Protect against phishing, vishing & other inbound scams.

We’ve all noticed the number of scam emails and phone calls increase over the past few years. But with their increasing level of sophistication, what steps can we take to protect ourselves online?

What is phishing?

Phishing is a type of fraud in which criminals create emails and websites that look like they come from a trusted sender such as your bank or council, or a site like Amazon or eBay. In reality they are trying to harvest your confidential information, such as bank details, usernames and passwords. The word phishing is a play on ‘fishing’, with the ‘ph’ borrowed from ‘phreaking’, the old slang for hacking phone systems, and it accurately describes what scammers do: they put their email bait out there and wait for someone to bite.

What are the other types of phishing?

Continuing with the fishing-related terms, there are a number of phishing subtypes:

  • Spear phishing is a highly targeted attack on a specific individual or company. It usually involves the criminal doing some research first to increase the likelihood of a catch, and that information is often found on social media accounts.

  • Whaling is where criminals target high-profile individuals or senior company executives in an attempt to gain sensitive data. The bait is often tailored to the role, such as a fake legal document or a customer complaint.

  • Catphishing is a form of deception where a criminal builds a relationship with someone who has access to sensitive data, then uses that trust to manipulate how they handle it.

  • Catfishing is slightly different: criminals create fake identities (often on online dating or social media sites) to lure victims into a romantic relationship, and then typically ask for money before they will meet in person.

  • Smishing is SMS phishing, or phishing over text message. Criminals send their bait to your phone over the SMS network and try to get you to click on a link, make a call or send an email.

  • Vishing is voice phishing: criminals make contact by phone to get targets to part with their bank details or money. This often involves spoofing the caller ID so the call looks local or appears to come from a trusted institution.

What do the criminals want?

Typically the criminals’ aim is to extract money from their targets, either in the short or long term. For example, they may be trying to get your online banking credentials or to get you to send money directly to them. They may also be trying to infect your devices with malware, such as a keylogger that records every keystroke on every site you visit. In the corporate world, they may be after sensitive information for corporate espionage, or may be working on behalf of other nation states to gain access to sensitive targets, such as sub-contractors of firms that operate national infrastructure networks.

What techniques are the criminals using?

Criminals are becoming increasingly sophisticated in their attacks and are continuously refining the ways they conceal their intentions. For example, most forms of phishing include some form of link deception to make you think a link leads to a legitimate website. Examples include:

  • Registering a fake domain and putting the real site’s name in front of it as a subdomain, such as www.realwebsite.fakewebsite.com. The part that matters is the registered domain, fakewebsite.com; whoever owns it can create any subdomains they like.

  • Misspelled addresses such as www.realwebssite.com or www.rea1website.com (a digit 1 in place of the letter l).

  • Making the link point to their fake website while showing the text of the real website’s address. Hovering over a link (or long-pressing it on a phone) reveals where it really goes.

  • Making a web address look the same by using a character from another alphabet, such as Greek or Cyrillic, that is visually identical to the Latin letter it replaces (a Cyrillic ‘а’ in place of a Latin ‘a’, for example). Browsers often display such mixed-alphabet addresses in an encoded form beginning with xn--, which is itself a warning sign.

  • Attaching benign-looking documents to emails, such as Word documents, Google Docs or PDFs, that actually infect your computer or take you to a phishing website.

  • Sending links to a legitimate website but overlaying a pop-up window that makes you think the legitimate site is asking for your credentials.
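The first four tricks in that list can all be checked mechanically, which is what browser anti-phishing filters and mail gateways do. The following Python script is an added example written for this article, not code from the original page or from any browser vendor. It assumes a constructed allow-list of trusted domains (TRUSTED_DOMAINS) and a hard-coded handful of registry suffixes (KNOWN_SUFFIXES); a real tool would use the Public Suffix List instead. Given the text a link displays and the address it actually points to, it flags the subdomain trick, near-miss misspellings, look-alike characters from other alphabets and link text that names a different site from the real target.

```python
import unicodedata
from urllib.parse import urlparse

# Domains we treat as legitimate in this example (constructed; a real deployment
# would use the organisation's own list of sites it sends links for).
TRUSTED_DOMAINS = {"realwebsite.com", "example-bank.co.uk"}

# Registry suffixes this toy recognises. A real tool would use the Public Suffix
# List rather than this hard-coded handful.
KNOWN_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def host_of(text):
    """Hostname of a URL or bare domain, lower-cased; '' if there is none."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Strip subdomains down to the name that was actually registered.

    www.realwebsite.fakewebsite.com -> fakewebsite.com: the 'realwebsite' label
    is just a subdomain chosen by whoever owns fakewebsite.com.
    """
    labels = host.rstrip(".").split(".")
    for n in (2, 1):                      # try co.uk before uk
        if ".".join(labels[-n:]) in KNOWN_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host


def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the typo-squatting sweet spot."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(host):
    """Set of Unicode scripts (LATIN, CYRILLIC, GREEK, ...) used by letters in host."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in host if ch.isalpha()}


def analyse_link(display_text, href):
    """Return a list of human-readable warnings for a link; empty means nothing found."""
    findings = []
    host = host_of(href)
    labels = host.split(".")
    domain = registrable_domain(host)

    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            # Subdomain trick: the trusted name appears, but not as the registered domain.
            if brand in labels:
                findings.append(f"'{brand}' is only a subdomain of '{domain}'")
            # Misspelling / digit swap: close to a trusted domain but not equal.
            if 0 < edit_distance(domain, trusted) <= 2:
                findings.append(f"'{domain}' is a near-miss for '{trusted}'")

    # Homoglyphs: any non-ASCII letter, a punycode (xn--) label, or mixed alphabets.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        findings.append("hostname contains non-ASCII or punycode characters")
    if len(scripts_in(host)) > 1:
        findings.append("hostname mixes alphabets (e.g. Latin and Cyrillic)")

    # Link text that names one site while the href goes to another.
    shown = host_of(display_text)
    if "." in shown and registrable_domain(shown) != domain:
        findings.append(f"text shows '{shown}' but the link goes to '{host}'")
    return findings


if __name__ == "__main__":
    # Constructed sample links mirroring the tricks listed above.
    samples = [
        ("www.realwebsite.com", "http://www.realwebsite.fakewebsite.com/login"),
        ("Click here to verify", "https://www.rea1website.com/verify"),
        ("realwebsite.com", "https://www.re\u0430lwebsite.com/"),   # Cyrillic а (U+0430)
        ("realwebsite.com", "https://www.realwebsite.com/account"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href!r}")
        for finding in analyse_link(text, href) or ["no warnings"]:
            print("   ", finding)
```

The key idea is in registrable_domain: a hostname is read right to left, so the owner of fakewebsite.com controls everything to the left of it, and no amount of familiar-looking text in the subdomain makes the link trustworthy. The mixed-alphabet check is why a single swapped Cyrillic letter, invisible to the eye, is easy for software to catch.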

How can you spot the signs?

The first thing to do is be aware that phishing is happening and that criminals dedicate huge resources to getting your data. Think of your data, usernames, passwords, accounts and PINs as among the most valuable things you have and protect them accordingly.

Phishing attempts almost always carry some form of time-sensitive urgency. You will read things like:

  • Your account needs to be verified immediately.

  • Your bank details have expired and your account will be closed unless you reconfirm them.

  • Your website will be taken down very soon unless you act.

  • You will face legal action unless you open this document.

In the cold light of day, it seems fairly obvious that these things don’t add up. However, we don’t all read every email thoroughly and may click on links without thinking, so we need to slow down when dealing with any email that asks us to log in or part with account details.

Another giveaway is the information contained in the email. Organisations often include things like your first name or the last four digits of an account number to prove they are legitimate, but this is not a guarantee: that information may already have leaked elsewhere, and be aware that the first few digits of a card number identify the issuer and are the same for every customer, so an email quoting them proves nothing. Be alert when emails are addressed to ‘Dear Consumer’, ‘Dear Customer’ and the like.

Equally, sometimes the emails don’t look quite right and are poorly formatted, but as the criminals’ techniques improve, so does the presentation of their emails.

Stay up to date and use extra authentication where possible.

Make sure you use the latest web browsers on your devices; they often have anti-phishing measures built in and will warn you of suspected website forgeries.

Furthermore, many banks let you choose a special phrase or picture to be shown each time you log in, to prove the website is legitimate. Treat this as a helpful hint rather than proof: a fake site that passes your login through to the real bank can pass the picture back to you as well.

Many websites now also offer multi-factor authentication, where you have to enter a code generated by an app or sent to you by text message in addition to your password. Use it wherever possible. An app-generated code is stronger than a text message, which can be intercepted or redirected if a criminal takes over your phone number, and a physical security key is stronger still because it will only work with the genuine website.

Conclusion.

Phishing attacks are getting more sophisticated and increasingly difficult to spot. What’s important is that you maintain a sceptical attitude to every unexpected email and phone call you receive, and keep your friends and family up to date with how to spot the signs.

You can also report suspicious emails to Action Fraud and find out more information on their website.

You can also read our article on keeping your data private online.
