Phishing: What it is and how to avoid it.

Composing an email on a digital device

As a result of the COVID-19 lockdown and the rapid increase in people working from home, there has been a growing concern about the increasing numbers of people trying to gain access to accounts using 'phishing' techniques. Here are some hints and tips to avoid being 'phished' by being #scamaware

What is phishing?

Phishing is when someone tries to get information from you, or asks you to do something, that will allow them to access your online account.  It can be done by phone or through social media, but is most common through emails.

Key things to look out for are:

• being asked to log into a webpage, make a payment, or download something;
• being given an urgent deadline to do something;
• receiving an email from a company you have not had contact with before, or recently;
• being offered an incentive or being told of the dangers or not doing something.

The messages can seem very realistic, but there are often clues which can help you to identify if it is a phishing attack.  Spelling mistakes and grammar problems might suggest that the email is not from an official source, or the email address it was sent from might seem unusual.  In the example below, published by HMRC, the email hasn't come from an NHS address, the grammar is inaccurate, and there's a missing picture before gov.uk.

What should I do if I get a phishing email?

• The key thing is to ignore the instructions - don't click on a link, open or download an attachment, or phone a telephone number unless you know it is legitimate.
• Contact the sender via another means to check if the email is legitimate.  That could be as simple as going to a website directly rather than following a link in the email, or checking bank cards or letters for an alternative telephone number;
• Be suspicious.  If you are unsure about a message, don't follow the instructions.

The National Cyber Security Centre has made additional guidance available, at the following link https://www.ncsc.gov.uk/files/Phishing-attacks-dealing-suspicious-emails-infographic.pdf.

What can I do to protect myself?

• If you use any online service that offers 2-factor authentication (2FA), you may want to turn it on.  Using 2-factor authentication means that even if someone has access to your password and username, they would still not be able to your account. You need to have a username, password and access to another device to log-in. The 2FA system sends you a password or code, to that device, that is time-limited.
• Check the email carefully and use the preview function.  You may recognise the name of the sender, but is the subject something that you would expect them to email you about, or is there nothing but a link?

What can I do if I have given my details to a phishing attack?

If you have received an email and clicked on a link, given your login details or otherwise followed the instructions in the message please report it to the appropriate body immediately. They will be able to deal with your compromised account but only if you let them know.  Contacting them as quickly as possible will help them prevent any loss.

Further resources

More information on these types of cyberattacks can be found on the National Cyber Security Centres website https://www.ncsc.gov.uk/guidance/suspicious-email-actions and they have a video here https://www.ncsc.gov.uk/training/top-tips-for-staff-web/story_html5.html.