Before you click that link, always think! 

A total of £580 million was stolen through phishing scams in just the first half of 2023. Keep reading to learn how to avoid falling prey to them.  

What is phishing? 

Phishing is a cyber security scam where criminals and bad actors send scam emails, texts, calls or instant messages with the idea of manipulating the recipient or tricking users into making security mistakes and giving away sensitive information.  
This could be: 

• clicking on a link to a malicious website  
• downloading harmful software 
• revealing personal or financial information 

What should I look out for? 

Thankfully, there are things you can look out for in any email you receive. Here are a few rules of thumb to keep in mind: 

1. Never click links or download attachments from an unexpected email, even if you know the sender. It’s always worth taking the safer path and searching on a trusted search engine for the website, or using an existing bookmark to get to the webpage. 

2. Scammers often play on your emotions by creating a false urgency to make you click on their link. This can look like a deadline; “your account is closing in 12 hours”. Take a moment, check the email is valid before deciding to click a link and submit any credentials. If possible, go directly to the website and log in. 

3. Verify unusual requests by contacting the sender through a different method. Emails may ask for an urgent payment and may even be presented as coming from someone within your company. Call using a previously confirmed number or send an instant message to ask them to confirm the request. 

4. Check the sender’s email address, not just the name as it displays in your email. Look for slight misspellings. For example, you might be expecting emails to come from [email protected], but when you look more closely you realise there is a typo or missing letter (such as someone@micosoft.com). In this instance, be aware this isn't their official domain.

What can I do now to protect myself? 

Enable multi-factor authentication (MFA) on all your accounts – this is where you're required to provide additional information, such as a code or a fingerprint, before signing in. You may already be required to do this in your place of work, for example. 

Your email accounts, both personal and professional, as well as your banking, should take priority. Multi-factor authentication adds a layer of protection, meaning that even if an attacker has your password, they still can't access your account. 

What should I do if I suspect phishing? 

Report, report, report! Your organisation’s email may have a “report phishing” button on the toolbar of your email app. Otherwise, you can forward the email to your IT department or security team and explain that you suspect phishing activity. 

It’s always worth reporting a possible scam, as this helps fight against phishing on a large scale. According to The National Cyber Security Centre, as of December 2024, they had received 38 million reported scams which resulted in 205,000 scams being removed from across 372,732 URLs. 

What if I’ve already clicked on a suspicious link? 

It’s ok to make mistakes. If you’ve clicked on a link which you aren’t sure is safe, you can still report the email, and mention to your IT department that you’ve clicked on the link. It’s always better to report a possible breach early on. Your IT department will be able to advise on next steps. 

Financial damage from phishing attempts is slowly going down, thanks to more advanced security systems and greater awareness. Things are looking up in the fight against phishing, although we can’t let up just yet. Cyber-criminals will continue to make their attacks more and more sophisticated, which means you need to keep your eye out and stay aware! 

To learn more about essential digital skills and access further resources, visit our No One Left Offline homepage.