What is phishing?
These days, we’re used to receiving regular fraudulent messages from poor Aunt Petunia in the US or the prince of a faraway land. We understand how these typo-riddled emails attempt to draw us in with big promises and ask for money to deliver on them.
But phishing attacks have become a lot more sophisticated than that, and they aren’t always easy to spot.
So what is phishing? It’s when attackers attempt to trick you into doing 'the wrong thing'. This could be clicking on a bad link that will download malware, or directing you to a dodgy website. However, threats against you and your business aren’t always this obvious to spot. These are carefully planned and often appear innocent at first, but soon after, the losses can add up. Which we can see from the 2022 UK fraud stats, where fraudsters stole £1.2bn, earning the UK the title of ‘fraud capital of the world’.
Phishing falls under the umbrella of ‘social engineering’. This is the practice of manipulating and exploiting people to gain access to your systems, information or money. It could involve your typical phishing emails, phone calls from someone claiming to be your bank or even a message on social media from a ‘friend’ in need.
But the term 'phishing' is mainly used to describe attacks that arrive by email. This is because phishing emails can reach millions of users directly, and hide amongst the huge number of benign emails that busy users receive. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money.
Phishing emails can hit an organisation of any size. You might get caught up in a mass campaign (where the attacker is just looking to collect some new passwords or make some easy money), or it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like the theft of sensitive data. In a targeted campaign, the attacker may use information about you or your company to make their messages even more persuasive and realistic. This is usually referred to as spear phishing.
How to recognise a phishing scam
Phishing scams normally trick you by playing on your emotions or creating a story to get you to click on a link or share your information. They do this by pretending to be your bank, doctor, the government or anyone with authority to create urgency and legitimacy with their claims.
The fraudsters could:
Claim they’re from your bank and have noticed some suspicious activity or log-in attempts, asking you to decline transactions and to add new (fraudlent) payees instead
Claim there’s a problem with your account or your payment information
Say you need to confirm some personal or financial information
Ask for your security information, like recovery codes or pin numbers
Want you to click on a link to make a payment
What are account takeover scams
According to Action Fraud, account takeover is when a scammer gets hold of your login credentials to your online bank account to steal your money or information. They normally get your details through phishing scams or if there has been a data breach where your details were leaked.
Experian explains that there are multiple things fraudsters can do once they get your banking information, such as:
Order a new card from your bank or credit card provider to make purchases with
Access and redeem your account credits or rewards points for their own benefit
Make a payment to a fraudulent company from your bank account
Open a new bank account in your name
If you ever notice any unusual transactions on your account, contact your bank immediately. At Mettle you can reach out to us through the in-app chat (see the If Mettle ever needs to contact you section for more information).
Take five to protect yourself from fraud
Fraudsters are good at putting you under pressure so that you don’t have time to think. To help you in situations like this, UK Finance has launched its ‘Take Five to Stop Fraud’ campaign to help you spot scams and keep yourself and your hard-earned money safe.
They advise:
Stop – Take a moment to stop and think before giving out your personal information or payment details
Challenge – Could it be fake? It’s okay to reject, refuse or ignore any requests you think seem suspicious
Protect – If you believe you’ve been targeted by scammers, report it to Action Fraud on 0300 123 2040 or at actionfraud.police.uk. If you’re in Scotland, please report it to Police Scotland directly by calling 101.
How to report a scam
If you think you’ve come across a fraudulent email scam, you can report it to the National Cyber Security Centre (NCSC) by forwarding it to report@phishing.gov.uk. The NCSC recommends you forward on as many scam emails as you come across. Since January 2023, they have removed 209k scam URLs.
If you’ve received a suspicious text message, you can forward it to 7726. Your provider will then be able to investigate the text message.
If you’ve been hacked or lost money because of a phishing scam, you must report it to Action Fraud. In England, Wales and Northern Ireland you can report this via the Action Fraud website or by calling 0300 123 2040. If you’re in Scotland, you need to report it to Police Scotland by calling 101.
How to create a strong password
Spotting phishing attacks and online scams is one thing, but protecting yourself and your information against attacks is another.
For starters, let’s look at passwords and how to set a strong one. The first rule of setting a password is that it should be unguessable. By unguessable, that also means by people who know things about you.
It’s pretty easy for a stranger to work out your birthday, perhaps how many children you have or your pet's name. All this information is normally shared across social media, and so, makes passwords related to those easier to guess.
The problem with using random numbers and letters – which, as you guessed, are more unguessable – is that they are also more difficult to remember. When it comes to a strong, unguessable password, one way to do it is to pick three or four unconnected words and a number.
When it comes to remembering it, there is a technique for that too. The easiest way is to think of a few items, objects, or feelings, and then work that into a little story. So you might, for example, think of your:
Favourite book
Favourite band
A town you drove through recently, and
An emotion
Then, put those words into your password with a number or special character, for added security. For example:
HarryPotterL0ndonH@ppy1
Why you need multi-factor authentication (MFA)
But passwords alone aren’t always enough to protect your information. Having an added layer of security, like multi-factor authentication – or two factor authentication (2FA) – is also important.
We’re all familiar with websites such as Amazon, Facebook, and Twitter that require you to create an account and protect access to it with a unique user ID (usually your email address) and a password. MFA takes that one step further. Having a strong password is great. Having a second layer of defence is even better.
So even if the attacker knows your password, they won’t be able to access your account without that second factor of authentication. It’s an extra line of defence for you. There are different types of MFA, like:
SMS or email one-time codes
Authenticator apps such as Google authenticator
Physical security keys such as YubiKeys
Biometric authentication such as TouchID, FaceID, etc.
The NCSC recommends that you set up MFA on your 'important' accounts. These are your high-value accounts such as your banking apps, that if hacked, could cause a lot of damage. Your email should also be included. If a cybercriminal can get into your email, they could use it to reset passwords and access to other accounts.
If Mettle ever needs to contact you
Here at Mettle, we want to ensure that all of our customers know what we’ll do if we ever need to contact you. And most importantly, the information we’ll never ask you to provide.
We’ve outlined the different ways we’ll contact you and the information we ask for in this article. If you get contacted in a different way or asked to provide any additional or different information, then it’s most probably a scam.
If this happens, or if you’re unsure it’s really us contacting you, you should hang up and call us back using the number on the back of your Mettle card.
