Q. What do you call someone who is good at fishing? A. Annette!
Q. What do you call someone who is good at phishing? A. A Criminal!
Q. What’s the difference between fishing and phishing? Read on.....
|An activity that involves someone catching fish for food or as a sporting pursuit.||A criminal activity that involves someone trying to trick you into sharing your personal information; ultimately for them to steal money.|
|Can take the form of fly, line, pole, net, spear or even hand.||Can take the form of an email, a website or even a telephone call.|
|Usually involves some sort of bait used to attract and catch fish, such as insects, maggots, worms and smaller fish.||Usually involves some sort of malware such as adware, bots, bugs, rootkits, spyware, Trojan horses, viruses, and worms.|
To help raise awareness of the dangers of phishing we’ve compiled this quick guide to help.
Spotting a phishing email
Look out for some tell-tale signs to help you spot a phishing email:
- Phishing emails tend to start with "Dear Customer", whereas reputable companies will use your full name
- Often badly constructed, the content often doesn’t make sense and it’s likely to contain spelling and grammar errors
- Sometimes there’s very little or even no content at all, just an attachment which can often be posing as an invoice, a statement or invite
- There’s may be a request to click on a link contained within the email, to open an attachment or to provide personal information
- The content may be threatening or may ask you to donate to a charitable organisation often after a recent disaster
- And sometimes it may offer what seems like a lot for not very much effort. If the deal sounds too good to be true it probably is!
Protect yourself against phishing scams:
- The email will often contain a link, don’t click on it. Rest your mouse over the link and check that the address and link in the message match.
- The email will often include an attachment, don’t open it.
- If you have clicked on a link, do not enter any personal data, take care because some scams can request that you log into your account (e.g. Google, Apple, Microsoft, Facebook), this is a trick to steal your account details.
- You can check the legitimacy of a website by opening a new browser window and navigating to the URL; don’t click on the link in the email. Look out for spelling and grammar errors in the site, check that the content makes sense and that images match the descriptions. You could also find which company has registered the web domain using a service such as whois.net.
- Some phishing emails will look like they come from a known contact; your contact's email account has been hacked and is being used to spread the phishing attack out widely amongst their mail contacts. Again, hover over the sender's email address to check whether the link matches the address in the email. Do not reply to the email or contact the sender. If you are not expecting an attachment or link from someone you know it is safer to call them to ask for assurance before opening or clicking.
- Contact your email administrator to report the suspicious email. There are a number of steps that your administrator can take to block the sender and report the attack to your mail provider.
Emails of this nature are often very difficult for Email Servers and Spam Filters to spot; they come from genuine email addresses, they don’t usually contain offensive language that might trigger a response and the sender is often in your list of approved contacts.
If your email account has been compromised and is being used to send out spam or even phishing emails to your contacts then you may find yourself or even your school blacklisted. Talk to your email provider who will be able to help advice on what steps to take next.
The most dangerous part of a phishing email is the Malware (the attachments etc.). Malware is a type of software designed specifically to disrupt or damage a computer system (it includes viruses, spyware, worm etc.). If you get infected it can not only affect your device and data but the wider network, data storage and software that your device has access to.
Protect yourself against Malware
- The latest variants of Malware (teslacrypt in particular) may not be picked up by anti-malware and anti-virus software, however please ensure that your virus definitions are up to date as all vendors will be urgently working on a resolution.
- Keep your plugins such as Adobe Flash Player and Java up to date; the most recent attacks have been using vulnerabilities that exist in older versions of Adobe Flash Player and Java but are fixed in the current version.
- Keep users with local administrator rights to a minimum - up to 90% of malware can be prevented if the user does not have local administrator rights.
- Ensure that your backups are up to date and verified; upon infection restoration of a backup is the only guaranteed method of getting your data back.
If your email service is provided by SWGfL then please forward any instances of phishing emails to email@example.com and to talk to the tech team call 0845 307 7870.
For more information on phishing please visit the Anti-Phishing Working Group (APWG).