According to the Verizon DBIR report, in 2020, 22% of data breaches involved phishing attacks. Phishing is among the oldest and most favoured tricks of cybercriminals: it manipulates people with an illusion of trustworthiness so that they grant access or carry out malicious actions using their own privileges on the target. Everyone on the Internet should know how to spot and report phishing attacks.
What is phishing?
Phishing is a social engineering attack used to steal sensitive information such as financial information, personally identifiable information (PII) or credentials. The attack uses email, text messages and voice calls as attack vectors, with attackers masquerading as trusted contacts to lure victims into executing attachments, clicking links or replying to messages.
Types of phishing attacks
There are several types of phishing attacks, differentiated by the attack vector used during the campaign. The top 7 types of phishing attacks are described below:
Spear phishing
A well-crafted, highly targeted attack that lures a specific victim into opening a malicious attachment or submitting sensitive data. The target could be any employee within an organisation.
Smishing (SMS phishing)
Phishing via SMS or phone text messages, targeted at mobile users. Messages often include QR codes, notifications, links, etc.
Vishing
Vishing involves phone calls purporting to be from legitimate contacts such as tech support, supply chain vendors or other contacts, to extract sensitive information or convince victims to perform actions.
Pharming
Pharming involves rerouting web traffic to an attacker-controlled, legitimate-looking page without the user’s knowledge, with the aim of stealing user information. The user types in the correct website address, and the traffic is rerouted without the user noticing.
Whaling
Whaling is a targeted phishing attack, similar to spear phishing, aimed only at senior management or high-ranking employees. It is launched using social engineering techniques such as a legitimate-looking email that conveys urgency or prompts the victim to act, for example by authorising a funds transfer or approving an invoice.
An example of a whaling attack is a Snapchat employee who fell for someone impersonating the CEO and revealed payroll information.
BEC (Business Email Compromise)
Business email compromise involves phishing emails targeted at business users, requesting actions such as submitting information, executing files hidden in MS Office documents or email attachments, or performing wire transfers.
Malvertising
Malvertising involves online advertisements with embedded malicious code that distributes malware to the people who view them.
Whaling vs phishing
We are sometimes asked about ‘whaling vs phishing’. Whaling is a form of phishing in which a highly targeted attack is aimed at specific high-ranking individuals in an organisation. Phishing is the broader attack vector, in which victims are lured into clicking a link, browsing an infected website or executing a malicious file.
How to spot a phishing email?
Spotting phishing emails in 2020 is harder than before because of increased sophistication and messages tailored to a victim’s specific interests, which raises the likelihood of success. For cybercriminals operating in organised crime groups, phishing is one of the most profitable operations because of the low cost of the infrastructure and setup required.
Even though phishing is one of the oldest cyber attack methods, many people and companies still fail to spot phishing emails and fall victim to them. Cybercriminals also use typosquatting techniques to trap users with clickbait.
The techniques below for identifying a phishing attack are the most practical and fundamental approaches. They are used across the cyber security industry to help companies, employees and individuals identify and prevent identity and financial fraud.
Email address domain
The very first thing that helps spot a phishing email is the domain of the sender’s email address. Whenever you receive an email, look at the domain first and check whether it belongs to a legitimate organisation or is a public or unknown domain. Most organisations have their own domain, but small companies often rely on third-party email providers for their business operations.
To identify a phishing attack, look closely at the email and the domain of the email address, and search for the domain in a search engine to check its credibility.
Domain names often look alike because of their alphabetical structure, so it is essential to examine the spelling of the domain character by character. People sometimes overlook a single spelling difference and fall for phishing scams.
Also compare the “From” address and the “Return-Path” of the email to verify the sender’s legitimacy. You can also hover your mouse over the sender’s email address to see any alterations. One way to verify an alteration is to examine the address for numbers, letters, special characters or anything else suspicious that may have been forged into it.
Poorly worded email content
Phishing emails are often poorly written, with minor or even major grammatical and spelling mistakes. When screening your emails for phishing, pay attention to the message content and the sender’s tone. One way to spot phishing is to look at how the email is crafted: how has the sender conveyed the message, does it sound too good to be true, or does it use forceful words pushing you to take an action?
Legitimate organisations and service providers address their customers or employees by name and know how to write an error-free email. A genuine email should contain your name rather than a generic reference. For example, notice whether the sender has addressed you by name or used generic words such as ‘dear customer’ or ‘dear account holder’. It is crucial to spot the details that differentiate a phishing email from a legitimate one.
Asking for sensitive information
Even after checking the email domain and the writing tone, keep in mind that the attacker’s goal in a phishing email is to obtain sensitive information for their own benefit. Suppose you receive an email asking for your username, password, phone number, credit card number, bank details, tax number or identity information: treat it as a likely phishing attempt, because there is a high chance that such an email is a scam.
Employees are the favourite targets of phishing attacks. If you think you have received a reliable or legitimate email, cross-check it to rule out phishing. You can verify it by directly calling or messaging the person or company the email claims to come from, using contact details you already hold rather than those given in the email.
Unsolicited attachments or links
Unsolicited attachments and links appear in most phishing emails. Suppose you receive an email with an authentic-looking signature and copyright badge that pressures you to click a link or open an attachment such as a document, file or image. Do not open it without verification.
Many phishing emails carry malicious attachments and forged signatures, and once you click or open the attachment you are caught in the phishing scam. Remember that a genuine, legitimate organisation will not send you files by unsolicited email without prior notice.
Besides attachments, never click a link without verification. If there is a link in the email, always examine the URL. First, check whether the URL uses HTTPS, bearing in mind that HTTPS only means the connection is encrypted; phishing sites can use it too, so it does not prove the site is genuine. Then hover your mouse over the link to check whether it leads to the website it claims to, or somewhere else.
Finally, trust your instinct: compare the email’s context with the link, and only click if they match and seem legitimate.
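As an added example (not code from the original article), the following Python script automates the checks described in the sections above on a raw email: it compares the From and Return-Path domains, flags a sender domain that is within two edits of a trusted domain, looks for generic greetings and urgency language, and checks whether a link’s visible text matches where it really points. The sample message and the trusted-domain list are constructed assumptions.

```python
import re
from email import message_from_bytes, policy, utils
from urllib.parse import urlparse

# Constructed sample message (not a real email) carrying several of the tells described above.
RAW_EMAIL = b"""Return-Path: <billing@mail-relay.example.net>
From: "Example Bank" <support@examp1e-bank.com>
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Dear customer,</p>
<p>Please <a href="https://login.examp1e-bank.com/verify">https://www.example-bank.com</a> to avoid suspension.</p>
"""
TRUSTED_DOMAINS = {"example-bank.com"}  # assumption: domains you legitimately receive mail from

def addr_domain(field):
    # Lowercase domain of an address header such as From or Return-Path ('' if none).
    _, addr = utils.parseaddr(str(field or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    # Levenshtein distance: a trusted domain one or two edits away is a look-alike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_indicators(raw, trusted=TRUSTED_DOMAINS):
    # Returns human-readable warnings for raw RFC 5322 message bytes.
    msg = message_from_bytes(raw, policy=policy.default)
    warnings = []
    from_dom, rp_dom = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        warnings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    for good in trusted:
        if from_dom != good and 0 < edit_distance(from_dom, good) <= 2:
            warnings.append(f"sender domain {from_dom} looks like trusted {good}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    if re.search(r"\bdear (customer|user|account holder)\b|\burgent\b|within \d+ hours|suspen", str(msg["Subject"]) + body, re.I):
        warnings.append("generic greeting or urgency/threat language")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        real, shown = urlparse(href), urlparse(text.strip()).hostname if "://" in text else None
        if real.scheme != "https":
            warnings.append(f"link to {real.hostname} is not HTTPS")
        if shown and shown != real.hostname:
            warnings.append(f"link text shows {shown} but points to {real.hostname}")
    return warnings
```

An empty result is not proof that a message is safe; the script only automates the manual checks above, and the trusted-domain list has to be maintained by the reader.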
Showing urgency and offers
Phishing emails often convey unnecessary urgency, emotion and offers. Do not be fooled by emails that appear to come from colleagues or employees asking for an urgent reply. Likewise, anyone offering you a 50% discount or free coupons in return for registering on a website, visiting a link or sharing codes with your friends could be running a scam.
Moreover, attackers often take advantage of FOMO (fear of missing out) to manipulate people for their own gain. In such cases, spot the phishing scam by refusing to be trapped by a limited-time offer, a demand for an immediate response within 24-48 hours, or threats of fines or penalties.
What to do if you have responded to a phishing email?
If you accidentally fell for a phishing email, responded to it or shared any of your company or bank account details, take the following steps as soon as possible:
- If you have shared your account credentials, change the password on that account and on every other account that uses the same password.
- Contact your service provider to recover your account if the attacker has taken it over before you noticed. If you cannot recover the account, create a new one and notify everyone concerned so that they do not fall for phishing attempts sent in your name.
- Inform your company’s IT and other relevant departments if you have shared your company account or IT details.
- Run an antivirus scan and clean up the system if you have opened a suspicious link or downloaded a malicious file.
- Freeze your account and check your account statement if you have shared your bank details.
- Contact your bank and report the fraud to the cybercrime unit if the criminals have already transferred funds from your account.
How to report phishing?
Whether you have fallen for a phishing attack or merely suspect one, always report the phishing email to the relevant authority; this way you, along with others, contribute to the fight against the scam. The information you provide helps the authorities and cybercrime units hunt scammers and protect others from being affected.
You can forward suspicious and malicious emails to the following anti-phishing and cybercrime reporting groups in the UK:
- National Crime Agency (NCA)
- National Cyber Security Centre (NCSC)
- Crown Prosecution Service (CPS)
- South East Regional Cyber Crime Unit
Remember, it is essential to save all communication and received emails, as they can be used as evidence and help the crime unit track down the criminals and support your claim for losses.
If something suspicious appears as an advert, you should report it to
How to report phishing emails purporting to be from Gov.UK, HMRC, DVLA or other UK government departments?
If you have received an email that you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS):
How to report phishing email to Apple?
If you received a phishing email appearing to be from Apple, you can report it to Apple at this address:
Forward the entire message with its header information; the best way to do this is to use the ‘forward as attachment’ option in your email program. More information is available here:
How to report phishing email to Amazon?
To report suspicious emails purporting to be from Amazon, forward the email message to:
More information on Amazon phishing attacks is here:
How to report phishing emails to PayPal?
You can report PayPal phishing messages by forwarding the message as an attachment to:
A quick Google search for ‘PayPal phishing email examples’ shows how many phishing attempts PayPal users face. More information on PayPal phishing messages is available here:
How to report phishing emails to TV licensing?
Report TV Licence phishing emails in the UK to
If you have already entered your personal details on a scam website, report it to Action Fraud or call 0300 123 2040. If you submitted card or bank account details, talk to your bank immediately.
TV Licensing also has a handy guide on how to spot, report and avoid phishing scams related to TV licensing.
How to report phishing email to Outlook?
Any email received in Outlook.com can be reported from within the Outlook reading pane: select Junk – Phishing – Report to report the message.
If you use Outlook as part of an organisation’s subscription, your company may have specific provisions in place. In Outlook on the web / Exchange Online, you can report phishing with the following steps:
1. Select the message, click the ‘Junk’ drop-down, then select the second option, ‘Phishing’.
2. A dialog box appears with the title ‘Report as junk’ – click Report.
3. The selected message you just reported is sent to Microsoft for analysis. You can confirm this by checking the ‘sent items’ folder.
How to report phishing email to Microsoft?
Technical support scams are the most common scams related to Microsoft. To report a technical support scam, you need the following information to hand:
- Fraudulent company name
- Representative name
- Phone number
You should also submit some information about yourself to support the investigation. Microsoft has a dedicated page for reporting such scams:
How to protect yourself and become a harder phishing target
You cannot stop threat actors from spamming, but you can always improve your security and protect yourself from falling for phishing attacks. Here are some security tips to protect yourself and stay off phishing target lists.
- Do not share unnecessary or private information such as email addresses, phone numbers, credit card numbers, etc.
- Make sure you have the right privacy setting in place on all of your social media accounts.
- Enforce multi-factor authentication on your accounts.
- Limit your digital and social footprints.
- Do not enter your personal information on pop-up screens or publicly accessible websites.
- Do not share your personal information, account credentials, and important data with anyone (including family, friends, etc.) without verification.
- When shopping online, make sure you do not enter data or credentials that could help anyone track you.
- Install and use anti-spam filters on your email and web browser.
- Use separate (dummy) email addresses for registering on public forums.
- Focus on security awareness training and spoofing risks.
Get in touch to discuss your security concerns around phishing, processes or technological controls or how to protect your business against phishing attacks.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.