Andy Jackson, Head of Communications for the United Reformed Church, recently shared news about a phishing attempt from someone claiming to be John Bradbury, the General Secretary of the URC. These emails had been seen before at Church House but this attempt had been sent to others in the wider Church.
Now that these emails seem to be using the names of Synod staff too, Andy shares some tips about how to tell what’s an attempt at fraud and what’s genuine.
A phishing email is an attempt by criminals to use someone else’s details or website design to trick people into parting with money. For example, you might get an email from a person known to you, but from a different email account, an email from a supplier such as Amazon, or one from a payment platform, e.g. PayPal. I’ve had all of these in one form or another.
These emails will try to get you to part with money or personal information that will be sold to those trying to get money.
And it’s not just emails – text messages, social media and phones can also be used. Recently, I had an automated voice message at the office saying that our internet service was being stopped. It wasn’t, because the message came from the wrong provider.
But they sound and look genuine.
Emails will be sent to millions of people asking for information such as bank details or containing links to websites intent on getting information from you.
Some phishing emails may contain viruses disguised as attachments which activate if opened. A few years ago, a colleague at Christian Aid forwarded me such an email without realising the attachment contained a virus, and because it came from her, I opened it. I had to spend the rest of my day restoring my computer and files.
What steps can I take?
Information from your social media accounts – Facebook, Twitter, Instagram – leaves a digital footprint that can be exploited by criminals. Publicly available information about you makes their phishing emails appear convincing. Check your privacy settings and think about what you post, and who can see it (Facebook posts could potentially be seen by everyone on Facebook unless you tell it to share your posts only with Friends).
Also, be aware of what is said about you online, as this can also reveal information that can be used to target you.
If you have received an email which you’re not quite sure about, forward it to the government’s National Cyber Security Centre’s Suspicious Email Reporting Service – email@example.com
What do I do if I’ve already clicked a link?
Don’t panic and don’t worry. Open your antivirus software and run a full scan, and follow any instructions given (for example, deleting files that contain a virus).
If you’ve been tricked into providing your password, you should change your passwords on all your other accounts, as soon as possible.
And if you have lost money, you need to report it as a crime to Action Fraud: www.actionfraud.police.uk.
What are the signs?
Spotting a phishing email can be very difficult.
Is the email addressed to you by name or does it use a generic title such as ‘valued customer’, or ‘friend’ or ‘colleague’? This can be a sign that the sender does not know you.
Is it an official-looking email with logos and graphics, and is the design and quality what you’d expect or have received from that company before?
Does the email contain an urgent action? Is it asking you to do something in the next day, or does it contain a link that you must click on immediately?
Look at the sender’s name and email address. Sometimes there are words inserted to make it look like an email from a company or supplier – instead of firstname.lastname@example.org it could be email@example.com which is a totally different website. Just because it has the name of a company or organisation in the email address doesn’t mean it’s genuine.
Or in the case of the phishing scam involving John Bradbury, the email was not the @urc.org.uk email address, but a gmail.com address. Is it likely that a known person in an organisation would use a free email account for official business? You can always check on the URC website for the email addresses of staff.
Does it sound legitimate? Is the email offer too good to be true – e.g. designer trainers for £10, free films when you use this code or click on this link, or a free subscription to Reform?
Banks and other official senders of emails don’t ask for personal information and haven’t done for years, so if the email is asking for that, it is probably a scam. Call the bank to check if you’re unsure.
If you have received an email which you’re not quite sure about, forward it to the NCSC’s Suspicious Email Reporting Service: firstname.lastname@example.org
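For anyone who looks after a shared mailbox and can run a script, the sender and wording checks listed under "What are the signs?" can be sketched in Python. This is an added example, not part of Andy's original tips; the word lists, the staff entry and the three sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: only urc.org.uk and gmail.com come from the article.
ORG_DOMAIN = "urc.org.uk"
STAFF = {"john bradbury"}  # names listed on the organisation's website
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
GENERIC = ("valued customer", "dear friend", "dear colleague")
URGENT = ("immediately", "urgent", "within 24 hours")

def phishing_signs(raw):
    """Return the warning signs found in one raw plain-text email message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    signs = []
    # A known person's name on an address outside the organisation's domain.
    if name.lower() in STAFF and domain != ORG_DOMAIN:
        signs.append("known name, wrong domain")
    if domain in FREE_MAIL:
        signs.append("free email account")
    # The organisation's name inserted into a different domain.
    label = ORG_DOMAIN.split(".")[0]
    related = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    if label in domain and not related:
        signs.append("lookalike domain")
    if any(phrase in body for phrase in GENERIC):
        signs.append("generic greeting")
    if any(word in body for word in URGENT):
        signs.append("urgent action")
    return signs

# Constructed sample messages (not real emails or real addresses).
IMPERSONATION = ("From: John Bradbury <constructed.sample@gmail.com>\n"
                 "Subject: Quick request\n\n"
                 "Dear colleague, please reply immediately.\n")
LOOKALIKE = ("From: Accounts <accounts@urc-payments.example>\n"
             "Subject: Invoice\n\nHello Sam, your invoice is attached.\n")
GENUINE = ("From: John Bradbury <constructed.sample@urc.org.uk>\n"
           "Subject: Agenda\n\nHello Sam, the agenda for Tuesday is attached.\n")

if __name__ == "__main__":
    for label, raw in (("impersonation", IMPERSONATION),
                       ("lookalike", LOOKALIKE), ("genuine", GENUINE)):
        print(label, "->", phishing_signs(raw) or "no signs found")
```

A sender address on the real domain can still be forged, so an empty result here does not prove a message is genuine.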