Avoid: a) contact; b) phishing.

It is impossible to ascertain at first look whether a phishing email is genuine or not.

I was thinking about not posting this week, as many, many of us have rather a lot on our minds at the moment. Like the rest of the UK, our household is in lock-down, and I’m trying to juggle work with the (actually very limited) demands of my two children, alongside my wife. So far, our broadband is holding out, and I’ve worked from home long enough that I’ve managed to get the rest of the family’s remote access issues sorted so far.

But I decided that I wanted to post, because I wanted to issue a warning, in case you’ve missed it elsewhere: watch out for phishing emails.

I try to keep these articles relevant to people who aren’t IT professionals: “technically credible, but something you could show to your parents or your manager”. Given how many parents (not to mention grandparents and, scarily, managers) seem to be going online for pretty much the first time, here’s my first definition of phishing emails[1].

“A phishing email is one which pretends to be from a person or company you trust, trying to get personal details such as logins or bank information, or to install malicious software on your device.”

Here’s my second definition, particularly relevant now.

“A phishing email is one sent by low-lives who are attempting to scam vulnerable, scared people for their own personal gain.”

Many phishing emails look exactly the same as a normal email from the relevant party. To be clear, it is impossible for anyone, even an expert, to ascertain at first look whether a polished and sophisticated phishing email is genuine or not. There are ways to tell, if you’re an expert, by looking in more detail at the actual details of the email, but most people will not be able to tell. I have nearly been caught over the past week, as have one of my kids and my wife. Two that have come round recently were particularly impressive: one from Netflix, and one for the TV licensing authority in the UK. Luckily, I’ve trained my family well, and they knew what to do, which is this:

NEVER CLICK ON ANY LINKS IN AN EMAIL.

There. That’s all you need to do. If you get an email which is asking you to click on a link, a graphic or a picture, don’t do it. Instead, go to the website of the actual company or organisation, or contact the individual who allegedly sent it to you. You should easily be able to work out whether your credit card has been declined, your email account has been suspended, you need to pay extra tax within the next 24 hours (hint: you don’t), your friend is stuck in Tenerife or you have used up all of your phone data. If in doubt, stay calm, don’t panic, and contact a more expert friend[2], and get them to help.

To be clear, it’s easy to get it wrong. I work in IT security, and I’ve been caught in the past: see my article I got phished this week: what did I do? This will also tell you (or your designated expert) what to do in the event that you do click on the link.

And, of course, keep safe.


1 – the word “phishing” is derived from “fishing”, as the emails are “fishing” for your details. The “ph” is a standard geek affectation.

2 – often, but not always, son or daughter, grandson or granddaughter[3].

3 – or one of the people whose manager you are, of course.

Author: Mike Bursell

Long-time Open Source and Linux bod, distributed systems security, etc.. Now employed by Red Hat. マイク・バーゼル: オープンソースとLinuxに長く従事。他にも分散セキュリティシステムなども手がける。現在Red Hatのチーフセキュリティアーキテクト

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s