Essential guidance: Combat Phishing
What is Phishing?
Read our essential awareness guide to work more securely and combat the threat of phishing in all its forms.
Phishing is any deception designed to trick you into communicating sensitive information or personal data. Messages come in different forms (email is most common), and will look authentic and legitimate.
Communications may appear to come from an official or ‘known’ entity – a bank, HMRC, the University or a high-profile individual. But once you have opened a fraudulent email, it will normally ask you to take action – to click on a link or open an attachment.
By using malicious links or infected attachments, cybercriminals are often able to obtain key personal information - passwords, personal data, bank or passport information or access to a computer network.
How to defend against phishing attacks
- Phishers use publicly-available information about you to target their messages - so review your privacy settings and think about what you disclose in online posts.
- Understand the techniques phishers use (see 'social engineering' below). These can include calls of urgency or authority to exert a pressure to act.
- Phishers often try to exploit circumstances of change or uncertainty (such as the Covid situation) to trick people into action - so knowing and understanding the University's policies and processes will help you to spot unusual activity.
- It can happen to anyone - when you are busy, anyone can make a mistake and click on a phishing email.
- If you do, report it immediately – contact the IT helpdesk – it's not your fault and swift action can reduce the potential for harm.
Who is behind cyber attacks?
Online criminals – good at identifying what can be monetised, for example stealing and selling sensitive data, or holding systems and information to ransom.
Hackers – individuals with varying degrees of expertise, often acting in an untargeted way – perhaps to test their skills or cause disruption for the sake of it.
Political activists – proving a point for political or ideological reasons, to expose or discredit individuals or organisations.
Foreign governments – can be interested in accessing highly sensitive or valuable information that may give them a strategic or political advantage.
Disaffected insiders – can use their access to data and systems to cause disruption or steal information to share with competitors.
Honest mistakes – any staff member, with the best intentions, can sometimes just make a mistake; in a hurry, they might click on a link or send something sensitive to the wrong email address. If you do, report it immediately – it's not your fault and swift action can reduce the potential for harm. Contact the IT helpdesk.
Remember our ten security measures to stay cyber-safe online.
What is Social Engineering?
Social engineering is about manipulating individuals so that they disclose confidential information. The types of information sought by criminals and hackers vary, but targeted individuals are often tricked into sharing passwords, personal data or bank information, or into giving access to their computer via the installation of malicious software.
Criminals use social engineering tactics because it is often easier to trick someone into disclosing their password than it is to hack their password (unless the password is weak - see how to create strong passwords).
The following guidance outlines some typical social engineering techniques used by hackers and cyber-criminals.
Examples of Social Engineering
Technique | Description
Contact from a friend | Once one email account is compromised, messages are sent to all its contacts: so if a friend's email account is accessed, you may receive phishing messages, apparently from them, encouraging you to click a link or download an attachment.
Contact from a trusted source | Messages appear to be from a trusted source - a bank, tech or utility company or your employer. They aim to steal sign-in credentials or other sensitive data, or to inject malicious software. It is common for fraudsters to mimic University staff.
Answering unasked questions | Relying on trusted authority, criminals pose as agents of well-known organisations such as Microsoft, offering to take control of your machine to remove a virus.
Creating distrust | By gaining access to email and social media accounts, hackers spread lies and incriminating information through false messages and doctored images. Their goal is usually extortion or reputational damage.
Trust and authority | Communications will appear to come from legitimate sources or people you know.
Urgency | You are presented with messages and scenarios that require immediate action, to make you panic and not stop to think or check the source of the request.
Generosity | You receive requests for charitable donations in response to a distressing story.
Verification | A faked sign-in screen or a request to verify your account information is often used to harvest sign-in credentials and other personal data.
Temptation | You are notified that you've won a valuable prize, tempting you to take the risk and disclose personal information to claim it.
Types of phishing attacks
If in doubt, always check. Contact the IT helpdesk immediately if you feel you are being targeted in any way.
Use the guidance below to understand the range of activities and techniques used and how to combat them.
Name | Method | Defence
Phishing | Typically involves sending emails to multiple recipients, usually to get victims to click links and reply with information. | Don't reply or click on links if you are unsure.
Spear-phishing | Targeted at you specifically, using information available about you to sound convincing and to request data or money. | If they claim to be a person you know, contact that person by other means to verify the request.
Whaling | Spear-phishing aimed at key senior targets. Greater effort over time may be invested for the greater potential 'reward'. | If you are a senior (or high-grade) employee, be aware that you may be subject to targeted and sophisticated approaches of this kind.
Shared document phishing | Fake messages claiming that a document has been shared with you. | Do not click unsolicited links or download files you are not expecting to receive.
Vishing | Vishing is short for 'voice phishing'. It involves targeted phone calls to individuals to elicit confidential information. | Be suspicious of unknown numbers and unsolicited calls. Do not disclose sensitive data or install software on your device in this context. If callers claim to be legitimate, find official contact details and call back to verify.
SMShing/Smishing | Both terms refer to phishing attempts sent via text message. The same principles as for other phishing attacks apply. | Check numbers online for verification, origin and legitimacy. Never click suspicious links or reply to texts you suspect are smishing attempts.
Quishing | A form of phishing that uses QR codes: scanning the code takes you to a malicious website. | Never scan a QR code from an unfamiliar source.
Social media phishing | Fake social media profiles are created to look real, exploit existing profiles and use publicly available information to trick you. | Be wary of unsolicited messages. Do not click links that look suspicious or come from strangers.
How to avoid getting caught out
1. Read emails carefully before acting – phishing emails may include a generic greeting (e.g. ‘Dear sir’), an overly-friendly tone, grammatical errors or an urgent request. Take a moment to consider the contents of the email before doing what it asks.
2. Exercise caution when opening links and attachments – hover over any links to make sure they're legitimate. If you're unsure, contact the IT helpdesk.
3. Never reply to an email asking for your passwords, PINs or other account details. Ever.
The University will never email or phone you to ask for your account details. Likewise, any email asking for bank details will be fraudulent, without exception.
4. Verify the source – check the sender’s email address when you receive an email and when you reply. Malicious scammers might be able to spoof the ‘From’ address in an email to make it look like it comes from someone you know, but when you reply the address may change. If in doubt, type in the email address manually.
5. Report it – report anything suspicious to the IT helpdesk including attachments or links you’ve clicked on.
6. Turn on two-step authentication – this will ensure that only you can access your Warwick account. Find out more about setting up two-step authentication.
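Steps 2 and 4 above can be applied mechanically before a message ever reaches a reader's inbox. The following checker is an added example, not part of the University's guidance or any Warwick tooling: it parses a raw email and flags two of the signs described above, a Reply-To address whose domain differs from the one shown in the From header, and a link whose visible text shows one web address while its actual target points at a different domain (the programmatic form of "hover over the link"). The two sample messages, the `.example` domains and all names in the code are constructed for this illustration.

```python
"""Added example: flag two phishing indicators in a raw email message.
The sample messages and domains below are constructed, not real senders."""

import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a familiar-looking display name in From, but replies
# and the link target both go to a different domain.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@university.example>
Reply-To: helpdesk-support@account-verify.example
To: staff.member@university.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Dear sir,</p>
<p>Your mailbox is over quota. Please
<a href="https://university.example.account-verify.example/login">
https://university.example/login</a> to verify your account.</p>
"""

# Constructed sample with no Reply-To and an ordinary, non-URL link text.
CLEAN_EMAIL = """\
From: colleague@university.example
To: staff.member@university.example
Subject: Minutes from today's meeting
Content-Type: text/html; charset=utf-8

<p>Minutes are on the <a href="https://intranet.university.example/minutes">intranet</a>.</p>
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    _name, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def registrable_domain(host: str) -> str:
    """Simplification: the last two labels stand in for the organisation's
    domain. A production checker would use the public suffix list, since
    'co.uk'-style suffixes need three labels."""
    return ".".join(host.lower().split(".")[-2:])


def reply_to_mismatch(msg: EmailMessage):
    """Return (from_domain, reply_to_domain) when a reply would leave the
    domain shown in From; None when they agree or no Reply-To is set."""
    reply_to = msg.get("Reply-To")
    if not reply_to:
        return None
    from_domain, reply_domain = domain_of(msg.get("From", "")), domain_of(reply_to)
    return (from_domain, reply_domain) if from_domain != reply_domain else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html_body: str):
    """Return (visible_text, href) pairs where the text looks like a URL on
    one domain but the href leads to another. Plain-word link texts such as
    'intranet' carry no claimed domain and are not flagged."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown = urlparse(text if "://" in text else "")
        target = urlparse(href)
        if not shown.hostname or not target.hostname:
            continue
        if registrable_domain(shown.hostname) != registrable_domain(target.hostname):
            findings.append((text, href))
    return findings


def check_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and run both checks on it."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    return {"reply_to_mismatch": reply_to_mismatch(msg),
            "deceptive_links": deceptive_links(body)}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, check_message(raw))
```

Both checks are heuristics for triage, not proof of fraud: a legitimate mailing service may set Reply-To to its own domain, and a genuine newsletter may route links through a tracking host. The value is in surfacing the mismatch so the reader stops and verifies by another channel, exactly as step 4 advises.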
Security & Information Management is Everyone's Responsibility
How to get help
Who needs to know this?
This information concerns us all. If you use a Warwick staff card, a Warwick email address, access one of our staff or student record systems or share your Warwick work with colleagues within or beyond the University, you are involved in activities that must be kept secure.