Phishing scams and how to avoid them

An expert's guide to phishing: what it looks like, and how to avoid falling for it.

by Drew Aspland, 2nd March 2022

What is phishing?

Phishing scams came to prominence before the turn of the millennium, and haven’t abated since. Everybody with an email account will have received a dodgy-looking email at some point; for some, it may be a daily occurrence. Suspicious attachments, poor grammar and bad spelling, all sent from an unfamiliar email address: quite often they stand out a mile. But these dodgy emails, or phishing emails, are evolving and becoming increasingly sophisticated.

Phishing is an attempt to steal sensitive data from a target: personally identifiable information, bank or credit card details, or passwords. The target is tricked into handing the data over, usually via email, SMS (text message) or a telephone call.

Ultimately, the user will generally end up at a data-harvesting website – often disguised as a legitimate or familiar online brand – where they will enter their personal details willingly. This stolen data can then be used to access personal accounts and can often result in financial loss or potential identity theft for the target.

With a huge uptick of people working remotely over the last couple of years, there has been an explosion in the numbers of phishing attacks. Cybercriminals have taken advantage of home-workers, away from their more secure office networks and with their guard down.

But with a few simple habits, it’s actually quite easy to keep personally and professionally sensitive data secure.

How to spot a phishing attempt

The primary channel for phishing attempts has always been email, but cybercriminals have been branching out for a while. The COVID pandemic and the subsequent rollout of vaccine notifications became a grim opportunity for phishers to send SMS texts disguised as messages from the NHS. Facebook, Instagram and other social media platforms can be full of dodgy links posted as comments, replies or direct messages from seemingly benign users. Brazenly, cybercriminals can also simply call your work or personal phone number and pretend to be somebody they’re not, lulling you into a false sense of security.

It’s important to have a healthy sense of scepticism in all of these situations, and to keep your guard up, especially if something doesn’t feel right.

Trust your instinct

Phishers look to take advantage of the trust you already place in familiar brands or organisations, and of the trust you have in family, friends and colleagues. If you receive an email from somebody you know, but it doesn’t seem right, then it’s entirely possible that their account has been compromised, and cybercriminals are sending messages from their account, hoping to ensnare people in their email address book.

If the message seems out of character, or if they have an urgent request – especially financial ones! – then contact them via another communication channel to verify. You can’t beat picking up the phone and calling them directly to make sure.

If you can’t speak to them directly, then it might also pay to contact their organisation to speak to their IT department. They can take action to secure an account that they might not even know has been compromised.

What does a phishing email look like?

Checking the sender’s email address may sound basic but it’s often a dead giveaway. It’s not uncommon for a phisher to attempt to impersonate another email address to confuse you. The important bit to look for is the domain – that means everything after the @ symbol.

You may be expecting an email from sarah@planits.co.uk but may have received one from sarah@plan1ts.co.uk. Here the phisher is impersonating the planits.co.uk domain by replacing the i with a 1.

Another way of disguising the sender is with subdomains, such as sarah@planits.dodgy.com. Here the domain is actually dodgy.com, but the planits subdomain could make it look like the email is coming from Plan IT Support, when in fact it is not.
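As an added example (not code from the original article), here is a small Python checker that applies the sender-address rules above: it extracts the registered domain after the @, compares it with the domain you expect, and flags both the lookalike (plan1ts.co.uk) and subdomain (planits.dodgy.com) tricks. The small public-suffix table and the lookalike-character map are assumptions made for this example; real tooling would load the full Public Suffix List.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption for this example;
# real tooling would load the full list so that e.g. 'co.uk' is recognised).
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}

# Collapse characters that look alike in a domain name into one canonical form:
# '1', 'l' and 'i' become 'l'; '0' becomes 'o'; 'rn' (looks like 'm') becomes 'm'.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o"})


def registrable_domain(host: str) -> str:
    """Return the part of a hostname somebody actually registered, so
    'planits.dodgy.com' -> 'dodgy.com' and 'mail.planits.co.uk' -> 'planits.co.uk'."""
    labels = host.lower().strip(".").split(".")
    keep = 1
    for n in range(1, len(labels)):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            keep = n + 1            # suffix plus the label registered in front of it
    return ".".join(labels[-keep:])


def normalize(name: str) -> str:
    """Make lookalike spellings compare equal: 'plan1ts' == 'planits'."""
    return name.lower().replace("rn", "m").translate(CONFUSABLES)


def classify_sender(address: str, expected_domain: str) -> str:
    """Compare a From: address with the domain the reader expects.
    Returns 'match', 'lookalike', 'subdomain_trick' or 'unrelated'."""
    _, addr = parseaddr(address)                 # accepts 'Sarah <sarah@...>'
    if "@" not in addr:
        return "unrelated"
    host = addr.rsplit("@", 1)[1].lower().strip(".")
    expected = expected_domain.lower()
    actual = registrable_domain(host)
    if actual == expected:
        return "match"                           # same registered domain
    if normalize(actual) == normalize(expected):
        return "lookalike"                       # e.g. plan1ts.co.uk
    # The brand name only appears as a subdomain of someone else's domain.
    prefix = host.split(".")[:-len(actual.split("."))]
    if normalize(expected.split(".")[0]) in [normalize(p) for p in prefix]:
        return "subdomain_trick"                 # e.g. sarah@planits.dodgy.com
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders, all checked against the domain we expect.
    for sender in ("sarah@planits.co.uk", "Sarah <sarah@plan1ts.co.uk>",
                   "sarah@planits.dodgy.com", "bob@example.org"):
        print(f"{sender:35} -> {classify_sender(sender, 'planits.co.uk')}")
```

A genuine subdomain of the expected domain (such as mail.planits.co.uk) still counts as a match, because the registered domain is what matters.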

Don’t rest on your laurels with Multi-Factor Authentication

Two-factor or multi-factor authentication is a fantastic way of adding extra layers to your account security. It requires you to enter a password, but also to authenticate via an app on your phone, a text message, a phone call or a physical token, or a combination of these.

However, it can be very easy to fall into a habit of indiscriminately allowing or accepting MFA notifications. Ask yourself – did I trigger this authentication? Did I log into my email or another service just now? Why am I being asked to authenticate a login?

If you did not trigger it, then it’s possible someone or something else is attempting to compromise your account.

Use a password manager!

If you use a password manager to generate and store passwords for all of your online accounts, then chances are you don’t even know your passwords – you let the password manager sort all of that out for you. When you visit a website it knows, your password manager will offer to autofill your account details.

But password managers can also flag phishing attempts. If you follow what looks like an authentic link to a convincing but fraudulent website, and your password manager does not autofill, then that’s a good sign that the URL in the link does not match the site you saved, and the website is not what it seems.

Err on the side of caution

There is no perfect phishing attempt, and all phishing attacks can be avoided with vigilance and an absence of haste. Don’t be so quick to hand your data over! Stop and think before you follow a link, and especially before you enter any information into a website that could be used to compromise you. Ten seconds spent checking something out could save you untold costs.