Don't Look Back In Angler!

One of the most common cyber threats that’s becoming harder to spot is called “phishing”, which is where cybercriminals pose as a legitimate organisation to lure their victims into doing ‘the wrong thing’, such as clicking on a bad link that will download malware or a virus, or directing them to a dodgy website. So, we’ve put together our top ten tips to help you recognise and report phishing, so you don’t get caught out:

 

OUR TOP TEN TIPS:

01.
THINK BEFORE YOU ACT

Be wary of communications that implore you to act immediately, as many phishing attacks attempt to create a sense of urgency to catch the recipient off guard by making them fear their account or information is in jeopardy. So always take time to stop and think carefully before you engage with any communications you’ve received, especially if there’s a deal involved that seems too good to be true.


02.
BE WARY OF HYPERLINKS

Avoid clicking on hyperlinks in any communications without checking them first. You can do this by hovering over the link with your cursor on a desktop or laptop device, which will reveal the full URL at the bottom of your browser. Alternatively, you can check links on mobile or tablet devices by pressing and holding down on the link with your finger to view the full URL before proceeding.


03.
DON'T BE FOOLED

Phishing attacks use email addresses, sender names, phone numbers, or website URLs that are disguised as a trusted source, such as a financial institution or government agency. Tell-tale signs that communications you’ve received may be “phishy” are if they contain bad spelling or grammar, come from an unusual email address or number, or feature imagery, branding, or design that feels ‘off’.


04.
THINK ABOUT CURRENT EVENTS

Cybercriminals often exploit current news stories, big events, or specific times of the year (like tax reporting), to make their scams seem more relevant to you. It’s important to bear this in mind, as you don’t want to drop your guard just because you’ve received a message that appears to be relevant.


05.
REVIEW WHAT YOU SHARE

Criminals use publicly available information about you to make their phishing attacks appear convincing, so it’s always good practice to review your privacy settings and think about what you post. Information about yourself that you share online, such as where you go to school, where you work, and when you’re on holiday, could help cybercriminals gain access to more valuable data.

06.
CHECK IF IT'S GENUINE

If you have any doubts about any communications that you’ve received, contact the organisation it purports to have come from directly. It’s important that you don’t use the numbers or address in the message itself but instead use the details from the company’s official website to contact them.


07.
DOUBLE YOUR LOGIN PROTECTION

Use multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. Enable MFA by using a trusted mobile device, such as your smartphone, or an authenticator app.


08.
KEEP DEVICES UPDATED

Make sure you are running all the latest versions of software, including applications, on all of your devices. These updates will often contain new security patches and new security features that, once installed, will make it harder for attackers to successfully compromise your devices.


09.
REPORT IT

If you receive a spam or phishing email message, it’s important that you report it to the Suspicious Email Reporting Service (SERS) by forwarding the email as an attachment to report@phishing.gov.uk. Alternatively, mobile customers using UK networks can text ‘7726’, which spells ‘SPAM’ on an alphanumeric phone keypad, to report unwanted SMS messages or phone calls on a mobile, either by forwarding the SMS to this number or by sending it the word CALL and, when prompted, sharing the rogue number.


10.
MARK AS JUNK OR SPAM

If you’ve recognised and reported suspicious communications you’ve received, make sure you mark any email messages as spam or junk, as your email client will block any further mail from that address, and block the sender or caller of any suspected phishing text messages or phone calls on your device.

 

LEARN MORE ABOUT RECOGNISING & REPORTING PHISHING

For more advice on phishing, including how to spot suspicious emails, text messages, calls and interactions via social media and how to report them, please read the National Cyber Security Centre's guidance on spotting and reporting phishing.