Plenty of Phish, but they're not in the sea.

Aug 14 / Eloise Watts
Cyber Crime is on the rise, so as we spend more time online, we need to know how to protect ourselves. To help this: welcome to our new Cyber Crime series! We’ll be tackling some common Cyber Crimes, looking at how they work, and how to protect yourself.

To make it easier for you to find what you need, we’re breaking each post down into sections. They’ll each follow a structure like this:
  • What is it
  • How to protect you
  • How to protect your business
  • What’s coming next

Today, we’re tackling Phishing. So, with no further ado… let’s get started.
An illustration of a brain

Phishing: What is it?

According to the National Cyber Security Centre, Phishing is where cyber criminals attack email users “to install malware (such as ransomware), sabotage systems, or steal intellectual property and money”.

Ok, but what does that actually mean?

Basically, when someone sends you an email that looks real, but is actually tricking you into giving sensitive information away. This could be things like, your password to an email account, your bank card information, or it may trick you into downloading an attachment full of malware that breaks or weakens your computer and its security.

Although Phishing is usually over email, it’s important to note that attackers have been known to use text messages, social media sites, and phone calls.

They can also attack thousands of users, or a large organisation, or attack one individual. This is usually based on who is completing the attack: an individual wanting some quick cash, or a larger group after some sensitive data.
An illustration of a hacker

How does it work?

Phishers range in expertise, and some phishing emails are incredibly difficult to spot.However, typically it’ll go a little something like this:

1. You get an email about:
  • “Urgently reset your password because your account has been hacked” - this could be for an email account, account, or something for your business
  • “Payment request” - possibly seems like it’s from a bank, and is requesting to make a payment into your account - “payment mistake, so we’re reimbursing you”, or an invoice from a large company.
  • A promise of something amazing that you desperately want or need - an email promising something that is just too good to be true. That someone is giving away an expensive or viral gift for free, or giving money away. Something that’s just not real.
2. Depending on the type of email, you’ll either be directed to a realistic but fake website asking for your details (email account login page, business account login page), or be asked to download an attachment.
3. Hopefully you spotted that it was a Phishing email and didn’t hand any of your details over! Or, if you weren’t sure then you took a minute to do a bit of research or get someone else’s opinion - sometimes other people would’ve got them before so will be able to spot them easier!
A locked folder of documents

How to protect yourself against Phishing

Here are our top tips for protecting yourself from Phishing. We’ve split them up for businesses and individuals, but it’s worth reading both so that you’re as protected as you can be.

Protecting yourself and your family

  • Don’t fall for URGENCY - even if the email says that you need to do something immediately, try and take your time to actually read the email and check that it doesn’t seem dodgy. The more stressed you are, the less likely you are to see the glaring mistakes the Phishers have made. Take your time, and read everything carefully.
  • Know your bank and account policies! If you get an email from your “bank” asking you to do something they wouldn’t normally ask, then ring them! Ringing the bank to double check that the email came from them is always a good thing to do. If it doesn’t seem right, it probably isn’t, when it’s something important, take the time to double check.
  • Hover over links before you click them - usually, links will give a description or name the website they’re going to take you to if you hover on them before clicking. Just check that the link you’re clicking actually takes you to the website it says it does and not a dodgy site you’ve never heard of. If it does - don’t click it!!
  • The sender address - does it look legitimate? If the email is supposedly coming from your bank, then does the email address match the format of others you’ve had before? If it’s a jumble of mismatched and random numbers, then likelihood is - it’s not who you think it is.
  • Check for spelling and grammar mistakes - this is a huge giveaway. Commonly Phishing emails are littered with spelling and grammar mistakes that you can spot if you take the time to read the full email. Think about it this way - would a huge company send out an email full of typos? Probably not.

