How can I identify a Phishing website or email?
What is Phishing?
Phishing is when fraudsters send emails or set up fake websites, in an attempt to get users to provide confidential information such as user names and passwords for accessing anything from email accounts to online bank accounts. This confidential information can then be used by hackers and fraudsters. It is usually done by sending emails that appear to come from a valid and trusted source. Some are instantly recognisable as fake but others are constructed to look very convincing and use the exact design and logos of the company they are attempting to present themselves as. You can also end up on phishing pages by following links that you find on the web or in spam texts or messenger messages.
Software that protects your computer from viruses and other security risks, email account providers, web browsers and search engines are constantly trying to detect and combat phishing attempts by blocking phishing emails, taking down or blocking phishing websites or alerting users to content that is likely to be phishing. However, with new phishing emails and website being created and sent all the time, it isn’t possible to block all phishing emails or websites. This is why it is very important to always be aware of the signs that an email or website is fake and a possible phishing attempt.
Signs that an email is a phishing email:
-
Is the email requesting confidential information? If an email asks for confidential information or your username and password for an account or directs you to a website that requests confidential information then this should instantly make you wary. Legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
-
Check the ‘from’ address of the email: Is it a valid address for the company the email is claiming to represent? It may be similar to the company’s email address but if it is not identical then it shouldn’t be trusted. If it relates in no way to the company the email is claiming to represent then it is unlikely that it is valid.
Don’t trust the display name: You need to check the actual ‘from’ email address as the display name/email address that you see in the ‘From’ field on the email can be spoofed to look like a valid address. In Outlook you can hover over the ‘From’ address and view the full details to confirm the actual email address. If you are unsure then you can try googling the email address to see if that provides you with any indication as to whether it is a valid address for the company in question.
-
Urgent action required or a threat: Phishing and spam emails often stress that you have to act urgently, warning you that your account is at risk in order to get you to react and click on links. Be suspicious of emails that include wording such as "your account will be closed," "your account has been compromised," or "urgent action required." A recent phishing case stated - ‘A colleague has shared an important document with you’ and provided a fake link to the Microsoft Office 365 log on screen. You need to ask why the email refers to an ‘important’ document. This isn’t the sort of wording you would normally receive if someone shared a document with you.
-
Generic greeting: Be wary of any email that uses a generic greeting such as "Dear Customer" or "Dear Member". The fraudsters may have your email address but they are unlikely to have your name.
-
Link to a fake web site: The email may be very convincing and made to look exactly like an official email with the actual company logo and the same styling but does it link to a fake web site? A common trick is to provide a link to a fake web page which has been made to look exactly like the legitimate sign-in page of the company the email is pretending to represent. Do not click on any links on emails unless you are confident that they are valid. Hover over any links to confirm what the actual page is that it points to. You can also right click and select ‘Copy Hyperlink’ and copy this into a notepad or Word document so you can check whether it is valid. If the link looks suspicious and doesn’t relate to the company that the email is claiming to be from then do not click on it.
If an email provides a link to a page that asks you to log on to an account and you are not sure, it is always best to go to a bookmarked link or go directly to the companies’ official website and log in here rather than clicking on any links provided. If the email is alerting you to a valid request then you would be notified of the issue/request once logged on to your account through the standard method.
-
Look for signs that a webpage is secure and legitimate:
If you are confident that a webpage is legitimate then these further checks will help confirm that it is secure and legitimate:
i. Encryption: All web pages that ask you to log on to an account or submit confidential data should be secure and use encryption. The website address should always start https:// (and not http:// ) and a closed padlock should be displayed in the browser’s address bar.
ii. Most browsers including Internet Explorer and Chrome will also display the organisation’s name next to the padlock symbol if the website has passed additional validation to prove its legitimacy. Internet Explorer will also display a green address bar.
-
Legitimate links mixed with fake links: Fraudsters sometimes include authentic links in their spoof pages, such as to the genuine privacy policy and terms of service pages for the site they're mimicking. These authentic links are mixed in with links to a fake phishing web site in order to make the spoof site appear more realistic.
-
Don’t click on attachments: Phishing emails sometimes include attachments that contain viruses and malware. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments that you were not expecting. Legitimate companies are unlikely to send email attachments unless you are expecting to receive specific documents.
-
Spelling errors, poor grammar, or inferior graphics: Sometimes there are clear spelling or grammatical errors that a legitimate company would never include in their communications.
Here is a useful film published by the Met Police: https://www.youtube.com/watch?v=Q1bYf0-pYLs
Useful links: