Phishing, vishing and smishing
What they are, how to spot the signs and how to stay safe
Phishing, vishing and smishing are all plays on the word ‘fishing’. Fraudsters ‘fish’ for potential victims by sending emails, social media messages or text messages, or by making phone calls, with urgent messages in the hope of persuading someone to visit a bogus website.
Vishing is when criminals persuade victims to hand over personal details or transfer money over the telephone. They can use several methods to try to trick you.
- Information: the criminals already have your name, address, phone number, bank details - essentially the kind of information you would expect a genuine caller to have
- Urgency: You are made to believe your money is in danger and that you have to act quickly - fear often leads people into acting without thinking
- Phone spoofing: The phone number appears as if it's coming from somewhere else, so when you pick up the phone you already believe the caller because the number is convincing
- Holding the line: In some cases, the criminals can hold your telephone line, so if you hang up to call the bank back, you can get put straight back through to the fraudsters
- Atmosphere: You hear a lot of background noise so it sounds like a call centre rather than a guy in a basement - they either do have a call centre, or are playing a sound effects CD.
Don't ever give personal information like banking or credit card details over the phone to someone who has called you. If you get a call, hang up, and ring the number on the back of your credit card using a different phone from the one they called you on.
Phishing emails can look very convincing, copying branding and 'spoofing' email addresses to make them look genuine.
- Hover your mouse over the link and the URL details will come up, showing whether it's valid or would take you somewhere unrecognizable
- If in doubt, don't click on the link
- If an email looks genuine then contact the sender through their official website
- Never use telephone numbers or links provided in the email
'Smishing' is SMS phishing where text messages are sent trying to encourage people to pay money out or click on suspicious links.
Sometimes attackers try to get victims on the phone by sending a text message asking them to call a number, so they can try to persuade them further.
Banks often text their customers for a variety of reasons. To respond to a message, call the bank using a number from a bank statement or a verified source, not from the text message.
Action Fraud has this advice about protecting yourself from phishing, vishing and smishing:
- Don’t assume anyone who’s sent you an email or text message – or has called your phone or left you a voicemail message – is who they say they are.
- If a phone call or voicemail, email or text message asks you to make a payment, log in to an online account or offers you a deal, be cautious. Don't give away any other sensitive information by clicking on a link and visiting a website. If you get a call from someone who claims to be from your bank, don't give away personal details.
- Make sure the spam filter is switched on for your emails. If you find a suspicious email, mark it as spam and delete it to keep out similar emails in future.
- If in doubt, check it’s genuine by asking the company itself. Never call numbers or follow links provided in suspicious emails; find the official website or customer support number using a separate browser and search engine.
Spot the signs:
- If they know your email address but not your name, it’ll begin with something like ‘To our valued customer’, or ‘Dear...’ followed by your email address
- Their spelling, grammar, graphic design or image quality is poor. They may use odd ‘spe11lings’ or ‘cApiTals’ in the email subject to fool your spam filter
- The website or email address doesn’t look right; authentic website addresses are usually short and don’t use irrelevant words or phrases. Businesses and organisations don’t use web-based addresses such as Gmail or Yahoo.
- Money’s been taken from your account, or there are withdrawals or purchases on your bank statement that you don’t remember making
Phishing, vishing and smishing are done in many different ways. In the end, the aim is always to trick you into thinking you’re giving personal information or making payments to someone you can trust, such as your bank, a government agency or a business or brand name.
- Report it to Action Fraud: https://www.actionfraud.police.uk/report-a-fraud/how-to-report-a-fraudonline or on 0300 123 2040.