Four principles to protect against phishing

There are four simple principles you can follow to reduce your risk of falling victim to a phishing attack. Find out more below.

What is phishing? 

‘Phishing’ (pronounced: fishing) is an attack that attempts to steal your money or your identity by getting you to reveal personal information, such as credit card numbers, bank details or passwords, usually via websites that appear to be legitimate. Phishing can be conducted by text message, social media or phone, but the term ‘phishing’ is mainly used to describe attacks arriving by email. Cybercriminals typically pretend to be reputable companies, friends or acquaintances in a fake message that contains a link to a phishing website or a malicious attachment.

Four principles to protect against phishing:

1.    Always practice zero-trust
2.    Look out for red flags
3.    Think before you click
4.    Verify authenticity

1. Always practice zero-trust

Phishing is one of the oldest attack techniques and still one of the most successful. It remains effective because so many people are unaware of the risks and take much of what they see and read online at face value. A more cautious attitude is called for when you consider the following:
•    Emails can easily be forged to look genuine.
•    Someone you know may have had their account compromised, and a fraudster is controlling their email.
•    Attachments can contain malware. 
•    Log-in pages can be faked, allowing your username, password and other private data to be stolen.

2. Look out for red flags

There are numerous ways of spotting a malicious message. Typos and poor grammar are easy to spot, but some common signs are more subtle. If an email contains more than one of these red flags, or any other indicators that seem strange, then alarm bells should be ringing:
•    Urgent call to action – scammers deliberately try to override your natural caution by creating a false sense of urgency, so beware of claims like: ‘you have an outstanding invoice to pay’, ‘your account is frozen’, or ‘you have an undelivered package’.
•    Link to a login page - a link to a fake sign-in page where you hand over your credentials to the attacker.
•    A phone number to call for help - scammers have call centres too, with premium-rate numbers and staff trained in social engineering techniques.
•    Attachments - often the message body contains little or no detail, but there is an enticing attachment that appears to offer more detail. 
•    Personal data request - some scammers will ask you to confirm various personal details for 'verification purposes'. The details support identity theft, and a reply also tells the scammer that you are receptive to further messages.
•    Inconsistencies in content - discrepancies between sender address, display name, reply-to address and the domain names in links, including a link whose visible text shows one domain while it actually points to another.
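
The cross-checks in the red-flag list above can be mechanised. The following is an added example, not code from the original page or from the NCSC, that parses a constructed sample email and reports the red flags it finds: a Reply-To domain that differs from the From domain, link text that shows one domain while the link points to another, a link to a login or verification page, urgency phrases, a phone number in the body, and attachments. Every name, address, domain and phone number in the samples is invented; the phrase list, the path words and the two-label domain approximation are simplifications made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: every name, address, domain and phone number is invented.
SUSPICIOUS_MESSAGE = b"""\
From: "Example Bank Support" <alerts@examp1e-bank-secure.net>
Reply-To: help@mail-relay-example.org
To: customer@example.com
Subject: URGENT: your account is frozen
Content-Type: text/html; charset=utf-8

<p>Your account is frozen. Log in within 24 hours to restore access.</p>
<p><a href="http://login.examp1e-bank-secure.net/verify">https://www.example-bank.com/login</a></p>
<p>Or call 0900 123 456 for help.</p>
"""

BENIGN_MESSAGE = b"""\
From: "Example Bank" <newsletter@example-bank.com>
To: customer@example.com
Subject: Our opening hours over the holidays
Content-Type: text/html; charset=utf-8

<p>Branches close early on 24 December. Details are on
<a href="https://www.example-bank.com/hours">our website</a>.</p>
"""

# Illustrative lists for the example, not exhaustive ones.
URGENCY_PHRASES = ("urgent", "frozen", "within 24 hours", "outstanding invoice",
                   "undelivered package", "suspended")
LOGIN_PATH_WORDS = ("login", "signin", "verify", "password")
PHONE_RE = re.compile(r"\b0\d{2,4}[ -]?\d{3}[ -]?\d{3,4}\b")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels of a host name; a real tool would use the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def address_domain(header_value):
    # Registrable domain of the address in a From/Reply-To header, or "" if absent.
    _, addr = parseaddr(str(header_value or ""))
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""

def url_domain(text):
    # Registrable domain of a URL, tolerating a missing scheme in link text.
    return registrable_domain(urlparse(text if "://" in text else "http://" + text).hostname or "")

def find_red_flags(raw_message):
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flags = []

    # Inconsistency between the sender address and the reply-to address.
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Urgent calls to action in the subject or body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    flags += [f"Urgency phrase: {p!r}" for p in URGENCY_PHRASES if p in text]

    # Links: visible text vs real target, target vs sender, and login pages.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, visible in extractor.links:
        target = url_domain(href)
        if "." in visible and " " not in visible and url_domain(visible) != target:
            flags.append(f"Link text shows {url_domain(visible)} but points to {target}")
        if target != from_domain:
            flags.append(f"Link domain {target} differs from sender domain {from_domain}")
        if any(w in urlparse(href).path.lower() for w in LOGIN_PATH_WORDS):
            flags.append(f"Link to a login/verification page: {href}")

    # A phone number to call, and attachments.
    flags += [f"Phone number to call: {n}" for n in PHONE_RE.findall(body)]
    if any(True for _ in msg.iter_attachments()):
        flags.append("Message carries an attachment")
    return flags
```

Run `find_red_flags(SUSPICIOUS_MESSAGE)` and it reports seven flags, including the mismatched Reply-To, the link whose text shows example-bank.com but whose target is examp1e-bank-secure.net, and the phone number; the same function returns an empty list for the benign newsletter. Note that the sender and link domains in the suspicious sample are consistent with each other, which is exactly why the page says to look for more than one red flag rather than relying on any single check.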

3. Think before you click

Some phishing attacks are very convincing, so it can be helpful to pause for a moment and challenge yourself before acting on an email. Ask yourself:
• “Do I know this person or deal with this organisation?” 
If not, then as with any new relationship you should proceed with caution.  
• “I recognise this person, but am I sure they are genuine?” 
Unfortunately, based solely on an email, it is not possible to be certain that you are not dealing with an imposter. Think about contacting the person via another trusted method. 
• “Is this how the person or company normally contacts me?” 
Banks and other official organisations have preferred methods for customer contact. Be wary of deviations.    
• “Is this request normal?” 
Similarly, most organisations send out information, but rarely do they issue urgent requests. Anything out of the ordinary should be challenged.  
• “Do I actually need to deal with this?”
Even after we suspect a message is a phishing attack, curiosity can take us on an interesting but unproductive investigative trail. Sometimes it’s better to just delete and move on.     

4. Verify authenticity

If by this stage you still cannot tell whether it's a phishing attack, there are a few more things to do before acting on the message:
•    Discuss suspicious messages with a colleague; a second pair of eyes often helps.
•    Telephone the sender to confirm the message is genuine. Make sure you call a published number, such as one on the organisation's official website or on existing paperwork; do not rely on any contact details in the message. This is essential for any request involving money.
•    Forward the message to your IT or cybersecurity contact for analysis; forwarding it as an attachment rather than inline preserves the original headers they will need.
•    Where the message concerns an online service, log in through the normal channel (type the address yourself or use a saved bookmark, not the links in the suspicious message) and check everything is in order.

Things to avoid

•    NEVER click on a link to see if it's legitimate; if it's not, you probably won't know until it's too late.
•    NEVER open an attachment to see if it's safe; as with links, simply opening a malicious document could silently compromise your device, giving full control to an attacker. 
•    DO NOT worry about not acting immediately on an urgent email request - email is not for urgent matters; if it's really important someone will get in touch another way.
•    DO NOT waste time engaging with scammers. Unless you are qualified to deal with criminals, leave it to the experts. 

For more information, please visit the UK’s National Cyber Security Centre.