Protect your business against phishing

Phishing is widespread in the UK. It is one of the most common types of cyber crime that targets businesses regardless of their size or sector.

What is phishing?

Phishing is a type of cyber attack that most commonly happens through email. In a typical attack, thousands of people receive fake emails from unknown criminals asking them to:

  • provide sensitive or confidential information (such as passwords and bank details)
  • send money to individuals or organisations
  • download something that infects your computer

The email usually contains attachments infected by malware or links to a 'spoof website' where attackers try to trick you into surrendering sensitive data.

Variations of phishing include:

  • vishing - when fraud is attempted by phone
  • smishing - when fraud is attempted via text messages

Read the National Cyber Security Centre (NCSC) guidance on phishing and how to defend against it.

Targeted phishing attacks

Rather than delivering mass emails to random individuals, some forms of phishing target specific individuals or organisations. One such form is spear phishing.

Spear phishing

As with regular phishing, spear phishing emails appear to come from a trusted or familiar source. The criminals gather personal information about the target and modify their message to make it look legitimate. This method is known as social engineering - it increases the chances of tricking the target into divulging sensitive information or downloading malware from infected attachments and links.

Whale phishing

Whale phishing attacks use the same personalised technique but target high-profile individuals, such as celebrities, politicians or C-level executives. Read the NCSC's blog to find out more about these targeted forms of phishing.

Social media phishing

As well as email, text messages and phone calls, criminals can also use social media websites to commit financial or identity fraud. Social media phishing usually involves:

  • fake social media accounts that impersonate known or trusted people
  • fake customer support accounts that impersonate brands
  • click-bait posts that include malicious links
  • fake surveys, promotions or contests to get personal information

See Get Safe Online tips to help you avoid social media phishing.

How to spot phishing websites

Fraudulent websites can be difficult to identify. They may closely resemble, for example:

  • your social networks
  • your email providers, such as Yahoo or MSN
  • your banking provider
  • government services, such as HM Revenue & Customs
  • IT service providers and vendors such as Microsoft, Google or Apple
  • online marketplaces, such as eBay or Amazon
  • money transfer websites, such as PayPal

Once you enter information into fake sites, criminals can steal it and use it to commit identity or financial fraud.

Common warning signs that you are on a fake website may include:

  • a URL that differs from the one you originally clicked on, for example a link whose visible text shows one domain but which takes you to another
  • an element of urgency in whatever the website is asking you to do
  • requests for personal information such as financial account or social security numbers
  • spelling errors, unusual navigation or substandard graphics
  • suspect ads or pop-ups on the website
  • a mix of legitimate links with fake links
  • incorrect company name
  • an absence of legitimate contact details

Keep in mind that HTTPS and the padlock symbol next to the address only mean that your connection to the site is encrypted; they say nothing about who runs the site. Criminals can easily obtain certificates for domains they control, so a fake site can show a padlock too.

How to prevent phishing

The key to avoiding phishing is to treat all emails with caution. For example:

  • Be wary of emails that begin with 'Dear Sir/Madam' or another type of generic greeting (eg 'Dear account holder', 'Dear customer', etc). Legitimate companies and individuals will generally call you by your name, eg 'Dear [FIRST NAME]'. The reverse is not a guarantee, however: the spear phishing emails described above are deliberately personalised.
  • Look for inconsistencies between the sender's display name and the actual email address, and between the text of a link and the address it really points to. Hover your cursor over a link (without clicking) to reveal its true destination and check that the domain matches the legitimate source.
  • Be careful with unsolicited emails carrying attachments or directing you to download documents or files from unknown websites. A good email filter will block many of these types of messages.
  • Ignore emails that appear to come from a bank or similar institution and request sensitive information. If in doubt, contact your bank directly using trusted contact details and do not use the contact details or links provided in the email.
  • Ignore emails demanding urgent action or making offers that are too good to be true.
  • If in doubt, do not click on any links within an email. Instead, contact the sender through a known source, such as phone or their official website. Do not use contact details supplied within the suspicious email.
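The checks above (a generic greeting, urgency, and a mismatch between the sender's address, the text of a link and where the link really goes) can be automated for triage. The script below is an added example and is not part of this guide or of any NCSC tool. Both messages in it are constructed for illustration, every address uses the reserved documentation domains example.com, example.net and example.org, and the registrable-domain lookup is a deliberately short stand-in for the Public Suffix List.

```python
"""Flag the warning signs described in this guide in a raw email message.
Added example, not part of the original guide. Both sample messages are
constructed; all addresses use reserved documentation domains."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: the visible link shows the bank's domain, but
# the real destination is a subdomain of the sender's own domain.
PHISHING_EMAIL = """\
From: "Example Bank Security Team" <alerts@secure-login.example.net>
To: finance@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer,</p>
<p>Unusual activity was detected. Verify your details immediately at
<a href="https://www.bank.example.com.secure-login.example.net/verify">https://www.bank.example.com/verify</a>
or your account will be closed.</p></body></html>
"""

# Constructed legitimate sample: named greeting, no urgency, plain-text link.
LEGITIMATE_EMAIL = """\
From: "Accounts" <accounts@supplier.example.org>
To: finance@example.com
Subject: March invoice as discussed
Content-Type: text/plain; charset="utf-8"

Hi Jane,

The March invoice is at https://portal.supplier.example.org/invoices/1042.
"""

GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear account holder", "dear user")
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "will be closed", "24 hours")

# Simplified stand-in for the Public Suffix List; only a few common cases.
KNOWN_SECOND_LEVEL = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}


def registered_domain(host: str) -> str:
    """Return the registrable domain: 'www.hmrc.gov.uk' -> 'hmrc.gov.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in KNOWN_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse(raw: str) -> list[str]:
    """Return the warning signs found in a raw RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = email.utils.parseaddr(str(msg["From"]))
    sender_dom = registered_domain(sender.rsplit("@", 1)[-1])
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    lowered = (str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    findings = []

    greeting = next((g for g in GENERIC_GREETINGS if g in lowered), None)
    if greeting:
        findings.append(f"generic greeting: '{greeting}'")
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))

    extractor = LinkExtractor()
    extractor.feed(body)
    for shown, href in extractor.links:
        real = registered_domain(urlparse(href).hostname or "")
        if shown.lower().startswith(("http://", "https://")):
            claimed = registered_domain(urlparse(shown).hostname or "")
            if claimed != real:
                findings.append(f"link shows {claimed} but points to {real}")
            if claimed != sender_dom:
                findings.append(f"sender domain {sender_dom} does not match domain shown in link ({claimed})")
        else:
            # 'Click here' style text: weaker signal, but the reader cannot see the destination
            findings.append(f"link text '{shown}' hides destination {real}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(name, analyse(raw) or ["no warning signs"])
```

Run as-is to see the phishing sample produce four findings and the legitimate sample none. The link check is the one worth copying: it compares the registrable domain of the text the reader sees with the registrable domain of the href, which is exactly what hovering over a link reveals, and it catches the common trick of putting the impersonated brand in a subdomain of the attacker's own domain.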

You should also train your employees to recognise scam emails and act appropriately. If you need help training your staff, the NCSC has created a free online tool to help you do just that - access the NCSC's Top Tips for Staff tool.

If you or your staff receive a potential phishing message, you can report it to the NCSC using their Suspicious Email Reporting Service: report@phishing.gov.uk.