long lost aunt has left you a huge inheritance. Her solicitor just needs your bank details to deposit the money.
The easiest way to protect yourself from phishing emails is to educate yourself. It is important to learn what they look like, how to recognise them and then what to do if you receive one. We’ve broken all this down below, so the next time you get one, you’ll know what to do.
What are phishing emails?
As we’ve said, phishing emails are one of the most common ways attackers try to scam you. The attackers try to get personal information through emails to then use for harm.
These emails are usually disguised as something trustworthy. They could be pretending to be your bank asking you to reset your password. Or Tesco’s asking you to reconfirm payment details for your grocery delivery. They will then use these details to take advantage of your accounts and money.
Phishing emails almost always contain a link to a website. This website is where they’ll ask you to input your personal information, which the attackers then use. The website may also try to infect your computer with malware. Malware is software designed to damage your computer, give an attacker control of it, or steal the data stored on it and the details you type into websites.
The website may look exactly like the real one it is imitating, especially in more sophisticated attacks. In a serious attack, it can be almost impossible to tell from the look of the page alone that it is fake.
Usually, the only reliable difference between the fake website and the real one is the URL or web address. Sometimes there are other small differences, which we’ve explained below.
The most common types of phishing emails
The three most common types of phishing emails are:
- Normal, generic phishing emails. These go out to a large group of people and won’t target you personally, so they contain only non-specific information. They probably won’t include anything that links to you as a person, which makes them one of the easiest to spot.
- Targeted phishing emails called ‘spear phishing’. This is when the attackers use information that applies to you. This could be pretending to be your bank, and using your name and address correctly. This is an especially tricky type of phishing email to spot and to protect yourself against.
- Clone phishing. Clone phishing is when attackers copy an email you have genuinely received before from a real person or company. They keep the content and formatting but replace the URL or website link with one that points to their own website. If you once received an email from your boss, they could resend the exact same message with only the link changed. Clone phishing often follows an earlier compromise: the attacker has got into a mailbox or computer that sent or received the original message, and uses it as a springboard onto other people and computers.
How do phishing emails work?
The basic concept of a phishing email is that you receive it into your inbox and open it. There will usually be some kind of trick inside to attempt to fool you.
This trick can come in any form. Usually it will centre around money, inputting personal details or a free gift. Quite often, it is something that seems too good to be true.
Once the attackers have your personal information they can do things like:
- Make purchases using your cards or your accounts
- Steal your money
- Open credit cards in your name
- Add other names to your bank accounts
- Abuse your National Insurance number
- Misuse your address or telephone number
- Get a payday loan
- Sell your information to other people who will misuse it
Some examples of phishing scams are:
- Completing a survey to win a free prize. This survey will often start with asking you to fill in some personal details. Once you do this, you will also provide your address to receive the free gift. They now have information about you, including your name, email address and where you live.
- Re-confirming an order. Say, for example, you order goods from Amazon or eBay. The attackers may email you asking you to reconfirm your payment details, claiming the payment was unsuccessful. They may have copied the Amazon email layout and logo perfectly. This is how they then get hold of your credit card or bank details.
- A family member or friend needs money immediately because they are in trouble ‘abroad’. This is a common one, and a difficult one if you can’t spot it. It is very rare for a friend or family member to email you asking for money. If you feel unsure, contact them by phone, or through another channel you already use with them, to verify it is really them.
- Your workplace needs you to re-confirm bank details so you can receive your paycheck. Attackers may try to pose as the HR department in your office. They could send an official looking email with a general admin request. Call the office and double check it is legitimate before disclosing any bank details.
- If you’re a business owner, attackers may pose as one of your suppliers. They could email you asking you to re-confirm company or bank details for one of their invoices. Check the request using the contact details you already hold for the supplier, not the ones given in the email.
How to recognise phishing emails
Phishing emails can seem very scary and you may worry about how to spot them. There are lots of different ways you can point out a phishing email from a genuine one. So next time you receive one, you won’t need to worry.
Here are the main signs that an email is a fake, phishing email:
- Misspelled URLs. This means the link they try to send you to isn’t spelt right. If you bank with HSBC or Natwest and you receive a phishing email pretending to be them, you may notice the link is wrong. They may use something like Netwest or HSSBC. This can be difficult to spot if you don’t know to look out for it. Next time you receive an email asking for personal information, double check the URL. This could be your first clue.
- Too good to be true? The best way to spot a phishing email is to ask yourself, ‘Is this too good to be true?’. It is unlikely a prince from a foreign country will want to share money with you. It is also unlikely that you have won a 5* holiday to the Bahamas without entering any competitions. Also, if a relative has left you money, often you won’t receive an email about it. If you think the email is too good to be true, it probably is.
- Poor spelling and grammar in the email. It may be a phishing email if the email doesn’t make sense, has lots of spelling mistakes or looks odd in general. Often, attackers use Google Translate to send emails in lots of different languages, which can make the English hard to understand. Look for strange formatting, spelling and grammar before entering any details. Bear in mind that the more careful attackers make no such mistakes, so good spelling on its own proves nothing.
- Odd or shortened URLs. This is different from the first point, where the URL has spelling mistakes. Often, attackers spell the brand name correctly but change the address slightly, for example turning www.tesco.com into www.tescos.com, or putting the real name at the start of a longer address that actually belongs to them. This is almost impossible to spot if you’re not familiar with the official website URL. If you’re unsure, do a Google search and see what the official one is. Shortened links (bit.ly and similar) are another warning sign, because they hide where the link really goes. Hover over a link before clicking it and check that the destination shown matches the text of the link.
- Check the sender’s email address. Some attacks look very professional and use the right company logo, but the sender address may give them away. Your email program shows a display name, which the attacker can set to anything; look at the actual address behind it, and in particular at the part after the @ sign. Quite often this is a strange address that the real company would never use. Be aware that a convincing address is not proof either, since the sender address itself can be forged.
- Lack of personal details. If the email gets your name wrong or doesn’t greet you at all, that is a common sign of a phishing attempt. If they use Mr instead of Mrs or vice versa, it suggests they don’t know you personally and have most likely obtained your details from somewhere they shouldn’t.
- They use threatening language. This is to make sure that you panic and give away information before you stop to think. They may say things like ‘Your account will be closed if you don’t reply today!’. Genuine organisations rarely demand instant action like this, so pressure of this kind is a strong warning sign.
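The checks above (misspelled and lookalike domains, shortened links, a real site’s name buried inside someone else’s address, link text that disagrees with the link’s destination, a display name that doesn’t match the sender address, and pressure language) can be turned into a small automated check. The following is an added example, not code from the original page; the list of trusted domains, the shortener list, the pressure phrases and the sample email are all constructed for the example, and the one- or two-letter edit-distance threshold is a heuristic that can be tuned.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains each brand really uses. Constructed for this example; a real
# checker would keep a maintained list, or use the sites you already bookmark.
TRUSTED = {
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
    "natwest": {"natwest.com"},
    "tesco": {"tesco.com"},
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Public suffixes that take two labels; enough for the UK domains above.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}
URGENCY = ("will be closed", "immediately", "within 24 hours", "suspended")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """The part of a hostname its owner actually controls: 'secure.hsbc.co.uk'
    -> 'hsbc.co.uk', but 'hsbc.co.uk.login-check.com' -> 'login-check.com',
    because there the bank's name is only a subdomain someone else created."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, brand):
    """Why `host` does not belong to `brand`, or None if it is genuine."""
    reg = registered_domain(host)
    trusted = TRUSTED[brand]
    if reg in trusted:
        return None
    if reg in SHORTENERS:
        return f"shortened link hides the real destination ({reg})"
    if any(edit_distance(reg.split(".")[0], t.split(".")[0]) <= 2 for t in trusted):
        return f"lookalike of a {brand} domain ({reg})"
    if brand in host.lower():
        return f"{brand} name used inside a domain it does not own ({reg})"
    return f"domain unrelated to {brand} ({reg})"


def host_of(url):
    """Hostname of a URL, or '' if urlparse rejects it (e.g. stray brackets)."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def check_link(href, text, brand):
    """Warnings for one link: where it really goes and what its text claims."""
    findings = []
    host = host_of(href)
    if urlparse(href).scheme != "https":
        findings.append(f"link is not https ({href})")
    reason = classify_domain(host, brand)
    if reason:
        findings.append(reason)
    # Visible text that looks like a web address but points somewhere else.
    shown = host_of(text if "://" in text else "https://" + text.strip())
    if "." in shown and registered_domain(shown) != registered_domain(host):
        findings.append(f"text shows {shown} but the link goes to {host}")
    return findings


def check_sender(from_header, brand):
    """Does the address behind the display name match the brand it claims?
    A matching domain still proves little: From can be forged, which is what
    SPF, DKIM and DMARC exist to detect on the receiving mail server."""
    name, addr = parseaddr(from_header)
    reason = classify_domain(addr.rpartition("@")[2], brand)
    return [f'"{name}" <{addr}>: {reason}'] if reason else []


def scan_email(from_header, html_body, brand):
    """All findings for one message; an empty list means nothing suspicious."""
    findings = check_sender(from_header, brand)
    hits = [p for p in URGENCY if p in html_body.lower()]
    if hits:
        findings.append(f"pressure language: {', '.join(hits)}")
    for href, text in LINK_RE.findall(html_body):
        findings += check_link(href, re.sub(r"<[^>]+>", "", text), brand)
    return findings


# Constructed sample message for the example, not a real email.
SAMPLE_FROM = "HSBC Online Banking <alerts@hsbc-secure-login.com>"
SAMPLE_BODY = """<p>Your account will be closed if you don't reply today!</p>
<a href="https://hsbc.co.uk.login-check.com/verify">www.hsbc.co.uk</a>
<a href="http://hssbc.com/reset">Reset your password</a>
<a href="https://bit.ly/xyz">Help centre</a>
<a href="https://www.hsbc.co.uk/contact">Contact us</a>
"""

if __name__ == "__main__":
    for finding in scan_email(SAMPLE_FROM, SAMPLE_BODY, "hsbc"):
        print("-", finding)
```

Run against the sample, the checker reports seven problems: the sender’s domain merely contains the bank’s name, the body uses pressure language, the first link shows www.hsbc.co.uk but leads to a different registered domain, the second link is not https and is a one-letter typosquat, and the third hides its destination behind a shortener. Only the last link, which really is on hsbc.co.uk, passes. The important design point is `registered_domain`: a naive check for “hsbc” anywhere in the address would have accepted the first link, which is exactly the trick the attacker is relying on.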
How to avoid phishing emails
Learning how to recognise phishing emails is very important. Something else which is important is learning how to avoid receiving them altogether.
There are certain protective measures you can take. These reduce the chance of fraudulent emails reaching your inbox, and limit the damage if one does.
- Keep your operating system, web browser and security software up to date. Good security software and your email provider’s spam filter include phishing filters that block many fraudulent emails and known phishing websites, though never all of them.
- Don’t visit or sign up to websites you don’t recognise or that look unofficial. Giving such sites your email address is one way it ends up on lists attackers use to target you in the future.
- Always look for the padlock next to the web address in your browser’s address bar (in most browsers it appears at the left-hand end of the address). If there is no padlock, the connection is not secure and you should never enter personal details. Be aware, though, that the padlock only means your connection to the site is encrypted; it does not prove the site is genuine, and phishing websites very often have a padlock too. Check the address itself as well.
- Keep yourself up to date with new phishing scams using this website:
- Make sure all your accounts have strong passwords that would be hard to guess, and use a different password for each account. A phishing site steals whatever password you type into it, however strong it is, but if that password is unique the attackers get into one account rather than every account that shares it.
- Delete any messages you think are spam or phishing without replying to them or clicking any links in them, including ‘unsubscribe’ links. Block the sender, and if your email service has a ‘report phishing’ option, use it so the filters improve.
- Turn on two-factor authentication for all your online accounts. This is like your bank not relying on your password alone: it also uses a second check, such as texting you a PIN, to make sure it is really you. It means a stolen password is not enough on its own. Where you have the choice, an authenticator app or a physical security key is stronger than a text-message code, because a code you type in can itself be phished.
- Check your online accounts often for any unusual logins or behaviour.