Where does the word ‘phishing’ come from?
Here’s a little bit of history for you.
The word phishing – and the use of ‘ph’ rather than the traditional ‘f’ spelling – relates to the slang phrase ‘phreaking.’
Phreaking was first defined in the late 1950s and refers to the act of hacking into secure telecommunications systems and committing telephone fraud.
One of the earliest examples of internet phishing took place in May 2000 – you may remember it. The virus, known as ‘Lovebug’ (or ‘ILOVEYOU’), was a global-scale attack that used an email with an anonymous love letter attached to lure in its curious victims. On opening the attachment, the virus infected the machine and then copied itself into Outlook address books. The spread was catastrophic and, in a matter of days, over 50 million people had been affected.
The creator of the virus stated that he was struggling to pay for internet services, and intended to steal the passwords of other users so that he could log on for free.
Phishing has since gained in horrifying momentum. Criminals tend to have money on their minds, and they are becoming more and more inventive in their quest to get it.
What are phishing scams?
‘Phishing’ refers to an online scam, and can come in the form of emails, texts, phone calls, and WhatsApp messages.
Phishers are criminals who shamelessly take advantage of people’s financial vulnerability. They mimic someone or something trustworthy (such as a well-known bank, or a delivery service), and attempt to gain faith and steal your personal information (for example, your bank details) to use in a fraudulent way.
The emails and texts they send often look very real and incorporate existing logos and almost identical website addresses. If they link to a website, the sites may also duplicate the original.
No matter how savvy we think we are when it comes to protecting ourselves online, sometimes it can be really tricky to distinguish what’s genuine and what’s not. Remember, ‘phishers’ are professional scammers; this is their job, and they are often very good at what they do.
In the current cost-of-living crisis, many people are strapped for cash. It’s only natural, therefore, to consider clicking on a link in a text that promises us an instant tax refund of £250. Unfortunately, that one tap on a seemingly innocent link could lead to drastic consequences and could result in a breach of your personal information and, possibly, a loss of funds.
What are some examples of phishing?
Below is a very limited list containing just some of the many ways criminals are attempting to deceive their victims.
- A text from somebody claiming to be from Royal Mail advising that a delivery attempt had been unsuccessfully made, and the parcel would be returned to sender if a delivery fee was not paid. The text included a link to an authentic looking but ultimately fake Royal Mail website, which prompted the user to submit their bank details to release their parcel. This particular scam is seen a lot around Christmas when there is a rise in people placing online orders. Similar texts have been sent claiming to be from various couriers, including Evri (formerly Hermes) and DPD.
- An email from an undisclosed sender claiming to have personal video footage of the person they are targeting. The sender states they have hacked the victim’s phone, have access to their contacts, and will share the embarrassing video unless a large sum of money is sent.
- The ‘Hi Mum’ scam is generally a text or WhatsApp from an unknown number, stating something along the lines of: ‘Hi mum, I’ve smashed my phone – this is my new number.’ The sender will then engage in general chat, before asking the victim to transfer money (usually for ‘repairs’ or ‘emergencies’). Parents have, naturally, been responding to these messages by asking which child they are speaking with. The senders have been known to respond by claiming to be ‘the oldest one.’
- An email claiming to be from PayPal alleging that the victim’s account has been suspended, and the only way to rectify this is to follow the link and enter your card details.
- A text claiming to be from HMRC offering the victim a link to click on to claim back their ‘pending tax refund’.
- A phone call (most likely from an unknown or withheld number) from someone claiming that they are from a mobile network provider, promising money off your next bill, or stating that you have been ‘chosen at random’ to receive a free upgrade.
How can I tell the difference between a phishing scam and a genuine communication?
Sadly, scammers seem to be evolving along with the advance of technology. It seems that every day, phishers are conspiring to ‘reel us in,’ in an attempt to gain our personal information.
Here are some tips that may help you to spot a scam before you fall for the phisher, ‘hook, line and sinker’.
Check the spelling and grammar of the email or text. The majority of legitimate companies require all customer correspondence to be carefully examined and signed off, eliminating any potential errors. If an email claiming to be from a genuine company is littered with spelling mistakes, there’s a high chance that it could be a scam.
Pay particular attention to the email domain. Emails from genuine sources (such as Santander) will be sent from the valid company addresses – and NEVER personal Hotmail, Google or Yahoo accounts. Scammers may also make subtle changes to legitimate email addresses, which may go unnoticed at first glance. An example of this could be @r0yalmail.com, where the ‘o’ has been switched for a ‘0.’
