What is phishing? Meaning of email scam term, what is ‘spear phishing’, online malware attacks explained

The government’s National Cyber Security Centre - part of GCHQ - has said fraudsters are likely to try to exploit Queen’s death and related events like, the state funeral

Hundreds of thousands of people have either queued to see her lying in state, or have lined the procession routes her coffin has followed in Scotland and London.

While the national gaze has focused on the Royal Family over the past week, the government has warned cybercriminals are likely to attempt to use the Queen’s death as an opportunity to scam people out of money.

One of the main methods through which scammers attempt to steal cash is known as phishing. But how does phishing work - and what is spear phishing?

Here’s what you need to know.

Phishing scammers are targeting the Queen’s death (image: Adobe)

What is phishing?

Phishing is a type of scam that involves emails, text messages (smishing), social media messages and/or phone calls. Criminals use this type of scam to try to trick people into giving them money or sensitive personal details, like passwords.

This type of scam works in several different ways, but the main method involves sending links or attachments via email. If clicked on, these links will download malware (software that allows your device to be hacked).

Another form of phishing is a message that persuades you to send over sensitive information, including: passwords, card details or intellectual property. These messages may be written in a formal style, or may come from someone posing as a well-known company.

Phishing can be very easy to spot - but sometimes, the scams are well disguised (image: Adobe)

Typically, a phishing scam will come in the form of an email. This email is likely to be from someone you have never heard of who has never emailed you before.

The message may create a sense of urgency - asking you to act quickly to, for example, protect your bank account from being hacked - or it might promote scarcity, for example, urging you to buy tickets to a concert that has sold out. The idea is that the criminals get you to act quickly without thinking.

Usually, the scammers behind these messages will have sent them to a vast number of people. So, the message is likely to be generic.

Popular subjects for phishing attacks at present include: bitcoin and other cryptocurrencies; UK cost of living payments; and supermarket savings.

For most, the next Cost of Living Payment will arrive in autumn 2022 (Photo Illustration by Matt Cardy/Getty Images)

What is spear phishing?

Spear phishing is a more sophisticated version of the phishing scam. It tends to be much more targeted, better designed, and therefore much more dangerous.

Fraudsters may research you or your company or personal life so that they can tailor the message to you. So, for example, you might get a message from your boss using your name and asking you to remind them what password to use for a particular work system. Or the message could appear to come from a friend who wants to borrow money.

The idea is the same as general phishing - to get the person to click on the link or send over the vital details without giving it any thought.

What are Queen-related phishing scams?

The government has issued a warning about phishing emails that are specifically tailored to exploit the death of the Queen, as well as the events surrounding it.

The National Cyber Security Centre (NCSC) - part of GCHQ - said it has not seen much evidence of phishing relating to the Queen’s death taking place.

Thousands of people have paid their respects to the Queen as she lies in state at Westminster Hall (Photo: Getty Images)
  • about paying for a ticket to see the Queen lying in state
  • urging you to book a place in the queue to see the Queen

The NCSC has urged people to forward any suspicious emails to [email protected] to help them to identify potential wide scale attacks.

It has advised people to check official sources of information, such as the government websites relating to the Queen lying in state, to find out the correct information for what you need to do to visit.

How can you protect yourself from phishing?

There is no real way to stop phishing emails or messages from appearing (although junk inboxes on email and social media servers have become better at filtering out the messages). So, you should familiarise yourself with what these messages look like to avoid being phished.

According to Microsoft, the tell-tale signs of a phishing attack include:

  • First time or infrequent senders: these messages could be from someone you have never heard of, or someone who has never emailed you before. It recommends taking time to carefully think about the message before clicking anything or replying to it. The government says scammers may also play on your emotions, offer a deal for something scarce or expensive, or try to pretend to be someone authoritative, like a bank manager or someone from a government department.
  • Poor spelling and bad grammar: phishing messages tend to have bizarre turns of phrase or obvious spelling mistakes. While this is sometimes because the attackers are not good at spelling or are translating the message across from a different language, it’s usually part of a deliberate attempt to evade spam filters whose job is to block these attacks.
  • Generic greetings: often, phishing scams will not refer to you by name and will open with a very formal greeting usually reserved for letter writing. For example, a typical opening may read: ‘dear sir/madam’.
  • Strange email domains: if you click on the contact details of the supposed person who has sent you what you think could be a phishing email, the email address is usually a major giveaway. It will often bear no relation to the company the scammer might say they are contacting you from. Or the address may be made up of lots of random letters and numbers.
  • Odd attachments or links: if the message is already suspicious, you should never click on any of the links or attachments included with it.

If you are convinced that the message you have received is a phishing scam, it’s worth forwarding it to the government scam email address (see above) before reporting it as junk and then deleting it.

Should it have apparently been sent by someone you know, contact them via another means of communication to see if it was really them. If the message is from your bank, it will never ask you for personal information over email or via text.

Contact your bank straightaway if you think you have been scammed (image: Adobe)

What do you do if you have been scammed?

If you accidentally click on a phishing link or attachment, or you have shared any sensitive information with a fraudster, you have to act quickly to avoid being hacked or having your money stolen.

Say you have shared financial information, you must immediately contact your bank to report it. They may be able to stop the scammer before they can access your accounts.

Should you have clicked on a link that may have installed malware on your device, immediately open up your antivirus software and run a scan. If it finds a problem, let it clean it up immediately.

It is also an idea to change your passwords on any accounts you feel may be affected by the phishing attack. Getting two-step verification (where you have to verify your identity via another source before you’re allowed to log into an account) can also help.

Two-factor authentication can help protect you from scammers (image: Adobe)

If the phishing attack has happened at your place of work, you should contact your company’s IT department immediately. They may also be able to tell you if a seemingly suspicious message is a scam or not.

Sometimes you may not be able to act quickly enough to stop scammers from taking your money. If this happens to you, make sure you’ve got as much information about the attack as possible as this will help the police with their investigations.

Your bank might give you money to make up for your loss, but they do not have to compensate you if they find you have been ‘grossly negligent’ with your sensitive personal information.

The UK Financial Ombudsman Service may be able to help you if your bank refuses to reimburse you.