Dealing with a phishing attack

A phishing attack is when a criminal communicates with you via email to try to trick you into sharing sensitive information, such as credit card numbers, account usernames and passwords, and security information. Phishing emails often try to lure you to a fake website to trick you into entering your login details so the criminals can gain access to the real website. The phishing emails - or fake websites - may also be loaded with malicious software that infects the recipient's device and enables a wider cyber attack.

How to spot a phishing email

Phishing emails used to be more straightforward to spot. You would get an email from a Nigerian Prince asking for money so he could make you rich. However, cyber criminals have realised there is money to be made and put a lot of effort into tricking people into thinking it is a real email from a friend or an official organisation like a bank. Cyber criminals sometimes research their victims before sending the emails and include personal information that makes it much more likely you will click.

  1. The email is sent from a public email address - Look at the sender's email address, as this can help identify whether the person is truly who they claim to be. Often, the criminal will use a public email address such as gmail.com. If your bank or a company is going to email you, it will come from a company email account with the company name in the email address. Note that an email can display one sender name or address but actually be sent from another. At the top of the email, click on the sender's name to see the real email address being used.

  2. Asks you to verify secret information - Phishing emails often ask recipients to verify personal information, such as bank details or a password. Legitimate organisations will never do this by email; any email that does is a phishing email.

  3. Strange attachments - If you receive an unexpected email or an email from someone you don’t know asking you to open an attachment, do not open it. These attachments can contain malware that can harm your computer and capture your personal data.

  4. The creation of a sense of urgency - Phishing emails often try to rush you into acting. They can create a sense of urgency by warning that your account has experienced suspicious activity or by pretending to be someone you know who is in urgent need of financial help. These are massive warning signs. If you are ever unsure, contact the company or person using the contact details you already have for them or that are on their legitimate website. Never use any contact details or click any links provided in the email.

  5. Links to unrecognised website addresses - Phishing emails may ask you to click a link within the email. By hovering your mouse over the link or address, you can see the linked site's true URL (the website address). These URLs can be slightly misspelled or completely different from what you are expecting, so always double-check before you click.

  6. Poor spelling and grammar - You can often detect a phishing email by the way it is written. The writing style might be different to that usually used by the sender and it might contain spelling mistakes and poor grammar.
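As an added example (not from The Cyber Helpline's page), the following Python script applies signs 1 and 5 above to a constructed email: it flags a sender using a public webmail domain behind an official-looking display name, and a link whose visible text shows one website address while the link itself points to another. The sample message and the short list of public webmail domains are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): bank-like display name from a
# public webmail address, and link text whose host differs from the real href.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <example.bank.security@gmail.com>
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<p>Your account has been locked. Please visit
<a href="http://examp1e-bank.com/login">https://www.example-bank.com/login</a>
within 24 hours.</p>
"""
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # illustrative subset

class LinkCollector(HTMLParser):
    # Collect (visible text, href) pairs for every <a> tag in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_email(raw):
    """Flag signs 1 and 5: public sender domain; link text host != href host."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    warnings = []
    if addr.rpartition("@")[2].lower() in PUBLIC_WEBMAIL:
        warnings.append(f"sender '{name}' uses public address {addr}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for text, href in collector.links:
        if "://" not in text and not text.startswith("www."):
            continue  # plain words such as "click here" cannot be compared
        shown = urlparse(text if "://" in text else "//" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            warnings.append(f"link text shows {shown} but points to {real}")
    return warnings
```

Running `check_email(SAMPLE_EMAIL)` returns one warning for the gmail.com sender and one for the link whose text names www.example-bank.com while the href goes to examp1e-bank.com; the same message with a matching sender domain and link returns no warnings.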

What to do if you have fallen for a phishing scam

It is very easy to fall for a phishing scam; even cyber security experts can fall for them. Don't feel ashamed or embarrassed. The key focus once you realise you have fallen for one is acting quickly.

  1. Take the device you were using offline - There is a chance you have malicious software on the device you used, so you should turn off Wi-Fi, Bluetooth and any cabled internet connections. This will limit the malicious software's ability to work - for example, sending phishing links to everyone in your email contacts.

  2. Change your passwords - If you provided a password, clicked on a link or downloaded an attachment, it is worth changing the passwords for the accounts you have used on the device. Use a different device to change your passwords, not the device that got hit.

  3. Contact the organisation that was spoofed - Report the phishing attack to the company, whether it’s your email provider, your utility company, or your employer that the criminal impersonated. Let the company know that you changed your password, and follow their instructions for safeguarding your information and your account. If you gave out financial information, you will need to contact your bank and may need to cancel your existing card and get a new one.

  4. Scan your devices for malicious software - Whether you downloaded an attachment or clicked on a link, it’s a good idea to scan your computer for viruses and malware. Anti-virus software can examine your computer, alerting you to any files that may have been infected. You can see our guide for finding and removing malicious software here.

  5. Watch out for warning signs of identity theft - If you’ve revealed any financial information or other sensitive data like your bank details, you need to watch for signs of identity theft. First, keep a close eye on your bank and credit card statements, looking for any withdrawals or purchases that you didn’t authorise. You can also ask your bank to alert you of any unusual activity.

Report the crime

If you are in England, Wales or Northern Ireland you should report all cyber crime to Action Fraud. In Scotland, you can see details of reporting to Police Scotland here.

How to avoid falling for a phishing scam again

  1. Be suspicious of emails - Anyone who knows your email address can email you, and it is likely your email address is easy to find online. Be suspicious of every email you receive - ask yourself whether the email could be a scam.

  2. Trust your gut - Most people who fall for phishing scams had a funny feeling about the email before they clicked the link, shared the information or downloaded the attachment. If it doesn't feel right, it probably isn't. Delete the email and check directly with the person or organisation that 'sent' the email.

  3. Never provide personal information over email - Never divulge personal information requested by email such as your password, security code or credit card number. Legitimate organisations will not ask you to do this.

  4. Type the website address into your browser, don't follow email links - Never click a link in an email. If you receive an email from an organisation, go to their website and log in there. This greatly reduces your chance of being scammed.

  5. Check any phone numbers online before calling them - If a phone number is provided in an email, you should go to the organisation's website and call their regular number.

Donate

To help people like you we rely 100% on donations from people like you.

Without donations we cannot keep our service free and provide help to the most vulnerable victims of cyber crime when they need it most. As a not-for-profit organisation, 100% of your donation goes towards keeping The Cyber Helpline up and running - so 100% goes towards helping people like you. Donate now and help us support victims of cyber crime.