It’s likely you’ve seen emails from supposed delivery companies with subjects such as “Your package requires a shipping fee - pay this now”. The email contains a link to what appears to be their genuine website. The email and/or website asks for your personal and financial details. In fact, the email could be a phishing scam.
Phishing is a method used by fraudsters to obtain sensitive or personal information such as passwords, bank or card details, which can then be used to access existing accounts or to steal identities, potentially resulting in financial loss.
This stolen information can also be used to facilitate other types of scams, such as impersonation scams. But the fraudsters, who often operate in criminal gangs, don’t always rely on you entering your personal data - phishing emails could also include links that trick people into downloading malware onto their computers or phones.
Starling is signed up to the Take Five Charter and is committed to keeping your money and personal information safe. The campaign encourages you to ‘take five minutes’ to consider if communications are genuine. The top red flags for suspicious activity are:
1. Email sender
- Fraudsters can make emails appear to be from an existing and trusted contact. This is called spoofing.
- Misspellings can make a suspect domain look ALMOST like the real one. Check for extra letters, extra full stops or dashes (“-”). For example, “firstname.lastname@example.org” vs “email@example.com”.
- If in doubt, contact the individual or company by phoning back on a trusted phone number (one you’ve spoken to them on before or found directly on their website) to ensure the email really was sent by them.
2. “Date:” “Subject:” “To:” The Magic Trio
- Date: Check the time you received the email. Does it make sense for it to be timed at 3am?
- Subject: Check if the title contains catchy words or a sense of urgency like “urgent”, “action needed” or “account suspended”. Never respond to pressure.
- To: Check if you were cc’d in an email with people you don’t personally know.
3. Attachments
- Opening an unexpected attachment may install malware, such as viruses, spyware or ransomware, on your device. This could enable a fraudster to harvest your sensitive information or remotely access your device without your consent or knowledge.
- Check the attachment name, file icon and file type for any discrepancies.
- Avoid enabling Macros on Microsoft files if you were not expecting them.
4. Hyperlink: Don’t click it, check it first!
The email you received from “Your Super Bank” includes a link. What should you check to ensure it’s genuine?
- Punctuation: Watch out for punctuation in the links. If you clicked on https://your.super.bank.com, it would take you to the website your[.]super[.]bank[.]com and not the one you probably wanted, yoursuperbank.com.
- Spelling errors: Always pay attention to the spelling - y0ursuperbank.com or yorsuperbank.com.
- Link shortener: Fraudsters may take advantage of URL shorteners to disguise malicious domains. Watch out for URLs that look like this,
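As an added example (not part of the original article), the three link checks above written as a small Python function: it works out which domain a link really lands on, and flags inserted punctuation, digit-for-letter lookalikes, near-miss spellings and shortener hosts. The brand domain, the shortener list and the substitution table are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the brand's real domain from the article, a small
# sample of URL-shortener hosts, and the usual digit-for-letter substitutions.
EXPECTED = "yoursuperbank.com"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

def registrable_domain(host):
    """Last two labels of the hostname: the part its owner actually controls.
    Simplified: ignores two-level suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def squash(s):
    """Drop the dots and dashes a scammer inserts to break up a brand name."""
    return s.replace(".", "").replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url, expected=EXPECTED):
    """Return the red flags for a link; an empty list means it is the brand's own domain."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain == expected:
        return []  # genuine, including subdomains such as login.yoursuperbank.com
    flags = []
    if domain in SHORTENERS:
        flags.append("shortener: the real destination is hidden")
    if squash(host) == squash(expected):
        flags.append("punctuation: %s really belongs to %s" % (host, domain))
    name, exp_name = domain.split(".")[0], expected.split(".")[0]
    if name == exp_name:
        flags.append("same name, different top-level domain: " + domain)
    elif name.translate(HOMOGLYPHS) == exp_name:
        flags.append("lookalike: digits or symbols standing in for letters")
    elif edit_distance(name, exp_name) <= 2:
        flags.append("misspelling: %s instead of %s" % (name, exp_name))
    if not flags:
        flags.append("unrelated domain: " + domain)
    return flags
```

Running `check_link("https://your.super.bank.com")` reports that the link belongs to bank.com, which is exactly the point the article makes about punctuation.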
5. Body content
- By using email templates, fraudsters usually aim to engage with the highest number of victims in the shortest time. These templates sometimes contain flaws, so always check for grammar and spelling errors. Another tip is to check the email signature (a block of text automatically added to the bottom of an email) for any discrepancies between it and the sender details, i.e. name and email address.
6. Landing page - not too late
- Whether you’ve been asked to log in via a specific link to change your password, or you’re about to reply with your personal information, stop and think again. If in doubt, verify the request by contacting the sender on a trusted phone number (one you’ve spoken to them on before or found on their website).
- If you’ve already clicked the link and have been redirected to a convincing landing page, check the address bar. Is that the domain you were supposed to be on?
- Some red flags might be more difficult to spot when you’re reviewing the email on your mobile. For example, you’ll only see the display name of the sender (e.g. Amazon) but the actual email address is hidden (e.g. firstname.lastname@example.org).
- Tap on the display name of the sender to get more information about the email address.
- Landing pages are more difficult to check on mobile because the address bar (the URL bar) is too small to display the whole URL at once. Check the URL in its entirety by long-pressing on it (without tapping it).
If you don’t know the sender and you spot a red flag, you can report the message to the Suspicious Email Reporting Service at email@example.com. If the email is impersonating a legitimate company you can also report it to their phishing abuse mailbox, which can normally be found on the organisation’s website.
Starling will never request personal or financial information by email. If you receive an email that impersonates Starling Bank please report it to firstname.lastname@example.org.