Text and WhatsApp Messages
Ask yourself if a reputable firm like NatWest or Royal Mail would be using a generic mobile number to text customers? It’s highly unlikely.
Most companies will not reach out to you on WhatsApp.
Take a look at the WhatsApp account that the message has been sent from. Does the person or ‘company’ have a photo, or a status? Suspicious accounts could be totally blank and show no photo or status. On the other hand, if the phisher is an amateur, it may well show a personal photo (such as a selfie or a picture of a dog, etc).
If you are unlucky enough to receive a ‘Hi mum’ message, contact your child on their original telephone number to determine the facts.
In the past, if you received an incoming phone call from an unknown or withheld number, the chances are that you would decline it. Now, scammers often operate via mobile numbers which look a lot less suspicious when they flash up on our phones, meaning that we tend to be more inclined to answer.
What if it’s someone calling about that job we applied for, or the kids’ school?
A simple solution is to ignore any incoming calls that you are unsure of. If it’s genuine and urgent, the chances are they will leave a message (just make sure the voicemail setting is enabled on your phone).
If you do answer the phone, or reply to a text, but quickly start to suspect phishing, do not engage any further. As tempting as it is, don’t try to challenge them.
Scam messages tend to come with a sense of urgency – for example, they will urge you to act ‘as soon as possible’ or ‘within the next 24 hours’.
How can I reduce the risk of being a victim of a phishing scam?
The sad reality is that phishing attacks can happen to anybody although, according to the Office for National Statistics, those aged between 25-44 are more likely to be targeted.
Being vigilant and wary is our best bet, but as we have established, it’s not always an easy feat to distinguish the real deal from the downright dodgy.
If you’re ever in any doubt about a text or email you’ve received, find the official website for the company and reach out to them for assurance that the communication is genuine. Send them screenshots if necessary.
If you have even the faintest suspicion that you have been sent some inauthentic content, DO NOT click on any of the links supplied. If you do not wish to report the potential threat, block the email address or mobile number and delete the message straightaway.
Sometimes, we may receive suspicious messages that appear to have been sent by people in our contact list, either by text or on social media. Such messages may contain generic text such as, ‘Hey! Check out this hilarious video!’ followed by a link. Like the ‘LoveBug’ scam, the link will be corrupt, spreading a virus through your device before sending itself on to your contacts.
In this instance, there is a high chance that your friend or family member has been hacked. Connect with them via another form of communication and let them know what you have received.
It’s unpleasant to think about, but some criminals may study you before they target you. They may trace or spot you online and use the information they can get hold of to authenticate their messages. For example, if you recently made a public Facebook post about ordering a dress from a certain clothes shop, they could well use this to trick you: ‘You missed a delivery from (name of the shop you’ve purchased from). Click the link below to rearrange with your courier’.
Minimise this risk by ensuring that all of your social media accounts are set to private.
Regularly changing your passwords for all online platforms (including online banking) is also highly recommended.
What should I do if I think I’ve been a victim of phishing?
It can be easy to blame yourself if you fall victim to phishing but try to refrain from beating yourself up about it. Just to reiterate – this could happen to ANY of us.
If you have trusted a link or an email that has turned out to be fake, it is not your fault. The fault lies with the criminal taking advantage of honest people.
Reporting the scam may help authorities to identify the source and prevent further attacks from happening to other people.
Be sure to jot down every detail of your encounter, including any information that you might have shared (passwords, bank cards, etc). Before you block and delete the number or email address, make a note of them on a separate piece of paper so you have them for future reference.
If you have given out your bank details, contact your bank right away. They will be able to issue you with new cards and PINs and temporarily freeze your account so that no money can be taken.
If you have accidentally opened a link on your computer, run your anti-virus software as soon as possible to limit the damage. If things still don’t look right after your software has had a clean-up, you might want to take your computer to Curry’s – they offer a virus removal service for £45.
Contact your company’s IT department if the link was opened while you were at work and using company equipment.
You can report any suspected phishing attempts to the Gov.uk website. They will pass the information on to the National Cyber Security Centre (NCSC) to investigate. You can also report potential phishing to Citizens Advice Bureau. Citizens Advice Bureau have a handy online form that allows you to make a report quickly and easily.
For suspected HMRC scams, follow the specific advice set out on the Gov.uk website.
If you feel as though you are in immediate danger or are being threatened, do not hesitate to call the police. Your safety is priority, and nobody has the right to make you feel frightened or intimidated.