What can we do about online scams and phishing emails?

Firstly, let me explain what an online scam or phishing email looks like.

‘Phishing’ is when criminals use scam emails, text messages or phone calls to trick their victims. The aim is usually to get you to visit a website, which may install malware on your computer or trick you into handing over bank details, passwords or other personal information.

As of February 2023 the National Cyber Security Centre had received over 18 million reports of suspicious emails through its reporting service, and the number keeps rising.

In this blog article I’m going to discuss phishing emails, but I appreciate that phishing texts and calls are also a very modern issue. I’m sure we’ve all had those calls pretending to be from our Internet provider, telling us there is a problem with our connection and that we need to take some action to resolve it!

So, what can we do about phishing emails?

Well, it’s a very big challenge, as there is no single technical control that will stop every phishing scam.

Below I will outline practical things that we can all do as individuals to help combat such issues.

What can I do to prevent myself from being a victim of a scam/phishing email?

The best advice I can give is:

  • Ignore and delete emails where the “From” name and the email address don’t marry up, or where well known domain names are spelt incorrectly. Even if the From name and email address do “marry up”, use the advice below if something doesn’t quite add up, i.e. the language is odd or they are requesting something that you are not expecting
  • be suspicious of emails that have attachments from sources that you don’t recognise
  • be suspicious of emails that request you to make payments or to provide bank details
  • be suspicious of emails that you don’t automatically recognise and that ask you to click on links to complete forms. Hover over the link and see where it is actually taking you: if the website address doesn’t look genuine, or doesn’t marry up with the sender’s email domain, then it is likely to be a fraudulent site set up to capture your details or install malware
  • be suspicious of emails whose content uses language that doesn’t seem “normal” or is poorly written
  • be suspicious of emails that have a sense of urgency about them
  • be very suspicious of all emails with “zip” files attached, even from people whom you recognise, as a compromised account can be used to send them
  • use your own common sense and ask yourself whether the person in question would send the email in that format and using that language. If you know the person, check with them by another route (a phone call, not a reply to the email) to see whether they sent it

Example

In this example, you can see that the sender’s email address doesn’t align with the message’s content, which appears to be from PayPal.

However, the message itself looks realistic, and the attacker has customised the sender’s name field so that it will appear in recipients’ inboxes as ‘Account Support’.

Other phishing emails will take a more sophisticated approach by including the organisation’s name in the part of the address before the @ symbol (the “local part”). In this instance, the address might read ‘paypalsupport@gmail.com’.

At first glance, you might see the word ‘PayPal’ in the email address and assume it is legitimate. However, you should remember that the important part of the address is what comes after the @ symbol. This is the domain, and it tells you which organisation the mailbox belongs to.

If the email is from ‘@gmail.com’ or another public webmail domain, you can be sure it has come from a personal account and not from the organisation it claims to represent.
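The checks above (does the From address match the content, where does the link really go, is the domain a lookalike, is there pressure to act now, is there a zip attached) can be written down as a small triage script. The following is an added example written for this article, not a tool the author uses or recommends. Both messages it inspects are constructed samples, the list of webmail domains and urgency phrases is illustrative, and the assumption that a brand’s genuine domain is `brand.com` is a simplification that happens to hold for PayPal.

```python
"""Heuristic triage of a suspicious email: the manual checks above, in code."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: display name says "Account Support",
# body impersonates PayPal, but the address is a free webmail account and the
# link points at a lookalike host with a digit 1 standing in for the letter l.
PHISH = """\
From: "Account Support" <paypalsupport@gmail.com>
To: someone@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, your PayPal account has been limited.</p>
<p><a href="http://paypa1-secure-login.example.net/verify">Verify your details within 24 hours</a></p>
</body></html>
"""

# Constructed benign sample for comparison: brand, sender domain and link all agree.
LEGIT = """\
From: "PayPal" <service@paypal.com>
To: someone@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your PayPal statement is available at
<a href="https://www.paypal.com/myaccount/">www.paypal.com</a>.</p></body></html>
"""

PUBLIC_WEBMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify your")
RISKY_EXT = (".zip", ".exe", ".scr", ".js", ".iso", ".html")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


class BodyParser(HTMLParser):
    """Collect link targets and visible text from an HTML (or plain text) body."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)
    def handle_data(self, data):
        self.text.append(data)


def same_org(host, domain):
    """True when host is domain itself or a subdomain of it (not merely contains it)."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def imitates(host, brand):
    """Brand name still readable once common digit-for-letter swaps are undone."""
    return brand in host.translate(HOMOGLYPHS).replace("-", "")


def triage(raw, brand="paypal"):
    """Return a list of (code, detail) findings; an empty list means nothing fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()   # the part after the @
    findings = []

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = BodyParser()
    parser.feed(body.get_content() if body else "")
    text = " ".join(parser.text + [str(msg.get("Subject", ""))]).lower()

    # Check 1: content claims a brand that the sender's domain does not match.
    if brand in text and brand not in sender_domain:
        findings.append(("BRAND_DOMAIN_MISMATCH", f"mentions {brand} but sent from {sender_domain}"))
    if sender_domain in PUBLIC_WEBMAIL:
        findings.append(("PUBLIC_WEBMAIL", f"{sender_domain} is a personal account provider"))

    # Check 2: "hover over the link" - does it go where the sender's domain suggests?
    for link in parser.links:
        host = (urlparse(link).hostname or "").lower()
        if not same_org(host, sender_domain):
            findings.append(("LINK_DOMAIN_MISMATCH", f"link goes to {host}, sender is {sender_domain}"))
        if imitates(host, brand) and not same_org(host, f"{brand}.com"):   # assumes brand.com is genuine
            findings.append(("LOOKALIKE_HOST", f"{host} imitates {brand}"))

    # Check 3: a sense of urgency.
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append(("URGENCY", ", ".join(hits)))

    # Check 4: risky attachments, zip files included, whoever the sender is.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(("RISKY_ATTACHMENT", name))
    return findings


def with_zip_attachment():
    """Constructed message from a known contact carrying a zip; only the attachment check fires."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "colleague@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_string()


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("zip", with_zip_attachment())):
        print(label, triage(raw))
```

Run against the constructed phishing sample it reports all four categories (brand/domain mismatch and public webmail, link and lookalike host, urgency), against the benign sample it reports nothing, and against the zip variant it reports only the attachment. None of this replaces a proper mail filter; it simply shows that the things a person is asked to look for are checkable, and that the “what comes after the @” rule is the one that does most of the work.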

Where can I report phishing scams and is there anything else I can do?

You can report suspicious emails to the National Cyber Security Centre at report@phishing.gov.uk. You may also be able to report the email to your local trading standards – but please check with them first.

In terms of technical solutions, it is very hard to stop these scams coming through, because of the way email systems are built. Anyone who has a working email account can change the display name on that account to look like it has come from someone else. For example, it would take me literally 1-2 minutes to create an account that looks like it belongs to Richard Branson at Virgin; it really is that easy. Worse, where the organisation being impersonated has not published SPF, DKIM and DMARC records for its domain, the address itself (not just the display name) can be forged, so businesses should make sure those records are in place for their own domains.

If you are a business then we do recommend using mail filtering services on top of your email provision. If you use Microsoft 365 then additional filtering (for example Microsoft Defender for Office 365) can be added to help filter some of these out. If you use other email services then you may be able to pay for additional filtering; in this scenario, call your email provider to see what they can do.

We would also always recommend that you have good quality anti-virus and anti-ransomware protection where possible. Although there is free anti-virus software out there, if you can afford a paid solution that comes with anti-ransomware protection then we’d always recommend that.

What do I do if I have clicked on a link within a phishing email or replied to a phishing email?

Ultimately, the answer to this question depends on how much you have engaged with the scam. For example, if you have simply replied to an email that you now believe is a phishing email, then we recommend blocking the address it was actually sent from with your email provider and ignoring any further emails you may get from that person. Replying does confirm to the scammer that your address is live, so expect more attempts, but it is unlikely that further problems will be caused by this type of engagement on its own.

If you clicked on a link within a phishing email then it may be necessary to run a scan of your computer, just in case additional software has been installed on the device. If you click on a link in a phishing email and then realise something doesn’t quite sit right, close any additional boxes or browser windows that have come up and end the process as quickly as you can. This may well be enough to stop malware being installed on your device. If you typed a password into the page that opened, change that password straight away, and on any other account where you reuse it.

If you went further than that and provided bank or card details, then we would recommend the above advice plus contacting your bank immediately to try to get the payment cancelled. You may also need to get the credit/debit card cancelled at the same time, to prevent the scammer re-using the card on multiple occasions.

In this scenario we would also recommend reporting this to the National Cyber Security Centre.

Summary

Ultimately the best protection against phishing emails is our own common sense and education! Absolutely, as an individual or organisation, we need to make sure we have appropriate anti-virus and anti-ransomware protection, but ultimately it is our education and common sense which will help prevent these attacks from harming any of us.

If you are an individual then try to take the above advice on board. If you represent an organisation, then regularly remind your staff what they should be looking out for and point out recent examples of phishing emails. Empowering staff with knowledge through regular reminders will provide the very best protection.