Phishing is a type of manipulation attack often used to steal user data. This can include personal information about you or a colleague, login credentials or payment details. Find out more about how it works and how you can protect yourself.
1. Attackers will try to target you.
Your data is a valuable commodity to an attacker. You might not think you have anything that someone else would want, but you'd be surprised. First of all, it's a numbers game in many instances: your details will have found their way into a giant database of email addresses, and the attacker will just flood all of them. Secondly, information has value. It's its own currency. So, you might have information that can help build further attacks, or you might have personal data that has its own value. Just because you can’t think of a reason doesn’t mean an attacker can’t.
2. An attack is only successful if it convinces you to take a certain action.
So, what are you being asked to do? Does it feel like you are being pointed in a very specific direction? Does there seem to be a lot of emphasis on you quickly clicking on this link to sort out a pressing problem? Are you being pressed to respond to a question? Is there a sense of urgency, or pressure with this message? These are the instances where it pays to take a moment to regroup and just think about what might be happening.
3. Are you confident you know where this message came from?
This is something we don't consider for a large proportion of the mail we receive daily. Your manager emailing you from a webmail account would be cause for a second look. A colleague within your company sending an email that is flagged as 'External' would be something to double check. Is the domain completely unexpected for the company sending it? These could be red flags. Don't ignore them; take a couple of moments to get the email verified.
4. Are you sure where your information has gone?
Sometimes it's easy to get caught up and reply to an email that didn't feel quite right, or click through and enter your login for something that you were sure should have been single sign-on, and reflect a moment later that it might not have been the right thing to do. Don't ignore it if this happens. It’s important to let your security teams know so they can help. Which brings us on to…
5. Know what to do if you do fall foul of phishing.
If you are suspicious of something, you should report it. The Suspicious Email Reporting Service (SERS) at firstname.lastname@example.org offers an automated service for you to flag what you think to be a suspicious email and prevent others from falling victim to these scams. If you’ve already responded to a suspicious message and have been tricked into providing your banking details, contact your bank and let them know. Your banks, service providers and online messaging providers all have their own dedicated reporting channels you can use to contact them. Additionally, you can let Action Fraud know if you are the victim of online fraud. We also have information here that you can refer to: https://www.quilter.com/about-us/stay-safe/.