Phishing

Last revised by LocalRoot - 22 Jun 2026, 16:25

Phishing is a form of social engineering in which criminals use emails, text messages, phone calls, social media messages, adverts or websites to trick people into revealing information, opening malicious files, sending money, or visiting fraudulent websites.

The National Cyber Security Centre describes phishing as scam emails, text messages or phone calls used to trick victims. The aim is often to send the victim to a website that steals bank details or other personal information, or downloads malicious software.

Common Channels

Phishing can arrive through:

  • email;
  • text message;
  • phone call;
  • messaging apps;
  • social media;
  • fake adverts;
  • QR codes;
  • fake login pages;
  • compromised websites.

Text-message phishing is often called smishing. Voice-call phishing is often called vishing.

Impersonation

Phishing usually depends on impersonation. Criminals may pretend to be a bank, courier, government department, police force, employer, cloud service, streaming provider, parcel company, dating platform or cryptocurrency exchange.

The message often creates urgency. It may claim that an account will be closed, a parcel is waiting, a payment has failed, tax is due, a refund is available, or suspicious activity has been detected.

A phishing link may lead to a fake login page, payment page, malware download or form asking for personal details. Attachments may contain malicious documents, scripts or links to further pages.

The visible link text may not match the real destination. Criminals also use lookalike domain names, shortened links, compromised legitimate sites and spoofed sender names.

Reporting in the UK

Suspicious emails can be forwarded to the National Cyber Security Centre's Suspicious Email Reporting Service at report@phishing.gov.uk. Suspicious text messages can usually be forwarded to 7726, the free spam-reporting service used by mobile providers.

If money has been lost, account access has been stolen, or a person has been hacked, GOV.UK directs people in England and Wales to Report Fraud. In Scotland, reports should be made to Police Scotland.

Practical Examples

Fake Bank Login

An email claims that a bank account will be suspended unless the user logs in. The link opens a copied bank page controlled by criminals.

Parcel Fee Scam

A text message says a parcel is waiting and asks for a small delivery fee. The payment page collects card details.

Business Invoice Attack

An attacker sends an email pretending to be a supplier and changes bank details on an invoice. This overlaps with business email compromise.

Prevention

Useful habits include checking the sender and domain carefully, avoiding links in unexpected messages, using bookmarks or typed addresses for important services, enabling multi-factor authentication, keeping software updated, and reporting suspicious messages.
