Phishing attacks can be very damaging, not just to the staff member who might hand over valuable personal data or a password, but also to the school the individual works for, especially if the email is opened and its link or attachment followed on a school-provided device, where malware or a stolen login can reach the school's systems and data.
These notes are intended to help all members of school staff identify phishing emails and to provide advice about how they should be dealt with.
Spotting Phishing Emails
Cyber criminals go to great lengths to make a phishing email look legitimate. Luckily, there are a number of ways in which you can identify phishing emails, whether you receive them at work or at home.
Don’t forget that scammers will make their emails look as though they have been sent from the organisation they are pretending to be. They will try to replicate the company’s corporate image using the business logo, font, colour scheme and so on. Just because something looks as though it has come from your bank doesn’t mean that it has.
Remember you should never click on a link in, or download any attachments from, an email without checking that it is not a phishing scam.
- The message comes from the wrong domain
This isn't always easy to see, because scammers set the display name of their email address to match the organisation they are claiming to be from, and many mail clients show only that name. Find out how to display the full address an email has been sent from. If you are using Outlook in a web browser, hover over the sender's name in your inbox and the full email address of the sender will be shown; Gmail works in the same way. The last part of a business email address (everything after the @) should match the company's domain name; an established organisation will not send emails from an address that ends @gmail.com. If you are suspicious, check the spelling of the domain carefully: it is a common trick for scammers to register a deliberately misspelt or lookalike domain (an extra letter, a digit 1 in place of a letter l, or the genuine name followed by something else, as in example-bank.com.evil.example). If you want to confirm an organisation's real domain name, type the company's name into a search engine rather than trusting anything in the email. Bear in mind that the From address itself can be forged, so an address that looks right is not proof that the email is genuine; it is the wrong address that gives a scam away.
- You're asked for personal information
A legitimate business will not ask you, by email, to supply or confirm information such as passwords, account numbers, usernames, addresses or telephone numbers, and it will not ask you to update your details through a link in an email.
- The email doesn't address you personally
Be very suspicious if you are addressed as 'Dear customer', 'Dear user' or by your email address. This is normally a sign that the fraudster doesn't have your details and is sending the same message to many people.
- The email features poor spelling, grammar or distorted images
You will probably spot these easily. A genuine organisation is unlikely to send out an email that hasn't been carefully vetted and proofread, so any mistakes you notice should be a red flag. The reverse does not hold, though: a well-written email with the correct logo can still be a phishing email, so the absence of mistakes proves nothing on its own.
- Strange looking URLs or hyperlinks
Links embedded in an email often look genuine, because the text you see and the address the link actually goes to can be completely different. Hover your cursor over the link (on a phone or tablet, press and hold it) and the full address will be displayed. If this doesn't match the address shown in the email, or points to a domain you don't recognise, do not click on it.
- The email is an urgent call to action
If the email asks you to act immediately to prevent your account being frozen, says that a validation check has failed or tells you that there has been suspicious activity on your account, it is probably a scam. The fraudsters are trying to get you to act without thinking. Although you might receive a genuine email about account security or a purchase, don't click on the links in it. Instead, call the company directly on a number you already have, or log into your account by typing the address yourself, and see whether there is any matching information there.
- Something just doesn't look right
If you are at all suspicious about an email, even if you can't pin down what is making you suspicious, don't act on it. If something doesn't look right it probably isn't, and you should only act once you have confirmed, using an alternative communication method, that it is safe to do so. We have seen emails where scammers impersonated the head teacher's email account in a school. Don't be afraid to check internal emails if you are being asked to share sensitive data or financial information: it is always better to pick up a phone or put your head around a door than to deal with the fall-out of becoming a victim of a phishing scam.
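Two of the checks above are mechanical enough for an IT team or a mail filter to automate: whether the sender's real domain (not the display name) is a genuine one or a lookalike, and whether a link's visible text matches where the link actually goes. The Python script below is an added example written for these notes, not code from the original page; it parses a constructed sample message, compares the sender's domain against a constructed allow-list of the organisation's real domains (catching one- or two-character misspellings and the "real-name.com.something-else" trick), and lists every link whose visible text is a URL on a different domain than the one the href actually points to. The sample email, the domain names and the KNOWN_DOMAINS allow-list are all invented for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims "Example Bank", the real sender
# domain is a one-character misspelling of example-bank.com, and the link's
# visible text shows one URL while its href points at a different host.
SAMPLE_EMAIL = b"""\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer,</p>
<p>Verify now: <a href="http://login.examp1e-bank.com.evil.example/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Domains the organisation really sends from (constructed allow-list).
KNOWN_DOMAINS = {"example-bank.com"}


def parse(raw):
    """Parse raw message bytes into an EmailMessage."""
    return email.message_from_bytes(raw, policy=policy.default)


def sender_domain(msg):
    """Domain of the address in From (not the display name), lowercased."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def registrable(host):
    """Crude last-two-labels stand-in for the registrable domain."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, known):
    """True when domain is not (a subdomain of) a known domain but is a near
    misspelling of one, or embeds one inside a different domain."""
    domain = domain.lower()
    if registrable(domain) in known:
        return False
    for k in known:
        if edit_distance(domain, k) <= 2 or "." + k + "." in "." + domain + ".":
            return True
    return False


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._text is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._text is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href, self._text = None, None


def mismatched_links(html):
    """Links whose visible text is a URL on a different domain than the href:
    the discrepancy that hovering over the link would reveal."""
    p = LinkExtractor()
    p.feed(html)
    out = []
    for href, text in p.links:
        if re.match(r"https?://", text, re.I):
            shown = urlparse(text).hostname or ""
            real = urlparse(href).hostname or ""
            if registrable(shown) != registrable(real):
                out.append((text, href))
    return out


def check_message(raw, known=KNOWN_DOMAINS):
    """Return human-readable findings for one raw message."""
    msg = parse(raw)
    findings = []
    dom = sender_domain(msg)
    if is_lookalike(dom, known):
        findings.append(f"sender domain {dom!r} imitates {sorted(known)}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in mismatched_links(body.get_content()):
            findings.append(f"link shows {text!r} but goes to {href!r}")
    return findings
```

Calling `check_message(SAMPLE_EMAIL)` returns two findings for the sample: the misspelt sender domain and the link whose text says example-bank.com but whose target is under evil.example. Two limits are worth knowing. The registrable-domain check is a last-two-labels approximation (wrong for suffixes such as .co.uk; a real implementation would use the public suffix list), and an edit distance of two will produce false positives on very short domains. More importantly, the sender check only reads the From header as written, which a scammer can forge outright; whether the sending server was actually allowed to use that domain is what SPF, DKIM and DMARC results tell you, and this script does not look at them.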
Dealing with suspicious emails
If you receive an email which you think is a phishing scam, report it and then delete it. If your email client gives you the option to report an email as phishing, use it; otherwise tell your school's IT team. Do not forward it to colleagues to ask their opinion, and do not reply to it. If you have already clicked a link, opened an attachment or entered your password before realising, tell your IT team straight away and change your password: the sooner they know, the less damage can be done.
Never worry about deleting an email you are uncertain about. In the unlikely event that it turns out to be genuine and requires action, you should expect the sender to contact you again when they do not receive a reply.