
Working Securely: How to combat phishing

What is phishing?

Read our essential awareness guide to work more securely and combat the threat of phishing in all its forms.

Phishing is any deception designed to trick you into communicating sensitive information or personal data. Messages come in different forms (email is most common), and will look authentic and legitimate.

Communications may appear to come from an official or ‘known’ entity – a bank, HMRC, the University or a high-profile individual. But once you have opened a fraudulent email, it will normally ask you to take action – to click on a link or open an attachment.

By using malicious links or infected attachments, cybercriminals are often able to obtain key personal information - passwords, personal data, bank or passport information or access to a computer network.

How to defend against phishing attacks

  • Cyber criminals use publicly available information about you (often culled from social media posts) to target their messages - so review your privacy settings and think about what you disclose in online posts.
  • Understand the techniques and methods phishers use (see 'types of phishing attacks' below). These can include calls of urgency or authority or faked identities to exert a pressure to act.
  • Cyber criminals often try to exploit circumstances of change or uncertainty (such as the Covid-19 situation) to trick people into action - so knowing and understanding the University's policies and processes will help you to spot unusual activity.
  • It can happen to anyone - when you are busy, anyone can make a mistake and click on a phishing email.
  • If you do, report it immediately – contact the IT helpdesk – it's not your fault and swift action can reduce the potential for harm.

What is Social Engineering?

Social engineering is about manipulating individuals, so they disclose confidential information. The types of information sought by criminals and hackers may vary, but targeted individuals are often tricked into sharing passwords, personal data or bank information or access to their computer via the installation of malicious software. For more information see our longer guidance page here.

Criminals use social engineering tactics because it is often easier to trick someone into disclosing their password than it is to hack their password (unless the password is weak - see how to create strong passwords).

Types of phishing attacks

If you are in doubt about any unexpected or unsolicited online communication, always check. Contact the IT helpdesk immediately if you feel you are being targeted in any way.

Use the guidance below to understand the range of activities and techniques used and how to combat them.

| Name | Method | Defence |
| --- | --- | --- |
| Phishing | Typically involves sending emails to multiple recipients to try and get recipients to click on links or reply with information. | Don’t reply or click on links if you are unsure. Check company details on official websites. Protect your devices with anti-virus software and apply strong spam filters. |
| Spear-phishing | Targeted at you specifically, using information available about you to sound convincing and to request data or money. | If they claim to be a person you know, contact that person by other means to verify the request. |
| Whaling | Spear-phishing aimed at key senior targets. Greater effort may be exerted for the greater potential 'reward'. | If you are a senior (or high grade) employee, be aware you may be subject to targeted and sophisticated approaches. |
| Shared Document phishing | Fake messages claiming that a document has been shared with you. | Do not click unsolicited links or download files you are not expecting to receive. |
| Vishing | Vishing is short for ‘voice-phishing’. It involves targeted phone calls to individuals to elicit confidential information. | Be suspicious of unknown numbers and unsolicited calls. Do not disclose sensitive data or install software on your device in this context. If callers claim to be legitimate, find official contact details and call them back to verify any request. |
| SMShing/Smishing | SMShing or smishing both refer to phishing attempts sent via text message. The same principles for other phishing attacks apply. | Check numbers online for verification, origin and legitimacy. Never click suspicious links or reply to texts you suspect are SMShing attempts. |
| Social Media Phishing | Fake social media profiles are created to look real, exploit existing profiles and use publicly available information to trick you. | Be wary of unsolicited messages. Do not click links that look suspicious or come from strangers. |

How to avoid getting caught out

1. Read emails carefully before acting – phishing emails may include a generic greeting (e.g. ‘Dear friend’), an overly-friendly tone, grammatical errors or an urgent request. Take a moment to consider the contents of the email before responding. If it feels wrong, use other means to verify any request for information.

2. Exercise caution when opening links and attachments – hover over any links to check the URL is legitimate. If you’re unsure, contact the IT helpdesk.

3. Never reply to an email asking for your passwords, PINs or other account details. Ever.
The University will never email or phone you to ask for your account details. Likewise, any email asking for bank details will be fraudulent, without exception.

4. Verify the source – check the sender’s email address when you receive an email and when you reply. Malicious scammers might be able to spoof the ‘From’ address in an email to make it look like it comes from someone you know, but when you reply the address may change. If in doubt, type in the email address manually.

5. Report it – report anything suspicious to the IT helpdesk including attachments or links you’ve clicked on.

6. Turn on two-step authentication – this will ensure that only you can access your Warwick account. Find out more about setting up two-step authentication.
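The two checks in steps 2 and 4 (does the link really go where its text says, and does the address change when you reply?) can be automated. The script below is an added illustration, not part of the University's guidance or tooling; the message it inspects is constructed for the example and uses the reserved `.example` domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the page); the .example TLD is reserved for documentation.
SAMPLE = """\
From: "IT Helpdesk" <helpdesk@uni.example>
Reply-To: helpdesk@uni-account-verify.example
To: staff@uni.example
Subject: Action required: confirm your account
Content-Type: text/html

<p>Your mailbox is full. Sign in within 24 hours to avoid suspension.</p>
<p><a href="http://uni-account-verify.example/login">https://uni.example/login</a></p>
<p><a href="https://uni.example/it-helpdesk">IT helpdesk</a></p>
"""

ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def address_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def reply_to_mismatch(msg):
    """Step 4: a Reply-To whose domain differs from From is what 'the address may change' looks like."""
    sender, reply = address_domain(msg["From"]), address_domain(msg["Reply-To"])
    return (sender, reply) if reply and reply != sender else None

def shown_host(text):
    """Host a reader would infer from the link text, or None when the text is not a URL/domain."""
    text = re.sub(r"<[^>]+>", "", text).strip()
    host = urlparse(text if "://" in text else "//" + text).netloc.lower()
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None

def link_mismatches(html):
    """Step 2: links whose visible URL names a different host than the real href target."""
    found = []
    for href, text in ANCHOR.findall(html):
        shown, real = shown_host(text), urlparse(href).netloc.lower()
        if shown and shown != real:
            found.append((shown, real))
    return found

def analyse(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    return {"reply_to": reply_to_mismatch(msg), "links": link_mismatches(msg.get_payload())}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, "->", value)
```

Plain-text links such as "IT helpdesk" are not flagged, because the reader sees no URL to compare; the check targets the case where the displayed address itself is the lie.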

Security & Information Management is Everyone's Responsibility