Click here to register your interest in signing up to the HMRC MTD ITSA pilot

How to Handle a Phishing Attack

With more of our lives and businesses operating online, it’s becoming increasingly important to protect yourself from malicious attacks and scams.

The number of spam emails quadrupled in 2016, according to IDM Threat Intelligence Index 2017 and email is still the number one delivery method of malware.

One of the most common methods of attacking people is through phishing emails.

What is phishing?

Phishing scams are designed to trick people in handing over usernames and passwords, which can be used to access protected data, networks and systems.

Phishing attacks are becoming increasingly sophisticated, with many fake emails being almost entirely indistinguishable from real ones. Because of this, your approach to security needs to be equally sophisticated.

There are three key elements of a strong anti-phishing policy: detect, prevent, and respond.

Detecting phishing attacks

Unfortunately, there is no way for a business to stop scammers from using their branding on their phishing emails.

There are, however, ways you can detect a scam when it arrives in your inbox.

  • You can hover over any hyperlinks in the email to see the actual hyperlinked address, which may not match. For instance the link may say but actually hyperlinks to a fake address like
  • With web addresses there are two key rules: never log into a non-HTTPs site, and always look for fake addresses that switch letters or contain typos.
  • Emails that contain lots of spelling and grammar mistakes should raise alarm bells. You should, however, be aware that scammers can clone existing emails – which would look identical to professional and authentic emails.
  • Banks and major companies won’t email you to confirm your password, card details or security answers. If you receive an email that asks for personal information, report it.
  • Emails that aren’t relevant to you should be viewed very suspiciously too. For example, receiving an email telling you that you’ve won a competition that you didn’t enter.
  • Always be doubtful when you receive emails that ask you for money, whether that’s for expenses, fees or other costs. Be aware that these requests may come later in the email thread. Even if you have been communicating for some time, you should never consider yourself obliged to hand over money. If you think it’s a scam, cease communications immediately and report the messages.
  • Emails may use tricks, such as free prizes or other rewards, to convince people to hand over money or personal information. Others may use threats, which could be anything from threatening to close your account if personal information is not “confirmed” (given to the scammers), to full-on blackmail.

Make sure you’re familiar with how the DNS naming structure for emails works. The actual domain will be the last part of the email, and any “child” domains will come before it. For example

  • is a child domain of KashFlow, which comes at the end of the DNS name.
  • is a child domain of, which comes at the end of the DNS name.

So if the DNS name ends with any malicious domain, this is the page you will be sent to. It’s a very common scam which often works as people don’t know what to look for.

When you receive a phishing email from a well-known company, or one you interact or work with, these will likely be replicas or completely fake emails from external addresses and not a result of hacking. It can be difficult to spot the difference between replica and real emails though.

If in doubt, contact the company through a different channel to confirm whether the email is authentic or not. You can contact us at the below addresses, using the subject line Phishing Alert.

Preventing phishing attacks from succeeding

Phishing scams are so common that it is essentially a case of when you will be attacked, not if.

With that in mind, it’s important to make sure that you, and all your employees, have proper security training. Make sure everyone in your team is aware of phishing techniques like URL redirects, embedded links and malicious email attachments.

You should do plenty of research on how to detect phishing emails, and make sure everyone in your company knows how to detect a phishing email.

If you want to, you can test your employee’s reaction to phishing emails by sending simulated phishing emails via websites like Phishme, Knowbe4, Phishproof and Phishd.

Training should be regular, and include updates on the latest known scams and phishing techniques. Websites like FraudWatch International list recently validated phishing accounts which can be useful for your general awareness.

Another way to try and prevent phishing attacks from succeeding is to invest in software that can help filter and catch these fake messages.

  • Email security systems can detect phishing emails and prevent them from reaching your inbox. If you receive a phishing email, mark it as junk or spam and train your system to recognise these types of email by itself.
  • Antivirus and endpoint security can potentially block malware before it is downloaded into your system.
  • Introducing Two-Factor Authentication, which requires a second authentication (like a code sent to a mobile phone) for a system to be accessed help diminish the impact of stolen details as the scammer can’t access your system.
  • Browser security can block and scan for malicious webpages, preventing you from entering your data even if you’ve accidentally opened the link.

Responding to phishing attacks

It’s best to handle any emails you’re unsure about cautiously.

If you suffer a security breach, speed is the key to your response. Identify the malicious email and see who has been targeted. If you have a number of employees, you should hold a company-wide review to assess and limit the damage – and also train staff on what mistakes were made so future incidents are prevented.

If you think you’ve opened a malicious link, follow these steps:

  1. Disconnect your device from the internet and any network it is linked to. This’ll reduce the risk of the malware spreading through your system.
  2. Perform a complete scan of your system using your anti-virus software. This can be done offline, so ignore any pop-ups telling you to connect to the internet. If you find any malware, follow the software’s instructions on how to quarantine or remove the malicious files.
  3. Change your details. Often, phishing emails are used to steal personal information like passwords and bank details. If you think you’re at risk, you are best
  4. If you think financial information is at risk, alert your bank that your details may have been stolen so that they can monitor any suspicious activity.

See how IRIS KashFlow works with your business and your books