What is phishing?

Phishing is when attackers (cyber criminals) target individuals or organisations by email, telephone or text message posing as a legitimate source and attempt to entice individuals into clicking on an untrustworthy link or into providing sensitive data for example passwords, banking details or other sensitive information.

Types of phishing

These are the most common types of phishing attacks used by cyber criminals.

  • This is when an attacker uses a fake domain or email address that imitates an authentic organisation. The email often includes a link to a site which appears genuine.

  • Similar to email phishing the attacker sends a text message imitating an organisation.

  • Involves a telephone conversation where the attacker attempts to convince the recipient of the call to provide personal or sensitive information.

  • This is a targeted scam directed at specific individuals or organisation. Often the intention is to lead the recipient to a false website or contain attachments that could lead to malware or ransomware being installed on the computer or network.

Top tips to spot phishing

Phishing attacks have become increasingly sophisticated and it isn’t always clear whether or not the email, telephone call or text message is genuine. Email filtering services attempt to send phishing emails to spam or junk folders, however to ensure genuine emails are received it isn’t always possible to filter out all phishing attempts.  To help spot a phishing attempt here are a few top tips.

  • Check the email address of any emails, often there can be telling signs if the email isn’t genuine. Attackers will often mask the true domain so it’s wise to check.

  • Who is the email addressed to? For example is it addressing you by your name or by something generic such as ‘customer’?

  • Look out for spelling errors or poor grammar that may raise doubts about the authenticity of the message.   

  • Avoid opening any suspicious attachments.

  • Often phishing attacks will seek to request action immediately - take the time to read any emails or messages thoroughly and consider their legitimacy before taking action.

If you are confident that a message is part of a phishing attack, simply ignore and delete it. If you are unsure, visit the official website of the company the message is claiming to be from and contact them directly. Do not click on any links or use the contact details in the message until you have verified its authenticity.

Understand phishing

Our phishing training module will help you understand what phishing is and how it works, how you can identify phishing emails, different techniques of phishing and what you can do to protect yourself and your organisation.

How multi-factor authentication helps to combat phishing

Multi-factor authentication (MFA) provides user accounts with an additional layer of protection from cyber criminals. MFA or two-factor authentication (2FA) requires a user to provide secondary information to gain access to an online account.

The additional security of MFA provides enhanced protection for user accounts, particularly from phishing attacks. Cyber criminals may launch a phishing attack to try and steal a user’s password or credentials which can give them access to their account. By using MFA it is unlikely that a cyber criminal will have access to the second authentication factor (for example, your smartphone) and therefore the account is prevented from compromise.

A number of MFA methods can be used including one time passwords (OTPs) sent to a different device, fingerprints, or other biometric factors. Secure networks also provide a second authentication factor when accessing online accounts.

Due to the potentially sensitive data non-learner account holders for example, staff, governors and all other stakeholders (but not learners) have access to via their Hwb account, MFA must be turned on for these users. Find out how to turn on MFA for users in your school or organisation.

How to report phishing  

The National Cyber Security Centre (NCSC) is a UK government organisation that has the power to investigate and take down scam email addresses and websites.

By reporting phishing attempts, you can:

  • reduce the amount of scam communications you receive
  • make yourself a harder target for scammers
  • protect others from cyber crime online

Reporting phishing to the NCSC is quick and free -

Further Information