What’s the easiest way to steal someone’s car? Ask them for their car keys, of course.
That’s how some criminals get hold of your information – they just ask you for it. But, if you received an email from a hacker asking for your username and password, naturally you’d refuse.
Instead, criminals use a technique called phishing to trick you into handing over personal information, usually through email. They then use this information to steal your identity or your money.
Phishing emails are designed to look like they are genuine messages from a company, organisation or someone you trust, for example the University or your bank. They may also appear to come from a legitimate email address or someone in your address book.
A phishing email might ask you to:
- reply directly to an email
- open an attachment
- click a link to a website and fill out a form
- make a phone call
What to look out for
- Does it use your full name? Phishing emails typically use terms like ‘Dear Customer’ as they do not have your personal details. However, more sophisticated scams may use your real name.
- Suspicious website addresses. Phishers often mask links to make them appear genuine. If you’re asked to click a link to a website, hover your mouse over the link to see where it’s really pointing to. If the tooltip doesn’t match the link in the email text, don’t click it.
- Urgent warnings. Phishers will try to make you panic. Messages like “if you don’t respond within 48 hours, your account will be closed” convey a sense of urgency so that you’ll respond immediately without thinking.
- Sloppy spelling or grammar. Look out for Americanisms or strange terminology. Genuine emails won’t be littered with poor grammar and spelling mistakes.
- Attachments you aren’t expecting. Some phishing emails may ask you to open an attachment, for example an order receipt or invoice. These attachments may contain harmful viruses or malware that steal information from your computer.
- Different reply-to addresses. If you click reply, is the reply-to email address the same as the sender address? If it doesn’t match, it’s likely to be phishing.
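The checklist above maps directly onto a few automated checks. The script below is an added example, not part of the original page: it parses constructed sample messages (all hostnames use the reserved `.example` placeholder) and reports which of the page's indicators fire, assuming a single-part HTML message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail); every hostname is a placeholder.
SUSPICIOUS = """\
From: IT Helpdesk <helpdesk@university.example>
Reply-To: support@mailbox-recovery.example
Subject: Action required
Content-Type: text/html

<p>Dear Customer,</p>
<p>If you don't respond within 48 hours, your account will be closed.</p>
<a href="http://university.example.login-verify.example/reset">https://www.university.example/reset</a>
"""
BENIGN = """\
From: Library <library@university.example>
Content-Type: text/html

<p>Dear Alex Smith,</p>
<p>Your book is due on Friday. Renew it via <a href="https://library.university.example/renew">the library portal</a>.</p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY_RE = re.compile(r"\b(within \d+ hours|account will be (closed|suspended)|act now|immediately)\b", re.I)
GREETING_RE = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)

# Domain part of the first address in a From/Reply-To header ('' if the header is absent).
_domain = lambda header: parseaddr(header or "")[1].rpartition("@")[2].lower()
_host = lambda url: (urlparse(url.strip()).hostname or "").lower()

def phishing_indicators(raw_message):
    """Return the sorted indicator names triggered by a single-part raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    found = set()
    # Reply-To pointing at a different domain than the visible sender address.
    reply_to = _domain(msg.get("Reply-To"))
    if reply_to and reply_to != _domain(msg.get("From")):
        found.add("reply_to_mismatch")
    # Link text that displays one web address while the href leads somewhere else.
    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "://" in shown or shown.lower().startswith("www."):
            if _host(shown if "://" in shown else "http://" + shown) != _host(href):
                found.add("link_text_mismatch")
    # Urgent wording and a generic greeting, as listed on the page.
    found.update(name for name, rx in (("urgency", URGENCY_RE), ("generic_greeting", GREETING_RE)) if rx.search(body))
    return sorted(found)
```

Running `phishing_indicators(SUSPICIOUS)` flags all four indicators, while `phishing_indicators(BENIGN)` returns an empty list; these are heuristics for triage, not proof either way.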
Other types of phishing
Some phishing attempts are more subtle. Hackers might use information you post on social media to persuade you that they are someone you know. Think carefully before you share information online and check the privacy settings on your social media accounts.
Whaling involves phishing attacks directed at senior individuals in an organisation. Hackers use publicly available information to make it look as though they know the person they are emailing. The key is in what they are asking you to do. If senior staff don’t normally ask you to email staff payroll details or transfer large amounts of money between accounts, then the email probably isn’t genuine.
Think you’ve received a phishing email? Here’s what to do
Stay calm. Don’t reply to it, don’t action it, just delete it. There’s no risk in simply receiving a phishing email. If you would like a second opinion you can contact the IT Helpdesk.
You can report a phishing email by forwarding it to email@example.com.
Download and print our phishing poster