Twitter Chat held 4 Sep 2020 on Phishing #MulletOverChat

On UK National Fish and Chip Day GCA moderated a Twitter Chat alongside @TakeFive @ActionFraudUK @CyberProtectUK and @CyberAwaregov addressing a series of questions on phishing. #MulletOverChat was part of the #MulletOver campaign, led by The City of London Police, which has been running throughout the week - more info on that here: Public reminded to ‘mullet over’ when it comes to suspicious emails ahead of National Fish and Chip Day | Action Fraud
Here’s the Q & A transcript:


Q1. What is phishing?

@TakeFive: Phishing emails contain a call to action, encouraging people to visit a website that criminals use to steal valuable personal and financial information. They often use urgent language to trick people into making a quick decision and not inspecting the email closely.

@CyberProtectUK: Phishing is when criminals attempt to trick people into doing ‘the wrong thing’, such as clicking a bad link that will download a virus or direct them to a dodgy website that will steal their personal information. Phishing can come in many forms, such as phone calls, emails, text messages, or even messages on social media.

Q2. Many people may think they could spot a phishing email a mile away, all those spelling mistakes! What’s changed?

@TakeFive: Criminals are sophisticated at using tactics such as social engineering to trick people into revealing their personal and financial information. They also use branding from government departments or trusted organisations in emails to convince you they’re genuine.

@CyberProtectUK: Criminals have gotten far better at making fake emails look real. They’ll use correct spelling and grammar, real logos from the company’s official website and sometimes even personalise the emails with the recipient’s personal information, such as their name.

Q3. What could phishing scams lead to?

@TakeFive: Links in emails often lead to fake websites designed to look like that of the genuine organisation but are used to obtain your personal and financial information. This can also lead to your identity being stolen and your device being infected with malware.

@CyberProtectUK: Criminals want to convince you to do something which they can use to their advantage. In a scam email or text message, their goal is often to convince you to click a link. Once clicked, you may be sent to a dodgy website which could download viruses onto your computer, or steal your passwords and personal information. Over the phone, the approach may be more direct, asking you for sensitive information, such as banking details.

Q4. Can you give examples of popular phishing emails?

@TakeFive: There are a lot of phishing scams circulating. Some of these include fake emails from government departments (HMRC) offering refunds, or “spoofed” emails from service providers claiming that your payment details have failed and urgent payment is required.

@TakeFive: Criminals may also exploit data breaches to send seemingly genuine emails purporting to be from the impacted company, using alarmist language to trick you into clicking on links.

@CyberProtectUK: Some of the most reported phishing emails over the last few weeks include fake tax rebate emails claiming to be from HMRC, and we’ve also seen a sharp rise in fake PayPal emails that ask the recipient to “verify” their account details.

Q5. What should I do if I don’t know whether an email is real or fake? How can I check if it’s legitimate?

@CyberProtectUK: Scam emails aren’t always easy to spot, and criminals are constantly getting better at making them look real. These types of emails will also want you to act “urgently”… Before handing over any information, check what the organisation’s website says they will and won’t ask for.

@TakeFive: Criminals often send unexpected emails pressuring people to act quickly, claiming that there’s been suspicious activity on an account or that account details need to be “verified”. Always contact organisations directly using a known email/number to verify requests.

Q6. What action should be taken by someone who receives a suspicious-looking email?

@CyberProtectUK: The NCSC’s guidance on dealing with suspicious emails, phone calls and text messages will give you more information on what to do. Dealing with suspicious emails, phone calls and text messages

@TakeFive: If you receive a suspicious-looking email you can forward it to report@phishing.gov.uk. You should always contact organisations directly using a known email or number to verify any requests, and log in to your account to make payment or update your information.

Suspicious text messages should be forwarded to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action if it is found to be malicious.

Q7. What guidance is there to help businesses protect themselves against phishing?

@TakeFive: Businesses should seek to educate staff on phishing scams and update them on the latest threats.
Our business toolkit includes leaflets and posters with many materials provided as editable artwork files for those businesses who wish to add their own logo.
Business Advice | Take Five

@CyberProtectUK: The National Cyber Security Centre’s Small Business Guide includes lots of quick, easy, and low-cost ways for small businesses to improve their cyber security. Take a look here: ncsc.gov.uk/collection/small-business-guide

Q8. One of my online accounts was hacked and I’m worried they might be able to get into my other accounts. What should I do?

@ActionFraudUK: Don’t panic. The first thing you need to do is change the passwords on all accounts which have the same password as the hacked account. Use three random words to create strong passwords for your online accounts, and enable two-factor authentication (2FA) to add an additional layer of security. For information on how to recover a hacked account, visit: Recovering a hacked account

@EMEA_GCA reply: Two-factor (also called multi-factor) authentication is so important. #CyberGriffin has a great video on setting this up in their YouTube video series: Cyber Griffin Guides: Home Working - YouTube

Q9. It’s difficult to remember the passwords for all of my different online accounts, what should I do?

@CyberProtectUK: It’s good practice to use different passwords for the accounts you care most about, such as your email or social media. You can save your passwords in your browser; it’s quick, convenient and safer than re-using the same password (don’t forget to keep your browser up to date with the latest software updates). For more info, visit: Cyber Aware

Q10. What should be done if someone is impacted by a phishing attack or any cyber-related/online malicious activity?

@TakeFive: If you believe you’ve fallen for a phishing scam, you should contact your bank immediately on a number you know to be correct, such as the one listed on your statement, your bank’s website or on the back of your debit or credit card.

@CyberProtectUK: If you have lost money you should report it to your bank. You should also report it to Action Fraud if you live in England, Wales or Northern Ireland, and to Police Scotland if you live in Scotland. Report fraud here: www.actionfraud.police.uk

Q11. Any other resources or recommendations for staying safe online?

@CyberProtectUK: Visit the Cyber Aware website for more advice on how to stay safe online. Cyber Aware

@TakeFive: For more information on fraud and scams and how you can protect yourself, please see below: General Advice | Take Five