Today’s takeaway special: Phish

It may be National Fish and Chip Day this Friday (4 June) and while we love haddock, we’re here to discuss a different type of slippery customer – cyber criminals and their phishing scams (no, that’s not a typo).


Cyber criminals are hooked on the method of phishing, where individuals are contacted by email, telephone or text message by someone posing as a legitimate organisation to lure them into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.


For a more targeted approach, attackers use spear phishing: they first gather personal information that is publicly available from social media platforms, company websites or even news stories, then use it to make their message more convincing.


Phishing attacks are now commonly considered the most disruptive type of breach that organisations face: according to the Cyber Security Breaches Survey 2021, 62% of businesses reported this to be the case.


So how can you catch a phish?


Below is a list of key tactics that cybercriminals use in emails when targeting their potential victims.


  • Urgency – “you must do this now”: the attacker is trying to induce panic so that you don’t question the action being asked of you

  • Authority – messages appearing to come from a boss, colleague or company you engage with regularly

  • Mimicry – attackers send messages that exploit your daily habits such as “please review your calendar entry – click here”

  • Curiosity – enticing you with something like “breaking news”


What should I do if I reel in a phish?

  • Think before you click

  • Verify the communication without replying to the message, for example by calling the sender directly using contact details you already hold, not those given in the email or text message

  • Seek advice from an external party


What can I do to protect my business?

  • Staff training – ensure they know about phishing and the tactics used – consider getting your staff to craft a phishing email so they really think about what would make them act

  • Know what information exists about you and your business that would make a phish appear more genuine

  • Consider your technical defences by implementing DMARC, SPF, DKIM and TLS. The NCSC guidance linked below explains these terms and how you can implement them:

      ◦ For SMEs: Phishing attacks: defending your organisation - NCSC.GOV.UK

      ◦ For IT managers: Email security and anti-spoofing - NCSC.GOV.UK

      ◦ DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to help receiving servers confirm the sender’s identity, and tells them what to do with messages that fail those checks

      ◦ SPF (Sender Policy Framework) allows you to publish the IP addresses that should be trusted to send email for your domain

      ◦ DKIM (DomainKeys Identified Mail) allows you to cryptographically sign the emails you send to show they come from your domain

      ◦ TLS (Transport Layer Security) encrypts email in transit between mail servers; make sure your system is capable of sending and receiving email using TLS
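As an added example (not from the article or the NCSC guidance), the following Python audits a domain’s SPF and DMARC TXT records for the weak settings that leave a domain easy to spoof. The `.test` domains and their records are constructed samples and `lookup_txt` stands in for a real DNS query so the script runs offline.

```python
# Added example: rate SPF and DMARC records for weak settings. Not from the article
# or NCSC; DNS is replaced by constructed sample records (the .test domains are not real).

SAMPLE_TXT = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 a mx ?all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:reports@weak.test"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; swap in a real resolver in practice."""
    return SAMPLE_TXT.get(name, [])

def check_spf(domain):
    """Return (rating, reason) based on the qualifier of the 'all' mechanism."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "missing", "no SPF record: any server can claim to send for this domain"
    if len(records) > 1:
        return "invalid", "multiple SPF records; receivers treat this as a permanent error"
    all_terms = [t for t in records[0].split() if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return "weak", "no 'all' mechanism, so unlisted senders are treated as neutral"
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    return {"-": ("strong", "-all: unlisted senders fail"),
            "~": ("ok", "~all: unlisted senders softfail"),
            "?": ("weak", "?all: neutral, spoofed mail is not penalised"),
            "+": ("weak", "+all: every sender passes")}[qualifier]

def check_dmarc(domain):
    """Return (rating, reason) from the p= tag of the _dmarc record."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not records:
        return "missing", "no DMARC record: receivers get no policy for mail failing SPF/DKIM"
    tags = {k.strip().lower(): v.strip()
            for k, v in (kv.split("=", 1) for kv in records[0].split(";") if "=" in kv)}
    policy = tags.get("p", "").lower()
    if policy == "reject":
        return "strong", "p=reject: failing mail is refused"
    if policy == "quarantine":
        return "ok", "p=quarantine: failing mail is sent to spam"
    if policy == "none":
        return "weak", "p=none: monitoring only, spoofed mail is still delivered"
    return "invalid", "missing or unknown p= tag"

def audit(domain):
    """Combine both checks into one report for a domain."""
    return {"spf": check_spf(domain), "dmarc": check_dmarc(domain)}
```

Running `audit("weak.test")` flags both the neutral `?all` and the monitor-only `p=none`, which together mean a forged message from that domain would be delivered unchallenged.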


For those keen to learn more, the Eastern Cyber Resilience Centre business starter membership offers a bolt-on option of a closed half-day staff awareness session, which can also be accessed as a stand-alone service.


Alternatively, our student service provides bespoke corporate and individual internet investigations to understand what information could be used in spear phishing.

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.