
Phishing: how to avoid this cyber attack

What is phishing?

Phishing is an email-based fraud and a form of social engineering. Fraudsters attempt to manipulate the victim into divulging passwords or sensitive information that will allow them to steal money.

How does phishing happen?

A phishing attack involves a fraudster, posing as a legitimate source, sending emails that aim to trick people into divulging sensitive information or transferring money into other accounts. The emails typically contain a link to a fake website, which will request that you enter financial information, passwords or other sensitive information.

Alternatively, emails may contain an attachment in the form of a document, form or notification. Equally, the email may be designed to contain and deliver malware via an attachment or a link. If the link is clicked or the attachment opened, the criminal will be able to gain access to your system.

Be more like Derek – an office legend

Derek has become an office legend simply by spotting scams and, in turn, saving his company big money. Want to know how he does it? See Derek thwart a fraudster’s attempt at invoice fraud.

How can I prevent a phishing attack? A checklist:
  • Be alert to the style, tone and grammar of emails you receive, especially if the email doesn’t address you by name (e.g. “Dear Sir/Madam”).

  • Never enter any personal or security information on a site accessed through a link in an email.

  • Never click on links or open attachments from senders you are unsure of.

  • On sites that require you to input sensitive information, look for ‘https’ in the website address – the ‘s’ stands for ‘secure’, though be aware that this does not guarantee the website is genuine.

  • Do not assume a sender is genuine because they know information about you / your company or the email address looks familiar – fraudsters are skilled in collecting enough information and can spoof email addresses to make them appear to be from a genuine contact, including someone from your own organisation.

  • Remember that your bank may ask you for some information, but will never ask for your full password or PIN, provide you with details to make a payment, or request that you grant them access to your systems or PC.

  • If you receive a suspicious email purporting to be from Barclays, forward it to internetsecurity@barclays.co.uk then delete it straight away.

  • Make all staff aware of this type of fraud, particularly those that make payments.

A phishing case study

Employees of a client received an email appearing to be from their employer asking them to log into their 'secure portal' in order to find out what their annual bonus figure would be.

The email contained a link to a fake portal that looked like the genuine one, duping employees into thinking they were logging on securely. Fraudsters were able to capture the login credentials of each employee who entered them on the fake portal.

Following this, the fraudsters were able to use these details to log in to the genuine secure portal and change the employees' bank details, so that earnings were paid into the fraudsters' account and transferred away.

What to do if you suspect you’ve received a suspicious email

If you believe you may have fallen victim to a phishing scam, contact us immediately. Our team will try to recover the money from the fraudster’s bank account. The quicker you alert your bank, the greater the chance of recovering the funds.

Report it to ActionFraud – the police’s national fraud and cyber crime reporting centre. Even if you’ve not suffered any financial loss, this will allow the police to analyse trends and help them to prevent fraudsters exploiting other companies. You can file a report via their website at www.actionfraud.police.uk.

If you receive a suspicious email that appears to be from Barclays, please forward it to internetsecurity@barclays.co.uk and then delete it from your email account immediately.

If you are concerned that your organisation is being impersonated following a phishing attack, you can also take the following action:

  • Warn your suppliers/clients that you are being impersonated, and encourage them to verify any correspondence or contact they receive using the number they have on file.
  • Check at Companies House whether there has been any unusual activity, or any companies registered, using your business or directors' names.
  • Consider registering for Protected Online Filing (PROOF).
  • Sign up to the CIFAS Protective Registration service to help protect your personal ID.

If you have any queries, please speak to your Relationship Director.

If you fall victim to fraud on your Barclays payment channels, call the Online Fraud Helpdesk immediately on: 0330 156 0155

Fraudulent attacks, even if unsuccessful, should be reported to Action Fraud by calling 0300 123 2040.
