What is Phishing and how to spot it?
The fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site. — Wikipedia
Phishing is the name given to scams, most commonly sent via email, that try to trick you into revealing sensitive information or downloading malicious software such as viruses, malware or ransomware. These phishing messages pretend to be from recognisable organisations or people you know in order to gain your trust so that you will follow the action they are requesting. These organisations can include banks, online retailers, delivery companies, technology companies and other trusted organisations, including the University.
Social Engineering
The perpetrators of phishing often use very simple social engineering techniques to trick you into revealing information.
- Phishing emails often scare you into taking urgent action, for example asking you to enter your details on a website to avoid your account being suspended.
- The opportunity to get something for free is another common practice. Entering a competition or claiming a prize is another way you can be enticed to enter your details online.
- They can also use innocent-looking links to lure you in, such as a parcel tracking link or a request to update your contact details.
- As well as impersonating companies, perpetrators of phishing can also impersonate people you know. Posing as a colleague or manager, they may ask you to purchase items such as online gift vouchers on their behalf and to send them the codes.
How to spot a phishing message?
Think before you click. Phishing is one of the most common kinds of attack. Look out for four things: Language, Design, Name and Action.
Language
- Many phishing emails have poor grammar, punctuation and spelling.
- Is it addressed to you by name, or does it refer to ‘valued customer’, or ‘friend’, or ‘colleague’? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
- Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like ‘send these details within 24 hours’ or ‘you have been a victim of crime, click here immediately’.
- If it sounds too good to be true, it probably is. It’s most unlikely that someone will want to give you money, or give you access to a secret part of the Internet.
Design
- Is the design and overall quality what you'd expect from the organisation the email is supposed to come from?
- The entire text of the email may be contained within an image rather than the usual text format. The image itself is a link to a bogus site.
- Is the email asking you to click on a link? Look at the link carefully to see if it looks credible. The text you see and the address the link actually goes to can be different: on a computer, hover over the link without clicking to see the real destination; on a phone, press and hold it. For example, if the hyperlink seems to be from your bank, make sure it really goes to your bank's website, and not to something with a different name.
Name
- Look at the sender's name. Does it sound legitimate, or is it trying to mimic someone you know? The display name can be set to anything, so it proves nothing on its own.
- Double check the sender's email address. Phishing emails often attempt to mimic an official email address by making it look as close to the original as they can. Make certain you check what comes after the '@' symbol: it must be the organisation's own domain, not a lookalike such as one with the real name added in front of a different domain.
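Two of the checks above, the link check under Design and the sender address check under Name, are mechanical enough to automate. The script below is an added example, not part of the original page or any University tool: it parses a constructed phishing email, compares the site named in each link's visible text with the site the link really goes to, and classifies the domain after the '@' in the From header. The domains university.example and bank.example, the TRUSTED_DOMAINS list and the sample message are all assumptions made for the example, and the "registrable domain" helper is deliberately simplified (it takes the last two labels, which is wrong for names like example.co.uk).

```python
"""Added example: automate the link and sender-address checks on a message."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisations the reader would trust. In practice this
# would come from configuration, not be hard-coded.
TRUSTED_DOMAINS = {"university.example", "bank.example"}

# Constructed sample, not a real message: the From address and the link
# both borrow the trusted name as a prefix of an unrelated domain.
SAMPLE_MESSAGE = """\
From: "University IT Helpdesk" <it-helpdesk@university.example.login-portal.test>
To: staff@university.example
Subject: Action required: mailbox suspension in 24 hours
Content-Type: text/html; charset=utf-8

<p>Your mailbox will be suspended. Verify your account within 24 hours:
<a href="http://university.example.login-portal.test/verify">https://webmail.university.example/verify</a></p>
<p>Questions? Visit our <a href="https://www.university.example/it">help centre</a>.</p>
"""


def registrable_domain(host: str) -> str:
    """Crude 'organisation' part of a hostname: its last two labels.
    A public-suffix list is needed for names such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain: str) -> str:
    """'trusted' if the domain belongs to a trusted organisation,
    'lookalike' if it merely contains a trusted name (for example
    bank.example.evil.test or bank-example.com), otherwise 'unknown'."""
    domain = domain.lower()
    if registrable_domain(domain) in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if trusted in domain or trusted.replace(".", "-") in domain:
            return "lookalike"
    return "unknown"


def check_sender(from_header: str) -> dict:
    """The 'Name' check: what comes after the '@' in the real address."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    return {"display_name": display_name, "address": address,
            "domain": domain, "verdict": classify_domain(domain)}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_from_text(text: str) -> str:
    """If the visible link text looks like a URL or hostname, return its host."""
    if " " in text or "." not in text:
        return ""
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname or ""


def link_findings(html_body: str) -> list:
    """The 'Design' check: does the link text name a different site than
    the href really points to, and where does the href really go?"""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown_host = _host_from_text(text)
        mismatch = bool(shown_host) and (
            registrable_domain(shown_host) != registrable_domain(real_host))
        findings.append({"text": text, "real_host": real_host,
                         "shown_host": shown_host, "mismatch": mismatch,
                         "verdict": classify_domain(real_host)})
    return findings


def analyse(raw_message: str) -> dict:
    """Run both checks over a raw RFC 822 message with an HTML body."""
    msg = message_from_string(raw_message)
    sender = check_sender(msg.get("From", ""))
    links = link_findings(msg.get_payload())
    suspicious = sender["verdict"] != "trusted" or any(
        f["mismatch"] or f["verdict"] != "trusted" for f in links)
    return {"sender": sender, "links": links, "suspicious": suspicious}


if __name__ == "__main__":
    result = analyse(SAMPLE_MESSAGE)
    print("sender:", result["sender"]["address"], "->", result["sender"]["verdict"])
    for finding in result["links"]:
        print("link:", repr(finding["text"]), "really goes to",
              finding["real_host"], "->", finding["verdict"],
              "(text/destination mismatch)" if finding["mismatch"] else "")
    print("suspicious:", result["suspicious"])
```

Run against the sample, the first link is flagged because the visible text names webmail.university.example while the href goes to login-portal.test, and the sender is flagged as a lookalike because university.example appears only as a prefix of a different domain. The second link, which goes to the real university.example domain and whose text ("help centre") is not a URL, passes both checks. The same classifier is what a mail gateway or a browser link-hover check is doing for you; the point of the example is that the display name and the visible link text are attacker-controlled, and only the real address and the real destination count.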
Action
- Think, what is the email asking you to do?
- Your bank, or any other official source such as the University, should never ask you to supply your personal information or login details by email.
- If the email is from a person, is what they are asking you to do unusual or out of character?
- Are you being asked to view an attachment or to install some software?
For more information, and to watch a training video (produced by Microsoft), please click here.