That should always be your first thought whenever you open any email or text message. Whether you think it’s from a site, or even a person, you trust, count to 3 and ask yourself the following questions:
- Was I expecting this email/message?
- Why is it asking me to click on a link? Does it seem reasonable?
- Does the link look genuine?
- Is there another way I can see what the company or person is trying to send me?
Phishing, or social engineering as it’s now called, has been around for 20 years or so. Scams started out as being pretty blatant – emails from people you’ve never heard of before, often supposedly a member of an overseas royal family who desperately needs some money wired to them to get them out of a sticky situation, and who will reward you handsomely if you do so.
Although those scams still exist, criminals are much more subtle and sophisticated in 2019. They can make emails look very much like they have come, for example, from your own bank or credit card company for a start. They use the logos and fonts you would expect to see; they address you by your formal title, just like a bank would. They include telephone numbers you recognise, and they might even refer to someone you know by name in the body of the message.
Some messages also include information that is personal to you. They might quote your car’s license plate or registration number, or a shop or company that you recently bought something from – the latter one is particularly true if you’ve recently bought something online. Little things, like quoting your post/zip code, or your date of birth can all make the message seem legitimate.
The problem is, with so many hacks and other unauthorised leaks of personal data going on in the background, out of our control, criminals are more likely than ever to have your date of birth, home address, Social Security or National Insurance number … all the things that, not so long ago, only you and a very few select other companies and government organisations used to know.
So let’s look at those questions we asked above in a bit more detail to see if it could help you avoid falling into the criminals’ trap…
Was I expecting this email/message?
This is a tricky one.
If you’ve received a message out-of-the-blue from a friend asking you to click on a link that seems to have no relevance to anything you’ve been talking about, it might be best just to message (separately, not by “replying”) or call them to check they actually sent it.
Receiving messages from financial institutions or other businesses is a more difficult one to work out. There are more obvious examples like if you usually get your monthly bank or utility statement by email, and you’ve already had one for the month at the time you’d normally expect it, and a second one arrives unexpectedly, you should treat that second one with suspicion.
Why is it asking me to click on a link? Does it seem reasonable?
If your “friend” has sent you a message to talk about something, would they naturally include a link in that message in order to start or continue a conversation?
If a “trusted” company sends you a message with a link, it’ll normaily say why they need you to click on it. Does that reason sound genuine or, without even clicking on it, does it seem like an odd way to ask you to do something, or is it an unusual thing for them to ask you to do? If your gut feeling gives you any sense that this is unusual or worrying, then don’t click on the link and contact the genuine company to ask about the email by using contact details you have already used before or by opening a browser and looking up their genuine contact details.
Does the link look genuine?
Although this is by no means fool-proof, you can tell a lot about a link just by hovering your mouse over it, without clicking at all. (This does not work so easily on devices that don’t use a mouse though.)
For example, look at the following two links:
Those two links will open up a new tab and take you to exactly the same place (sadly in the case of the second link!) – it’s safe to click on them as they’ll only take you to the “Glossary” page on this site. If you roll-over each of them with a mouse without clicking, you’ll be able to see the web address that the link will take you to (you might need to look at the bottom of your browser window) – and you’ll see they’re identical.
This is just to show that links can be made to look and say anything.
Try rolling-over this link to see where it might take you …
That would not be a link you would then click on I hope …
The point is, there is a certain amount of investigation you can do just to sense-check whether a link is genuine or not. It’s not fool-proof but, in general terms, genuine businesses with genuine reasons to contact you will tend to use web addresses that are well-known and, conversely, criminals will hide unknown or randomly-generated web address behind links and logos that are made-up to look genuine.
However, please do not rely on this brief investigation alone to make a decision as to whether to trust a link or not. Plenty of fraudulent web addresses will contain the name of the genuine company they are pretending to link to.
Is there another way I can see what the company or person is trying to send me?
At the end of the day, this is what I think of first for every link I am sent in a message.
For example, if my bank appears to have sent me a message asking me to click on a link, I will open up a browser window, type-in the web address I know I can trust for the bank (or look it up on a search engine) and then log-in from there.
So many online bank accounts now use in-house secure messaging, which means you would see any genuine message there – not just via email or SMS.
If it’s an online store telling me to log-in to get a great deal on a set of golf clubs, again I’d open a separate browser window and type the name of the site in and navigate to the golf clubs via the public site to see if they’re on offer.
The best advice is “Don’t click on links in emails or messages” – if you start from that point, you will drastically reduce the risk of giving away your personal details to a criminal or clicking onto a site that drops some nasty malware onto your device.