Watch out for phishing emails - they might ruin your Christmas!
Andrew Davidson
IT Audit Senior Manager
27 November 2023
“WARNING – Your Amazon account was used from an unknown device to purchase a £200 gift voucher. Click here to review or amend this transaction.”
“Congratulations, you’ve won a £50 Tesco voucher. Click here to log into your Tesco Bank account.”
“Here’s a receipt showing your successful purchase of a year’s subscription to Netflix.”
“We’ve detected unusual activity in your bank account, please click here to log in.”
“We’ve suspended your PayPal account due to unusual activity. Click here to log in and check your transactions.”
Do you recognise any of these? You might already have seen something similar in your inbox.
As the Christmas season approaches, we are inundated with special offers and gift vouchers from retailers. With more of us shopping online, you may find yourself receiving even more of these offers than in previous years.
While a lot of these seem tempting, it’s important to remember that Christmas is also a busy time for cyber criminals hoping to catch you out with cleverly disguised phishing emails.
Often, their aim is to capture your login details for online services such as Amazon, giving them the ability to order goods while you pick up the cost. Even worse, cyber criminals have been known to install keylogging software on your laptop to harvest the passwords to your online banking.
Phishing emails
A phishing attack succeeds when the email appears to come from somewhere you trust and adds an element of threat or urgency. There is always a strong call to action. A very common scam is a fake email from Amazon or Apple giving a “receipt” for an extravagant purchase. We instantly recognise the Amazon or Apple branding and inherently extend our trust to emails that carry it. Add the threat that someone has already accessed your account to make an expensive purchase, and many of us would reach for the “click here to log in to your account” button without taking a moment to think.
Now, to avoid any doubt in your mind: you never need a link in an email to log into your bank or an online retailer such as Apple or Amazon. Whatever the message looks like, go to the site by typing the address yourself or using a bookmark you saved earlier. If an email says anything like “click here to verify” or “click here to log in” and presses you to do it now, treat it as fake.
Clicking on these links will more often than not take you to a website that looks exactly like the genuine one, with two key differences. Firstly, the web address will not be the genuine one. Some of the more sophisticated attempts use a close approximation such as www.amazonuk.co.uk, or even app1e.com with the digit 1 in place of the letter l, which you might not notice at a glance; others put the real brand’s name at the front of a longer address that actually belongs to the attacker. Secondly, when you log in, all that happens is that your details are passed to the criminal. You might even be redirected to the genuine site with the message “you entered your password incorrectly – please try again”, and so you will be none the wiser. As mentioned before, this allows them to log on as you and make purchases at your expense.
Phishing texts
More people shopping from home has led to more frequent home deliveries, which in turn has led to more interest from scammers in how to take advantage of home shoppers.
One such technique is to send text messages to thousands of mobile numbers saying that a package could not be delivered and the recipient need only click a link to arrange re-delivery. The link takes you and your smartphone to a website similar to those described above for email phishing. Once you have handed over your card or bank details, the criminals can use them to grab as much cash as they think they can get away with before the bank blocks it.
Again, if a text message comes through claiming to be from a delivery service, check the number it came from by typing it into a search engine. Often these numbers have already been reported and you can avoid the scam (block the number and report it where possible). Alternatively, go to the delivery company’s own website and contact them directly to confirm the details. NEVER use the link or the number provided in the text message without checking it first.
How to protect yourself from the cyber grinches!
Many of the vulnerabilities which criminals use to compromise your device are fixed by installing the latest operating system patches, so get those updates running to make sure your device is up to date. Backing up your files routinely, in case of ransomware, and keeping your anti-virus software up to date will also help protect you.
If you are ever in doubt about an email, look out for the following tell-tale signs:
- Don’t trust the display name on emails (it is relatively easy to set this to one that looks valid); check the actual email address behind it.
- Hover the mouse over any links in the email to see where they really direct you; the destination shown is what matters, not the wording of the link. When in doubt, search for the company and log into the genuine site rather than via any link in the email.
- Check for spelling mistakes. English is not always the first language of the hacker.
- Does it mention you by name or are you “Valued Customer”?
- Legitimate banks NEVER ask for credentials over email.
- Beware of urgent or threatening language. The sense of urgency can put people into a panic and they are more likely to react than think. Stop, and ask a colleague, friend or family member what they think before acting.
- Does the email include genuine contact details such as a postal address and phone number? Banks and retailers normally include these.
- Don’t open attachments from anyone unless you were expecting it.
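The two address checks above (the display name versus the real sender address, and where a link really points) can be automated. The following Python script is an added example and not part of the original article: it runs those checks over a constructed sample message, compares the registrable domain of each link against a small allowlist of domains the brands actually use, flags hosts that merely contain or imitate a brand name (the article’s amazonuk.co.uk and app1e.com, plus the trick of placing the brand name in front of an attacker-owned domain or before an “@” in the address), and flags a sender whose display name claims a brand its address does not belong to. The brand allowlist, the digit-for-letter table and the short two-level suffix table are simplifications assumed for this example; a real tool would use the Public Suffix List and a maintained list of brand domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). It shows the tells the
# article describes: a trusted-looking display name over an unrelated sender
# address, a generic greeting, urgent wording and a "log in" link whose host
# only resembles the brand it claims to be. A genuine link is included for contrast.
SAMPLE_EMAIL = """\
From: "Amazon.co.uk" <security-alert@mail-amazon-verify.com>
To: you@example.net
Subject: Your Amazon account was used from an unknown device
Content-Type: text/html

<html><body>
<p>Dear Valued Customer,</p>
<p>A 200 GBP gift voucher was purchased from an unknown device.</p>
<p><a href="https://www.amazon.co.uk.account-review.com/login">Click here to log in</a>
to review or amend this transaction.</p>
<p>Order history: <a href="https://www.amazon.co.uk/gp/css/order-history">view</a></p>
</body></html>
"""

# Hypothetical allowlist for this example: brand names mapped to the registrable
# domains the brand really sends mail from and links to.
BRAND_DOMAINS = {
    "amazon": {"amazon.co.uk", "amazon.com"},
    "apple": {"apple.com"},
    "paypal": {"paypal.com"},
}

# Digits commonly substituted for letters in look-alike hostnames (app1e.com).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Pressure phrases of the kind the article warns about; matched case-insensitively.
URGENCY_PHRASES = ("click here to log in", "click here to verify", "suspended",
                   "unusual activity", "unknown device")

# Suffixes under which the registrable name is the third label from the right.
# Short table assumed for the example; use the Public Suffix List in practice.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that someone actually registers,
    e.g. 'amazon.co.uk' for 'www.amazon.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_verdict(url: str) -> str:
    """Classify where a link really goes: 'genuine' if its registrable domain is
    one a known brand uses, 'lookalike' if the address merely contains or imitates
    a brand name, otherwise 'unknown'."""
    parsed = urlparse(url)
    # netloc keeps any "user@" prefix, which can be abused to show a brand name
    # before the real host (https://www.amazon.co.uk@evil.example/).
    netloc = parsed.netloc.lower()
    domain = registrable_domain(parsed.hostname or "")
    if any(domain in domains for domains in BRAND_DOMAINS.values()):
        return "genuine"
    for brand in BRAND_DOMAINS:
        if brand in netloc or brand in netloc.translate(HOMOGLYPHS):
            return "lookalike"
    return "unknown"


def analyse(raw_message: str) -> dict:
    """Apply the article's checks to a raw, single-part HTML email and return
    the findings as a dictionary."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    claimed_brand = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    sender_domain = registrable_domain(address.rpartition("@")[2])
    body = msg.get_payload()  # a str for a single-part message
    text = body.lower()
    links = {url: link_verdict(url)
             for url in re.findall(r'href="([^"]+)"', body, flags=re.IGNORECASE)}
    findings = {
        "display_name": display_name,
        "sender_address": address,
        # The display name claims a brand but the address is not on that brand's domains.
        "sender_mismatch": claimed_brand is not None
                           and sender_domain not in BRAND_DOMAINS[claimed_brand],
        "links": links,
        "generic_greeting": "valued customer" in text,
        "urgent_language": any(phrase in text for phrase in URGENCY_PHRASES),
    }
    # Either hard signal is enough on its own; greeting and wording are supporting evidence.
    findings["suspicious"] = findings["sender_mismatch"] or "lookalike" in links.values()
    return findings


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run as a script it prints the findings for the sample; analyse() returns them as a dictionary so the same checks can be applied to any other single-part message, and link_verdict() can be used on its own against the address shown when you hover over a link.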
The last, very simple piece of advice: if you are not sure an email is genuine, delete it without clicking on links or opening attachments.
Keeping these points in mind can help lead to a happy and phish-free Christmas!
Did you know? Our team provide an IT auditing service to help you test your systems and ensure your staff are up to speed with best practices. If you’re interested to find out more, please get in touch with me.