Protecting your business

The National Cyber Security Centre (NCSC) recommends that businesses create a 4 layer protection against Cyber and Phishing attacks. Here’s the breakdown to minimise the risk to your business:

The NCSC's 4 Layer Approach

A diagram showing the NCSC's 4 Layer Approach
1. Make accessing your users difficult
  • Stop Phishers from being able to copy your email addresses and domains by signing up to sites such as DMARC, SPF, and DKIM. Let your contacts, partners, and friends know also, and get them to join.
  • Clean up your digital footprint - Phishers use whatever information they can find on the internet to make their emails look as realistic as possible. Make sure that none of the data you’re sharing on your website or social media could be used to trick you or your customers. Just be mindful.
  • Set up Spam blocks and filters - by stopping Phishing emails before they even reach you or your employees' inboxes you're minimising the time needed to check the emails, and minimising the risk that your employee falls for it. There’s loads of ways of doing this - email clients, server-side tech, or on the cloud-based email provider. Checking for a DMARC policy can also help with this.
2. Teach users how to spot Phishing emails, and what to do if they spot them
  • Training for your employees - hold workshop sessions where you give examples of Phishing emails, or ask your employees to spot which example is a Phishing email can help your company become more vigilant. There’s lots of online and external body training that can help you train your employees.
  • Explain how to report a Phishing email - reporting it to the IT or Security department for example, or an external body. Show your employees how to do that, and explain that it’s totally ok and helpful to get someone else to check the email for Phishing if you’re unsure.
  • Don’t punish your employees for not spotting a Phishing email. Not only are they sometimes incredibly hard to spot, but this could have a detrimental effect on your business. If you punish an employee for missing an email, then people may become scared to report them, so don’t (leaving your business vulnerable); or they may report every email, creating a large pile of emails that have to be checked again. This could lead to a real email becoming lost, or a Phishing email slipping through.
3. Put protection against undetected Phishing in place
  • Ensure that your devices are updated regularly, and are well configured. This means that the security measures on the device are most recent, and trained on the most recent attacks. You can also install extra security programs onto your devices to make sure you’re super safe.
  • You can also block dangerous websites by using Proxy services or Firewalls. This means that people can’t get to websites deemed “malicious” by the company. Again, this can be done by the company, or downloaded using a specialist service.
  • Make your secure logins even more secure - add a pin, or 2-factor authentication so that a Phisher with a hacked password still can’t access your data. You can do this using Google’s 2-Factor-Authentication process, in-house, or using external technologies. You can also limit the number of people who have access to these passwords so that Phishers struggle to get them. You can also use Password Managers such as Nord Pass or Bitwarden, who securely contain all of your passwords, and don’t autofill on fake websites.
4. Respond to attacks quickly
  • Detect phishing emails - check where employees report suspected phishing emails regularly, or create/join a logging system, where issues are detected and logged.
  • Create a response plan for attacks - by creating a strategy in case of attacks, if the worst is to happen then you know exactly what to do to minimise issues and get it sorted as soon as possible. There are lots of online guides that you can follow to create your plan, such as the 10 Steps to Cyber Security guide provided by the NCSC.
  • Practice runs - by practising the steps your company intends on taking when an attack hits, you can make sure the response is as seamless as possible. This also means that people won’t freak out if an attack happens, as they know exactly what to do, and steps can be taken as soon as possible. This will also show you any issues with your response plan, or anything that needs to be changed. You can use the NCSC’s Exercise in a Box, an online tool, to practise your responses.
An illustration of a webpage with a smiley face on it

So, what's next?

Hopefully this guide has given you a better understanding of Phishing, and how you can avoid it. Our key takeaway? Take. Your. Time. Does it really sound realistic?

If you’d like more information on Phishing, there are so many amazing resources online. Government websites are a great place to look. They have the most up-to-date information, policies, and links to report it.

And that’s everything for Phishing! Watch out for our next instalment… Identity Theft.

Normal heading 2

Why don't you check out our Web Development Mastery course? Go from complete beginner to industry-ready Junior Developer in as little as 28 weeks. 

Study around your life with our self-led course, and cancel at any time. Why don't you have a go? Enjoy a whole month on us...

Start your free trial today! Check it out here.