Phishing is widespread in the UK. It is one of the most common types of cyber crime that targets businesses regardless of their size or sector.
Recently, there has been an increase in malicious cyber activity - including phishing - relating to COVID-19. You should take steps to protect yourself and your business against these threats.
Check NCSC weekly threat reports and the advisory on cyber exploitation of the coronavirus pandemic.
What is phishing?
Phishing is a type of cyber attack that most commonly happens through email. In a typical attack, thousands of people receive fake emails from unknown criminals asking them to:
- provide sensitive or confidential information (such as passwords and bank details)
- send money to individuals or organisations
- download something that infects your computer
The email usually contains attachments infected by malware or links to a 'spoof website' where attackers try to trick you into surrendering sensitive data.
Variations of phishing include:
- vishing - when fraud is attempted by phone
- smishing - when fraud is attempted via text messages
Targeted phishing attacks
Rather than delivering mass emails to random individuals, some forms of phishing target specific individuals or organisations. One such form is spear phishing.
As with regular phishing, spear phishing emails appear to come from a trusted or familiar source. The criminals gather personal information about the target and modify their message to make it look legitimate. This method is known as social engineering - it increases the chances of tricking the target into divulging sensitive information or downloading malware from infected attachments and links.
Whaling (whale phishing) attacks use the same personalised technique but target high-profile individuals, such as celebrities, politicians or C-level executives.
Read the National Cyber Security Centre (NCSC) blog to find out more about these targeted forms of phishing.
Social media phishing
As well as email, text messages and phone calls, criminals can also use social media websites to commit financial or identity fraud.
Social media phishing usually involves:
- fake social media accounts that impersonate known or trusted people
- fake customer support accounts that impersonate brands
- click-bait posts that include malicious links
- fake surveys, promotions or contests to get personal information
See Get Safe Online tips to help you avoid social media phishing.
How to spot phishing websites
Fraudulent websites can be difficult to identify. They may closely resemble, for example:
- your social networks
- your email provider, such as Yahoo or MSN
- your banking provider
- government services, such as HM Revenue & Customs
- IT service providers and vendors, such as Microsoft, Google or Apple
- online marketplaces, such as eBay or Amazon
- money transfer websites, such as PayPal
Once you enter information into the fake sites, criminals are able to steal it and use it to commit identity or financial fraud.
Common warning signs that you are on a fake website may include:
- a URL in the address bar that differs from the link you originally clicked on, or an address that contains a familiar brand name only as part of a longer, unfamiliar domain
- an element of urgency in whatever the website is asking you to do
- requests for personal information such as financial account or social security numbers
- spelling errors, unusual navigation or substandard graphics
- suspect ads or pop-ups on the website
- a mix of legitimate links with fake links
- incorrect company name
- an absence of legitimate contact details
Keep in mind that an HTTPS site (where the padlock symbol next to the URL address shows the connection is encrypted) can also be malicious. The padlock only means traffic between you and the site is encrypted; it says nothing about who runs the site, and criminals routinely obtain valid certificates for their fake domains.
How to prevent phishing
The key to avoiding phishing is to treat all email with caution. For example:
- Be wary of emails that begin with 'Dear Sir/Madam' or another type of generic greeting (eg 'Dear account holder', 'Dear customer'). Legitimate companies and individuals will generally call you by your name, eg 'Dear [FIRST NAME]'. Note that a targeted spear phishing email may also use your name, so a correct greeting on its own is not proof that an email is genuine.
- Look for inconsistencies in the sender's email address and in any links to webpages. Hover your cursor over a link to see its real destination before clicking, and check that the domain matches the legitimate source. A familiar brand name appearing somewhere in a link is not enough; check the domain the link actually points to, not the text you can see.
- Be careful with unsolicited emails carrying attachments or directing you to download documents or files from unknown websites.
- Ignore emails that appear to come from a bank or similar institution and that request sensitive information. If in doubt, contact your bank directly using trusted contact details and do not use the contact details or links provided in the email.
- Ignore emails demanding urgent action or making offers that are too good to be true.
- If in doubt, do not click on any links within an email. Instead, contact the sender through a known source, such as phone or their official website. Do not use contact details supplied within the suspicious email.
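The checks in the two lists above (the warning signs of a fake website and the email precautions) can be applied mechanically. The following Python script is an added example, not code from the original guidance or from the NCSC: it parses one email and reports the signs a trained reader would look for, namely a sender domain that imitates a brand, a Reply-To pointing elsewhere, links whose real destination differs from the text shown, urgency wording, a generic greeting and risky attachments. KNOWN_DOMAINS, the word lists and the SAMPLE message are assumptions constructed for illustration; a real deployment would load its own allow-list and would still treat the result as a triage hint, not a verdict.

```python
"""Heuristic phishing triage for one email (added example; KNOWN_DOMAINS, word lists and SAMPLE are constructed)."""
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = ("examplebank.co.uk", "examplepay.com")  # assumed trusted brand domains
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "act now")
GREETINGS = ("dear sir/madam", "dear customer", "dear account holder", "dear user")
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".htm", ".html", ".docm", ".xlsm", ".iso", ".lnk")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/|$)", re.I)


def domain_matches(host, known):
    """True only if host is `known` or a subdomain of it; a brand used as a prefix of
    someone else's domain (examplebank.co.uk.secure-login.example.net) does not match."""
    host = host.lower().rstrip(".")
    return host == known or host.endswith("." + known)


def is_lookalike(host):
    """Host uses a known brand name as a label but is not under that brand's domain."""
    return any(re.search(rf"(^|[.-]){re.escape(k.split('.')[0])}([.-]|$)", host.lower())
               and not domain_matches(host, k) for k in KNOWN_DOMAINS)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return human-readable findings for one RFC 5322 message; [] means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = msg["From"].addresses[0].domain.lower()
    if is_lookalike(from_domain):  # sender address trades on a brand it does not own
        findings.append(f"sender domain {from_domain} imitates a known brand")
    if msg["Reply-To"] and msg["Reply-To"].addresses[0].domain.lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _Links()
        parser.feed(content)
        for href, text in parser.links:  # what hovering reveals vs what the text shows;
            host = urlparse(href).hostname or ""  # https on a lookalike proves nothing
            if is_lookalike(host):
                findings.append(f"link to lookalike host {host}")
            if LOOKS_LIKE_URL.match(text):
                shown = urlparse(text if "://" in text else "//" + text).hostname or ""
                if shown and not domain_matches(host, shown):
                    findings.append(f"link text shows {shown} but points to {host}")
        content = re.sub(r"<[^>]+>", " ", content)
    lowered = ((msg["Subject"] or "") + " " + content).lower()
    hits = [w for w in URGENCY if w in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if any(g in lowered for g in GREETINGS):
        findings.append("generic greeting instead of your name")
    for part in msg.iter_attachments():  # executable or macro-enabled attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
    return findings


# Constructed sample: an 'account suspended' lure with a lookalike link and a macro document.
SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank-secure.net>
Reply-To: recovery@mail-check.example.org
Subject: Urgent: your account will be suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Unusual activity was detected. Verify within 24 hours or your account will be suspended.</p>
<p><a href="https://examplebank.co.uk.secure-login.example.net/verify">https://examplebank.co.uk/login</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="statement.docm"
Content-Disposition: attachment; filename="statement.docm"

UEsDBBQ=
--b1--
"""
```

Calling `triage(SAMPLE)` returns seven findings, one for each sign the lists describe: the sender domain and the link both carry the brand name on the left of a domain the brand does not own, the visible link text names the genuine domain while the destination does not, replies go to a third domain, the subject and body press for urgent action, the greeting is generic, and the attachment is a macro-enabled document. The same functions return nothing for a plain message from the genuine domain. Note that the script deliberately ignores whether a link uses HTTPS, for the reason given in the website section: a valid certificate on a lookalike domain proves nothing about who is behind it.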
A good email filter will block many of these types of messages. You should also train your employees to recognise scam emails and act appropriately. If you need help training your staff, the National Cyber Security Centre has created a free online tool to help you do just that - access the NCSC's Stay Safe Online: Top Tips for Staff tool.
See also how to detect spam, malware and virus attacks.
If you receive a potential phishing message, you can report it to the NCSC by forwarding it to their Suspicious Email Reporting Service at report@phishing.gov.uk.