Why phishing works
Phishing really is like dangling a hook in a big pond and waiting for someone to bite. The emails can be extremely convincing, especially if you're ploughing through a mountain of emails on autopilot. The threat actors can send thousands of emails for next to nothing and only need one or two replies to get a return on their investment. It's also really easy to make emails and links look as though they come from, say, your bank or email provider. Websites can also be made to look just like the real thing, and the only sign it's a scam may be the address shown in the browser's address bar.
What phishing emails look like
There are several tell-tale signs that most (though not all) phishing emails exhibit. For example:
- Asking you for a password, PIN or other personal information
- Warning you about some problem or imminent threat (e.g. 'If you don't respond within 48 hours, your account will be closed')
- Using technical jargon and an incentive to part with your data (e.g. 'We are asking for your password as we are refreshing our database to create more space for you')
- Asking you to open an attachment or make a donation
- Relating to news items and upcoming public events (e.g. tax return deadlines)
- Poor spelling and grammar
- Using generic greetings such as “Dear Bank Customer” or “Dear Email User”
- Using a fake ("spoofed") email address - perhaps even your own
Within the overall category of phishing, there are several common sub-types, such as:
- Spear phishing: These typically appear to come from someone you trust, like a senior colleague. Replies might be answered in a convincing fashion, but often give themselves away by asking for something like a direct money transfer or purchase of gift cards
- Sextortion: The sender will claim to have used a webcam to film you in a compromising position and demand a payment, probably in a hard-to-trace format like Bitcoin
Those sending the messages might be malicious individuals, but could also be working for organised crime groups or even rogue nation states.
How to spot fake links and websites
The key to spotting phishing emails and websites is in the links and website addresses (known as URLs). Scammers can replicate legitimate sites down to the last pixel. However, while the links and website addresses they use can be deceptively similar, they can’t be identical.
How to pick a URL apart
The important bit (the domain name followed by the top-level domain, if you want to get technical) is marked in bold. Modern web browsers highlight this bit for you. If barclays.co.uk remains “intact”, and is the last thing before the first single forward slash (or at the very end if there is no forward slash), you should be able to trust the URL.
Be wary of dots and/or dashes
Be wary of dots and/or dashes after barclays.co.uk, and of a forward slash at any point before barclays.co.uk.
URLs using numbers
Don't trust URLs using numbers instead of words
Similar domain names
Don't let similar domain names trick you - look up the real website on a search engine to get the genuine address.
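As an added example (not part of the original guidance), the following Python check applies the rules above to a link: the expected domain is assumed to be barclays.co.uk as in the text, and the URLs in the comments are constructed lookalikes, not real sites.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed example: the genuine site the link claims to lead to.
EXPECTED_DOMAIN = "barclays.co.uk"

def check_url(url: str, expected: str = EXPECTED_DOMAIN) -> tuple:
    """Return (trusted, reason) for a link that claims to belong to `expected`.

    Mirrors the rules in the text: the expected domain must be the last thing
    in the host before the first single slash, with nothing (dots, dashes,
    other words) after it, and no slash or '@' trick placing it before the
    real host. Hosts that are bare numbers (IP addresses) are not trusted.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host part found"
    # Numbers instead of words: an IPv4/IPv6 literal as the host.
    try:
        ipaddress.ip_address(host)
        return False, f"host is a bare IP address ({host})"
    except ValueError:
        pass
    # 'user@' before the real host makes the left of the URL look genuine.
    if parts.username is not None:
        return False, "URL contains a user@ prefix before the real host"
    if host == expected:
        return True, f"host is exactly {expected}"
    if host.endswith("." + expected):
        return True, f"host is a subdomain of {expected}"
    # Expected name present but followed by dots/dashes/other text: lookalike.
    if expected in host:
        return False, f"'{expected}' appears inside host '{host}' but is not the registered domain"
    # Expected name only after the first single slash: it is just a path.
    if expected in parts.path + "?" + parts.query:
        return False, f"'{expected}' appears only after the first slash (path/query)"
    return False, f"host '{host}' is unrelated to {expected}"
```

Each call returns a verdict and a one-line reason, so the same function can be used to explain to a user why a link was flagged.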
Money mule scam
Fraudsters may ask you to receive money into your bank account and transfer it into another account, keeping some of the cash for yourself. If you let this happen, it is classed as money laundering, which is a crime. The Financial Fraud Action UK website offers further guidance on how to avoid unwittingly becoming involved in 'money mule' scams.
Students in receipt of UK government support who are concerned about being targeted by phishing scams can also access specific advice from the Student Loans Company on their webpages.
More ways to protect yourself from phishing
Use the "junk mail" filter in your email client to block spam.
Make sure a text link is not “disguising” a rogue URL (hover over it to display the URL in the bottom left corner of your screen, or follow this guidance if it's a short URL, such as Bit.ly).
Don't follow links in emails that ask you to enter or change personal account information. Go directly to the website and log in to your account in the normal way.
Don't open attachments that you are not expecting, especially from senders that you do not recognise.
Never trust the sender name or the address in the "from" field. Unlike URLs, these are easily forged to mimic a genuine sender.
Make sure you have the latest version of your web browser, as the most recent ones can help warn you of known phishing websites.
Check for a green padlock icon in the address bar before submitting personal details on a website, so you know the connection is secure. (But still check that the URL is what you are expecting, as the padlock alone is not enough to guarantee your safety.)