Phishing Email: A cybercrime whereby individuals are targeted via email by someone fraudulently posing as a legitimate business to encourage them to reveal personally identifiable information, including passwords and bank details.

A huge number of cyber attacks are conducted by email, and they’re not even all that technically sophisticated. These types of attacked are commonly known as ‘phishing’, but when they target senior executives, are referred to as ‘whaling’. At first glance the emails can look legitimate, however, not everything is as it appears…

How to spot a phishing email:

Phishing emails come in all shapes and sizes and there’s no ‘one size fits all’ way to spot them. There are a few ways you can start to be extra vigilant. Here are our top tips on what to look out for.

• Does the sender’s email address match the URL of the organisation they claim to be from? e.g. hello@amazon.com vs hello@amaz0n.com or hello@aamazon.com or hello@amaz.on.com
• Does the sender’s display name match up to their email address? e.g. From: Joe Bloggs <steve.smith@company.com>
• Are there any contact details on the email signature? This isn’t a hard and fast rule as senders may sometimes omit their signatures for their own reasons.
• Is the email personalised to your name, or is it a generic greeting? This is particularly relevant if the message is meant to be from someone you know. If they usually address you by name, ‘Hi Emma’, but instead the email says ‘Dear Colleague’ – this is suspicious.
• Is the email written to the standard you’d expect from the sender? Everyone makes mistakes from time to time, but if an email comes in riddled with spelling and grammar errors this could be a sign of a fraudulent message.
• Are you being told you’ve won something from a competition you haven’t entered? It’s a common tactic to tell someone they’ve won the lottery to induce excitement, making the person forget that they didn’t buy a ticket…
• Is the email text-based or a solid image? It’s certainly unusual to receive an image-based email that isn’t for advertising purposes.
• Does the email ask for personal credentials? Banks repeatedly issue messaging saying they will never, ever request personal details from you via email. Equally, never give out personal information such as your date of birth, home address or national insurance number unless you are 100% sure as to why you’re doing it and who you’re giving this information to. If you need to, make a call to the number listed on the official company website to find out why you’re being asked for this information.
• Is there a sense of urgency attached to the message you’ve received? It could be an urgent request from your boss asking for payment to be made to XYZ account, or an urgent request for a child’s home address for ‘safeguarding’ purposes. Always double check an urgent request out of the blue, nothing is too urgent to guarantee you’re not putting information into the hands of malicious actors. 

What to do if you suspect an email is fraudulent:

You should never be concerned about double checking the legitimacy of an email and the required action within it. If you encounter one in a professional setting, always alert IT immediately, you could save your organisation from a successful attack on the network. In your personal life, knowing how to identify a fake email could save you from losing a lot of money to fraudsters. Here are some tips on what to do, and not to do, with a suspected phishing email.

• Don’t open the message if you think it looks suspicious.
• If there’s a link within the email, hover over it with your mouse, but DO NOT CLICK. You will be able to see if the written text of the link matches the website it’s actually going to. If they’re different, it’s possible it’s a malicious link that could even lead to download a virus.
• Don’t open email attachments you weren’t expecting.
• Don’t give out any personal information. If you think it’s from a known contact of yours but aren’t sure, drop them a message via another means (text or phone) to see if it’s genuine.
• Never reply to the suspicious email.
• If you want to attempt to contact the company who the email is from, don’t use the contact details provided. Always search for them independently online.
• If you identify an email as a phishing attack, report it to Actionfraud, the National Fraud & Cyber Crime Reporting Centre.
• Contact your bank immediately if you are concerned your bank details may have been compromised.

Although there’s nothing to mitigate against human error, we can advise on some of the best technical solutions available to increase your cyber defences.

Download our poster to share within your workplace or school to help increase awareness around ways to identify phishing emails.