There have been many warnings about criminal scams over the last 12 months. These include alerts from the government and financial experts about attempts to exploit the cost of living payments system and the energy bills support scheme, as well as a warning from British Gas about a ‘refund’ message.
Fraudsters can try to steal your money in several different ways, including via text message (known as ‘smishing’) and via email (‘phishing’), which is currently the most common method. There is an even more targeted form of the latter known as ‘spear phishing’.
While modern-day email junk folders provide a decent layer of protection against these forms of attack, criminals have found increasingly inventive ways to try to secure their ill-gotten gains.
So, how can you guard against phishing - and how do these scams work? Here’s everything you need to know.
What is phishing?
Phishing is a type of scam that involves emails, text messages (smishing), social media messages and/or phone calls. Criminals use this type of scam to try to trick people into giving them money or sensitive personal details, like passwords.
This type of scam works in several different ways, but the main method involves sending links or attachments via email. If clicked on, these links or attachments download malware (malicious software that allows criminals to take control of your device).
Another form of phishing is a message that persuades you to send over sensitive information, such as passwords, card details or intellectual property. These messages may be written in a formal style, or may come from someone posing as a well-known company.
Typically, a phishing scam will come in the form of an email. This email is likely to be from someone you have never heard of who has never emailed you before.
The message may create a sense of urgency - asking you to act quickly to, for example, protect your bank account from being hacked - or it might promote scarcity, for example, urging you to buy tickets to a concert that has sold out. The idea is that the criminals get you to act quickly without thinking.
Usually, the scammers behind these messages will have sent them to a vast number of people. So, the message is likely to be generic.
Popular subjects for phishing attacks at present include: bitcoin and other cryptocurrencies; UK cost of living payments; and supermarket savings.
What is spear phishing?
Spear phishing is a more sophisticated version of the phishing scam. It tends to be much more targeted, better designed, and therefore much more dangerous.
Fraudsters may research you, your company or your personal life so that they can tailor the message to you. For example, you might get a message that appears to be from your boss, using your name and asking you to remind them of the password for a particular work system. Or the message could appear to come from a friend who wants to borrow money.
The idea is the same as general phishing - to get the person to click on the link or send over the vital details without giving it any thought.
How can you protect yourself from phishing?
There is no real way to stop phishing emails or messages from appearing (although junk inboxes on email and social media servers have become better at filtering out the messages). So, you should familiarise yourself with what these messages look like to avoid being phished.
According to Microsoft, the tell-tale signs of a phishing attack include:
- First-time or infrequent senders: these messages could be from someone you have never heard of, or someone who has never emailed you before. Microsoft recommends taking time to think carefully about the message before clicking anything or replying to it. The government says scammers may also play on your emotions, offer a deal for something scarce or expensive, or try to pretend to be someone authoritative, like a bank manager or someone from a government department.
- Poor spelling and bad grammar: phishing messages tend to have bizarre turns of phrase or obvious spelling mistakes. While this is sometimes because the attackers are not good at spelling or are translating the message across from a different language, it’s usually part of a deliberate attempt to evade spam filters whose job is to block these attacks.
- Generic greetings: often, phishing scams will not refer to you by name and will open with a very formal greeting usually reserved for letter writing. For example, a typical opening may read: ‘dear sir/madam’.
- Strange email domains: if you click on the contact details of the supposed sender of what you think could be a phishing email, the email address is usually a major giveaway. It will often bear no relation to the company the scammer claims to be contacting you from, or it may be made up of lots of random letters and numbers.
- Odd attachments or links: if the message is already suspicious, you should never click on any of the links or attachments included with it.
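The signs in the list above can be checked mechanically on a saved message. The following Python script is an added example, not code from this article, from Microsoft or from the NCSC. It parses a constructed sample email with the standard library and flags a first-time sender, a display name whose brand does not appear in the sending domain, a generic greeting, links whose visible text points at a different host than the real target (or at a bare IP address), and attachments of file types that can run code. The known-contact list, the word lists, the file-type list and both sample messages are assumptions made for the example.

```python
"""Heuristic checks for the phishing tell-tale signs listed in the article.
Added example with constructed sample messages; not a production mail filter."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed word lists and file types for the example; tune for real use.
GENERIC_GREETING = re.compile(r"\bdear\s+(sir|madam|customer|user|valued\s+\w+)\b", re.I)
GENERIC_WORDS = {"security", "support", "team", "service", "alerts", "online", "customer"}
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".html")
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and all visible text from a body."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL (scheme optional), or None."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


def check_message(raw, known_contacts):
    """Return (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # 1. First-time or infrequent sender.
    if addr not in {c.lower() for c in known_contacts}:
        findings.append(("first-time-sender", addr))
    # 2. Display name names a brand that the sending domain does not carry.
    brand = [w for w in re.findall(r"[a-z]{4,}", display.lower()) if w not in GENERIC_WORDS]
    if brand and not any(w in sender_domain for w in brand):
        findings.append(("brand-domain-mismatch", f"{display!r} from {sender_domain}"))
    # 3. Generic greeting and 4. deceptive links, taken from the body text.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    greeting = GENERIC_GREETING.search(" ".join(parser.text))
    if greeting:
        findings.append(("generic-greeting", greeting.group(0)))
    for href, visible in parser.links:
        real = host_of(href)
        if real and IP_HOST.match(real):
            findings.append(("ip-address-link", href))
        if real and URL_TEXT.match(visible) and host_of(visible) != real:
            findings.append(("link-text-mismatch", f"{visible} -> {href}"))
    # 5. Attachments of a kind that can run code when opened.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(("risky-attachment", name))
    return findings


# Constructed sample: a "bank" alert from an unrelated domain with a disguised link.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@mail-secure-login123.invalid>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Sir/Madam,</p>
<p>Your account will be locked in 24 hours. Please visit
<a href="http://198.51.100.7/login">https://www.examplebank.invalid/login</a>
to verify your details.</p></body></html>
"""

# Constructed sample: a plain message from a known sender whose domain matches.
LEGIT_EML = """\
From: "Example Bank" <alerts@examplebank.invalid>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/plain; charset=utf-8

Hello Alex, your statement is ready at https://www.examplebank.invalid/statements
"""

if __name__ == "__main__":
    for code, detail in check_message(SAMPLE_EML, {"friend@example.org"}):
        print(f"{code:22s} {detail}")
    print("legit findings:", check_message(LEGIT_EML, {"alerts@examplebank.invalid"}))
```

Each finding is a hint, not a verdict: a legitimate newsletter from a new sender will trip the first check, so the script is best read as a checklist that points at the headers and links worth a second look before anything is clicked.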
If you are convinced that the message you have received is a phishing scam, it’s worth forwarding it to the government scam email address (see below) before reporting it as junk and then deleting it.
If it appears to have been sent by someone you know, contact them via another means of communication to check that it was really them. Remember that your bank will never ask you for personal information over email or via text.
What can you do if you have been scammed?
If you accidentally click on a phishing link or attachment, or you have shared any sensitive information with a fraudster, you have to act quickly to avoid being hacked or having your money stolen.
If you have shared financial information, you must contact your bank immediately to report it. It may be able to stop the scammer before they can access your accounts.
If you have clicked on a link that may have installed malware on your device, open your antivirus software immediately and run a scan. If it finds a problem, let it clean it up straight away.
It is also a good idea to change your passwords on any accounts you think may be affected by the phishing attack. Turning on two-step verification (where you have to confirm your identity via another source before you are allowed to log into an account) can also help.
If the phishing attack has happened at your place of work, you should contact your company’s IT department immediately. They may also be able to tell you if a seemingly suspicious message is a scam or not.
Sometimes you may not be able to act quickly enough to stop scammers from taking your money. If this happens to you, gather as much information about the attack as possible, as this will help the police with their investigations.
Your bank might give you money to make up for your loss, but they do not have to compensate you if they find you have been ‘grossly negligent’ with your sensitive personal information.
The UK Financial Ombudsman Service may be able to help you if your bank refuses to reimburse you.
The National Cyber Security Centre (NCSC) - part of GCHQ - has urged people to forward any suspicious emails to [email protected] to help it identify potential wide-scale attacks. It advises people to check official sources, such as government websites, for accurate information about government-related financial support or public events.