Criminals operating online use hoax 'phishing' emails to trick millions of people into parting with their passwords, credit card details and other critical personal information. The consequences can be devastating.
Depending on the information you give them, they could take money out of your bank account, sell your information on to other scammers, or hijack your social media and email accounts to launch more phishing attacks on your friends. These fake emails and websites can be very difficult to tell apart from the real thing.
Here are some useful tips to help you spot and deal with a scam.
- Never reply to any email asking for your passwords, PINs or other account details.
- Make sure you know how to spot suspicious links and websites.
- Don't open attachments unless you completely trust where they have come from.
- If in doubt, please check IT Status for any known phishing emails or contact the IT Service Desk or your service provider (e.g. your bank) before responding to anything that looks suspicious.
- If you have received a phishing email or are concerned (e.g. you responded to a suspected phishing email), please report this to the IT Service Desk immediately. To report outside normal service hours (08:00 until 18:00 Monday to Friday), please telephone 0115 95 16677, which is available 24/7.
How to spot phishing emails
Why phishing emails work
Phishing emails can be extremely convincing and can easily catch you out, particularly if you're pushed for time and ploughing through lots of emails on autopilot.
- Scammers can send a lot of emails for next to nothing, and they only need one or two replies to get a return on their investment.
- It's easy to imitate the genuine article when sending an email. Fraudsters can make an identical copy of an official email from an organisation such as your bank or email provider and they can make links in emails look real.
- Websites can also be made to look just like the real thing. The only sign it's a scam may be the address shown in the browser's address bar.
What phishing emails look like
There are several signs that most (though not all) phishing emails exhibit. While these signs do not necessarily mean the message is fake, you should be suspicious of emails that:
- Ask for a password, PIN or other personal information.
- Warn you about a problem or imminent threat (e.g. 'If you don't respond within 48 hours, your account will be closed').
- Contain technical jargon and an incentive to part with your data (e.g. 'We are asking you for your password because we are currently refreshing our database to create more space for you').
- Ask you to open an attachment or make a donation.
- Relate to topical news items and upcoming events in the public domain (e.g. tax return deadlines).
- Contain poor spelling and grammar.
- Claim to offer something that is too good to be true.
- Contain generic greetings such as 'Dear Bank Customer' or 'Dear Email User'.
How to spot fake links in emails
The key to spotting phishing emails and websites is in the links and website addresses (otherwise known as URLs). Scammers can replicate legitimate sites down to the last pixel. However, while the links and website addresses they use can be deceptively similar, they can’t be identical.
Here's how to pick a URL apart using Barclays bank as an example:
Barclays Bank's URL is http://www.barclays.co.uk
The important bit is the domain name followed by the top-level domain: barclays.co.uk. To make it easier, modern web browsers highlight this part of the address for you.
- As long as barclays.co.uk remains intact and is the last thing before the first single forward slash (or at the very end if there is no forward slash), you should be able to trust the URL:
  - http://evil-scam-at.barclays.co.uk would still be a genuine Barclays URL
  - barclays.co.uk followed by a forward slash, as in http://barclays.co.uk/log-in, would be a genuine URL
- Be wary of dots and/or dashes after barclays.co.uk:
  - http://barclays.co.uk.log-in.com/ - the domain is now log-in.com
- Be wary of any forward slashes before barclays.co.uk.
- Don't trust URLs using numbers instead of words (usually, these are domain names in their original IP address form, which effectively anonymises who owns the site):
  - https://188.8.131.52/barclays/login.html - in this example barclays.co.uk is no longer intact. It has been replaced by numbers and comes after the first single forward slash, so this would suggest a scam.
- Don't let similar domain names trick you:
  - https://www.barclays-real.co.uk/ - barclays-real is no more 'barclays' than 'umbrellas' or 'unicorns'. Look the real website up on a search engine to make sure you know, down to every last character, what the genuine address should be.
If an email directs you to a completely random site, such as a Google spreadsheet for example, never put in your password or other data.
More ways to stay safe
As well as knowing a fake web or link address when you see one, there are several other useful tools and tactics you can employ to protect yourself from phishing attacks:
- Use the 'junk mail' filter in your email client to block spam.
- Make sure the link text inviting you to click through to a website is not disguising a rogue URL (hover over it to display the URL in the bottom left corner of your screen, or follow the guidance if it's a short URL such as Bit.ly, TinyURL, etc.).
- Don't follow links in emails that ask you to enter or change personal account information. If you want to verify or perform any requests, go directly to the website in question and log in to your account in the normal way.
- Never trust the sender name or the address in the 'from' field. Unlike true URLs, these are easily forged to mimic a genuine sender exactly.
- Make sure you have the latest version of your web browser, as the most recent ones can help warn you of known phishing websites.
- Before submitting personal details on any website, always check for the green padlock icon in the address bar at the beginning of the website address – this tells you that the connection is secure (i.e. encrypted).
- However, criminals can still create encrypted scam websites, so a green padlock is not a guarantee of safety. You still need to be eagle-eyed about checking the address is exactly what you are expecting it to be (and not, say, bbbc.co.uk, barcleys.co.uk, amaz0n.com, etc.).
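The URL rule from 'How to spot fake links in emails' and the lookalike addresses in the list above, written out as a small Python checker. This is an added example, not part of the original page or any University tool: it assumes you have already looked up the genuine domain (barclays.co.uk, taken from the page's example) and uses only the standard library. The attacker.example URL and the amazon.com comparison are constructed inputs; the rest are the page's own examples.

```python
import ipaddress
from urllib.parse import urlsplit

# The genuine domain from the page's worked example. Assumed here as the
# domain you have already looked up; pass any other site as `expected`.
EXPECTED_DOMAIN = "barclays.co.uk"


def host_of(url: str) -> str:
    """Host part of a URL (lower-case, no port, no credentials).
    A bare 'barclays.co.uk/log-in' is treated as http:// so it parses."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    """True for hosts written as raw IPv4/IPv6 addresses (numbers, not words)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near-miss spellings like 'barcleys'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(url: str, expected: str = EXPECTED_DOMAIN) -> tuple[bool, str]:
    """Apply the page's rule: the expected domain must be the whole host, or the
    end of it preceded by a dot, i.e. the last thing before the first single
    forward slash. Anything else (dots/dashes after it, a slash before it,
    a raw IP address, a similar name) is suspect. Returns (genuine, reason)."""
    host = host_of(url)
    if not host:
        return False, "no host name in the URL"
    if is_ip_literal(host):
        return False, f"host is a raw IP address ({host}), not a domain name"
    # Any subdomain of the expected domain counts as genuine, as the page states.
    if host == expected or host.endswith("." + expected):
        return True, f"host '{host}' ends with {expected}"
    brand = expected.split(".")[0]
    if brand in host:
        return False, f"'{brand}' appears in '{host}', but the domain is not {expected}"
    if edit_distance(host, expected) <= 2:
        return False, f"'{host}' is a near-miss spelling of {expected}"
    return False, f"host is '{host}', not {expected}"


def safe_to_enter_details(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """Genuine domain AND an encrypted (https) connection. The padlock alone
    proves only encryption; the domain check is what rules out a scam site."""
    genuine, _ = check_domain(url, expected)
    return genuine and urlsplit(url).scheme == "https"


if __name__ == "__main__":
    # Constructed sample list: the page's examples plus one URL with a slash
    # before barclays.co.uk and the lookalike spellings from later on the page.
    samples = [
        "http://www.barclays.co.uk",
        "http://evil-scam-at.barclays.co.uk",
        "http://barclays.co.uk/log-in",
        "http://barclays.co.uk.log-in.com/",
        "http://attacker.example/barclays.co.uk/login",
        "https://188.8.131.52/barclays/login.html",
        "https://www.barclays-real.co.uk/",
        "https://barcleys.co.uk/",
        "https://amaz0n.com/",
    ]
    for s in samples:
        genuine, why = check_domain(s)
        print(f"{'GENUINE' if genuine else 'SUSPECT'}  {s}\n    {why}")
```

The check deliberately does not try to work out which part of a strange host is its registered domain (that needs a public-suffix list); it only answers the question the page poses, whether the host really ends in the domain you expected, and then whether the connection is encrypted on top of that.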
What to do if you’ve been phished
If you receive a phishing email that asks for University credentials such as your password or to update your account, please contact the IT Service Desk immediately and also forward the email to firstname.lastname@example.org.
To report phishing outside normal service hours (08:00 until 18:00 Monday to Friday), please telephone 0115 95 16677, which is available 24/7.
The University will never ask for your password or other details, either by email or by phone.
Delete all other phishing emails and/or report them to the organisation they were masquerading as - links are available below for some of the most commonly targeted sites.
You can often report fraudulent sites using your web browser (e.g. Mozilla Firefox has the ability to do this) or service provider.
If you've given away a password, PIN, your banking details or other sensitive data, change the password and inform the relevant service provider immediately.