Roughly 8.3 billion emails are sent each day in the UK and nearly half of them are spam or phishing emails.  That’s a whole lot of rogue and potentially malicious emails – and a pretty frightening number too!

We all know that spam is generally unwanted or irrelevant email, but what about phishing emails? 

In this blog we’ll be explaining what phishing is, how to spot a phish (or a vish, a smish or even a quish) and what to look for in a suspicious email, as well as sharing some tips and tricks to help you stay safe online.

So firstly, what is phishing?

Phishing is a method of attack used by cyber criminals, where they send malicious and deceptive messages to unsuspecting targets.  Their common goal is for the recipient to take some kind of action, whether that is providing usernames and passwords, downloading malware, visiting fake websites or even stealing financial information. It’s never a positive action.

How to spot a phishing attempt

Learning how to spot a phishing email is the best way to help prevent team members from falling foul of malicious emails.  Here are our top things to look out for or check:

• Check the sender’s email address:

Take a closer look at the sender’s email address.

Phishing emails often use email addresses that mimic legitimate sources but may have slight misspellings or contain random characters that you wouldn’t usually see in a normal website domain, for example 3154sdf5@dlh.co.uk.

• Look out for generic greetings or a sense of urgency:

Phishing emails often use generic greetings like ‘Dear User’ or ‘Hello’ and create a sense of urgency, like ‘ACT NOW’, pressurising you to take immediate action, whether that’s clicking a link or providing personal or sensitive information.

• Abuse of authority:

Another popular scam is for a criminal to impersonate a person of authority (such as your bank, the Inland Revenue or your Manager or Director) in order to manipulate you.  This type of message is typically coupled with the need for urgency and is an attempt to fool you into not asking questions.

• Hover over links without clicking:

Hover your mouse pointer over any links in an email without clicking them. This will reveal the actual destination URL.  Be cautious if the link doesn’t match the sender’s domain or appears suspicious.

• Check for typos, spelling or grammatical errors:

Phishing emails frequently contain spelling and grammatical mistakes. Be on the lookout for poorly written content, as it’s a common red flag.

• Verify requests for personal or financial Information:

Legitimate organisations rarely request sensitive information, such as passwords or credit card details, via email.  If an email asks for this information, independently verify its authenticity by contacting the organisation through their official channels.

But wait, there’s more…

Unfortunately, the traditional email phish is no longer the only tool in the cyber criminal’s arsenal and there are now multiple variations of this attack concept, including vishing, smishing, spear phishing, whaling, and the latest addition, namely quishing.

Vishing:  Vishing (or voice phishing) uses traditional phone communication – and criminals may use voice changers or even AI to obscure or impersonate voices, in an attempt to get you to take action.

Like traditional phishing emails, urgency and authority are often used to try and manipulate the victim.  Quick compliance is demanded in these situations, whether that’s a need to visit a website, provide information, or make a purchase.  The scammer’s goal is for their victim to take action, before they have the time to consider security.

Smishing:  Smishing is a phishing attack conducted through text messaging.  Because most phishing education and awareness campaigns typically focus on emails and computers, smishing attacks benefit from an increase in trust.  Bogus SMS or text messages can take the form of delivery notifications, alerts, or public service messages, and can appear to come from legitimate sources or organisations.

Spear phishing:  Spear phishing is a targeted and personalised version of phishing.  It is more sophisticated as it is likely to be tailored to you or your organisation and can therefore be harder to spot.  Information needed to customise these phishing attacks is typically gathered from news sites, company sites and social media, so it can appear to be very relevant, topical or timely. 

Whaling:  Whaling is an evolution of spear phishing.  Criminals understand that different victims have different potential value.  Whaling is the term used when a sophisticated phishing campaign is being launched against high-ranking individuals, so CEOs, CFOs, founders, etc.  As these individuals may have access to more valuable systems, data and confidential information, alongside busy schedules, they are prime targets for a well-crafted phish.

Quishing:  Quishing (QR phishing) is the most recent addition to the criminal’s toolkit.  Quishing campaigns use similar pretexts as all other phishing campaigns, but with a goal of manipulating the victim into moving away from a computer and onto their smartphone.  The reasoning behind this is that many victims are less likely to have anti-virus protection on their phones, despite them often holding a whole host of valuable information.

What else can I do to protect myself?

First and foremost, make sure that you are encouraging others to stay secure and aware that not all messages are what they seem.  But more specifically:

Stay sceptical:  the old adage of ‘if something is too good to be true it probably is’ still applies today.  Stop (before you click) and think twice about any requests being made and whether they are reasonable.

Verify messages:  don’t hesitate to confirm a message really is from who it claims to be from.  Always question authenticity, especially if it involves requests around sensitive or financial data.

Keep software up to date:  If the goal of a phishing campaign is to download malware, up to date anti-virus software can protect you – and ensure you stay on top of any patches and updates to operating systems and apps too.

Enable Multi Factor Authentication (MFA):  when accounts are protected with MFA (the system used where a password and unique verification code are both required during the login process) they are more resistant to account takeover through phishing.

And finally, report suspicious activity:  If you think there has been a phishing attempt, report it to the relevant authorities.  Most organisations and email providers have a process to report phishing attempts. 

None of us are infallible, even if you fall for a phishing message, report it to the National Cyber Security Centre (NCSC) to help protect others – forward suspicious emails to report@phishing.gov.uk or forwards suspicious text messages to 7726.

For help with all your cyber security needs, get in touch with the team today.