Jump to content Jump to navigation

Phishing explained

Phishing is a type of identity theft. Online criminals use a fake website to lure people into typing in their user name and password or other security details.


Phishing usually happens in two steps:


A fake email
Scammers send an email out to thousands – maybe even millions – of people. It’s designed to look like it's from a major bank or other large organisation. It uses their logo and font.


The email doesn’t just go to that organisation’s customers. But because it goes to so many people, the criminals know a lot of them will be customers.


The email starts ‘Dear customer’. It says all customers need to confirm their details at the organisation’s website. Then there's a link to click on.


A website
Anyone who clicks on the link in the email goes to a website. It looks just like the organisation’s real site. But it isn't.


The site has an online form for people to type in their details. It'll ask for some general information, and then more private things. Like username and password, bank account details or PIN.


There are lots of different ways of phishing. But they’ll have one thing in common. Anyone unlucky enough to be fooled is likely to end up with a stolen identity or an empty bank account.


How can you spot phishing emails?

They’re not always hard to spot. If you think you've been sent one, look for things like this:


Spelling mistakes and inconsistencies

Scammers behind most phishing attempts often don't have a good grasp of English. So look for spelling mistakes. And check the 'from' address on emails. If it's not from the company named in the email, be suspicious.


A sense of urgency

Sometimes you'll be asked to take action straight away because 'your account will be suspended'.


A generic ‘dear customer’

Emails that don’t use your actual name suggest whoever's behind them has no idea who you are.


Suspect web links

Look for extra letters, numbers and substitutions. The web address might only be different from the legitimate one by a few characters. But it still means you'll be going to a completely different site. For example, the letter 'O' might be replaced with a zero.


Requests for personal information

Think carefully. Would the organisation ask for this in an email?


If you’re in any doubt about where an email's come from, don't do what it asks. If you’re not sure, check with the company involved to see if they really sent it.


Anti-phishing software

Spotting phishing attempts isn't just down to you. Some security software has phishing detection built in.


McAfee Security for O2 Home Broadband filters emails it thinks aren’t genuine. It also has a section called McAfee SiteAdvisor, which tells you whether or not you can trust a website.


How to report a phishing email

It is important that we see examples of phishing emails so we can investigate. Where appropriate we'll take action and close bogus websites down.


Simply create a new email, type 'Phishing' in the subject field, attach the suspicious email and send to phishing@o2.com. Please do not send us any confidential information such as your account details, PINs or passwords by email.