What is a phishing attack and how does it work?


Unfortunately, phishing isn’t a misspelling of a relaxing day spent by the water catching fish for your dinner. Rather, it is an online scam where criminals impersonate a legitimate company or business and try to steal personal information via email or text message.

A phishing attack works by convincing a person that the email is legitimately from the company the criminals are pretending to be, and getting the person to click on a link and input personal details that the criminals can then use to access bank accounts or log in to websites and extract further details.

The 5 most common types of phishing:

1. Email phishing

As mentioned above, the criminal will often send an email that looks just like it has come from a legitimate business. However, the domain will not be the official domain: an email claiming to be from HMRC might have come from TaxRefund@HMRCGOV.CO.UK, which looks quite convincing at a quick glance but is definitely not a .gov.uk domain.

Image: email phishing example (reference: Welivesecurity.com)


Top tip:

You should always remember to look at the sender’s address and compare it to the real domain of the company, and never click a link or download attachments if you are not sure.
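
The sender check from the tip above, sketched as an added example (not code from the original article): it classifies a From header against an official domain suffix. The `gov.uk` suffix and `hmrc` keyword follow the article's HMRC example; the function names, result labels and sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

def sender_domain(from_header):
    """Return (display_name, normalised_domain); domain is None if unusable."""
    name, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.strip().rstrip(".").lower()
    if not at or not domain:
        return name, None
    try:
        # Punycode form, so internationalised lookalikes compare as plain ASCII
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return name, None
    return name, domain

def classify_sender(from_header, official="gov.uk", brand="hmrc"):
    """Label a From header: official, lookalike, display-name-only, unrelated."""
    name, domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    # Match on a label boundary: "hmrcgov.co.uk" does not end in ".gov.uk"
    if domain == official or domain.endswith("." + official):
        return "official"
    # Heuristic: strip dots and hyphens, then look for the brand or suffix text
    squashed = re.sub(r"[^a-z0-9]", "", domain)
    if brand in squashed or official.replace(".", "") in squashed:
        return "lookalike"
    # Brand appears only in the friendly name, not in the address itself
    if brand in name.lower():
        return "display-name-only"
    return "unrelated"

# Constructed sample headers; the first address is the one quoted in the article
SAMPLES = [
    "HMRC <TaxRefund@HMRCGOV.CO.UK>",
    "someone@hmrc.gov.uk",
    "refund@hmrc.gov.uk.example.com",
    "HMRC Refunds <billing@example.com>",
    "newsletter@example.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):18} {header}")
```

The From header is controlled by the sender, so this check sits alongside the SPF, DKIM and DMARC results from the mail gateway and does not replace them.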


2. Spear phishing

As the name implies, this technique is more targeted, with the criminals going after specific individuals because they already have some personal information, such as their name, job title and email address. With this information the criminal can pretend to be someone the recipient knows and send a malicious attachment that then allows the criminal to gain further information.

Top tip:

Frequently update your software. If your software provider notifies you that there is a new update, install it right away. The majority of software updates include security improvements that should help to protect you from common attacks. Where possible, enable automatic software updates.

3. Whaling

These attacks are specifically aimed at senior employees, and whilst no fake links or URLs are used, the aim is still the same. A common whaling technique might involve fake tax returns that, if returned, provide the criminal with a lot of sensitive personal information.


4. Angler phishing

A social media variant where the criminals pretend to be someone else and clone posts or tweets, or send direct messages with fake URLs attached. When the person clicks through, malware is installed onto their device, or again they might divulge sensitive information.

Here’s an example of how angler phishing may work:


Image: angler phishing example

Top tip:

Things that can appear genuine, such as a quiz on Facebook or Twitter, might actually be criminals trying to find out details about you. Often as part of the quiz they might ask seemingly normal questions like ‘favourite sports team’, ‘first pet’s name’ or ‘mother’s maiden name’. These are often used by companies as security questions when resetting a password.

5. Smishing and vishing

These sound very strange, but they are simply methods where telephones and smartphones replace emails and social media. Smishing takes place when criminals send malicious text messages which, in the same way as an email, may contain a fake link. Vishing involves a phone conversation where the criminal may try to convince the victim to give up payment details, or more commonly to gain access to the victim’s computer by asking them to go to a specific URL in order to ‘help’ with a problem that was never there.

All these types of phishing can target individuals at work or at home on any device, compromising sensitive company information and making businesses vulnerable to further attacks. It is a good idea to ensure that all employees are aware of these types of attacks, to minimise the chance of someone falling for one, and to make sure that all technological barriers such as spam filters are in place and up to date.

At Windsor Telecom we’re passionate about taking the worry of security away from our customers by handling all their IT security concerns through tailored managed IT solutions. We use premium email security software to ensure that all communications are safeguarded. Our in-house team will proactively monitor your systems to protect you from any emerging scams or attacks and intercept them before they can cause damage. We even simulate a breach of security to understand the level of phishing awareness among your employees and create further awareness of the risk within your business. If this sounds of interest, please get in contact with us.