Weekly Cyber Special: Salty catphish

Updated: Jun 7

It was National Fish and Chip Day on Friday and as much as we love haddock, we’re here to discuss a different type of slippery customer – cyber criminals and their phishing scams (no, that’s not a typo).


Cyber criminals are hooked on the method of phishing, which sees individuals being contacted by email, telephone or text message by someone posing to be from a legitimate organisation (sometimes even as colleague at the business they work for). The idea is to lure them into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.


Sometimes a technique with a more targeted approach called spear phishing is used by hackers to gather personal information that is available publicly on the likes of social media platforms, company websites, or even online news stories.


According to the Cyber Security Breaches Survey 2021, phishing attacks are in fact now commonly considered to be the most disruptive types of violation to an organisation, with 62% of businesses reporting this to be the case.



How to catch a phish


Below is a list of key words and phrases that cybercriminals often use in emails when targeting their potential victims.


Urgency. “You must do this now” – here the attacker is trying to induce panic so that you don’t question the action being asked of you.


Authority. Messages appear to come from a boss, colleague or company you engage with regularly.


Mimicry. Attackers send messages that exploit your daily habits such as “please review your calendar entry. Click here.”


Curiosity. Enticing you with something like “breaking news”.


What should I do if I reel in a phish?


· Think before you click


· Verify the communication without replying to the message, instead call the person who apparently sent it directly and don’t use the information in the email or text message


· Seek advice from an external party


What can I do to protect my business?


· Staff training – ensure they know about phishing and the tactics used. Consider getting your staff to craft a phishing email so they really think about what would make them act


· Know what information exists about you and your business that would make a phish appear more genuine

· Consider your technical defence by implementing DMARC, SPF, DKIM, TLS. To read the NCSC guidance about these terms and how you can implement them click on the links below:


For SMEs: Phishing attacks: defending your organisation - NCSC.GOV.UK


For IT managers: Email security and anti-spoofing - NCSC.GOV.UK


DMARC (Domain-based Message Authentication, Reporting and Conformance) is a system which helps confirm the sender’s identity


SPF (Sender Policy Framework) allows you to publish IP addresses which should be trusted for your domain


DKIM (Domain Keys Identified Mail) allows you to cryptographically sign emails you send to show it’s from your domain


TLS (Transport Layer Security) ensures your system is capable of sending and receiving email using TLS.


The Cyber Resilience Centre for Wales offers closed, half-day security awareness training for staff as a business starter membership bolt-on and is also available as a standalone service.


Alternatively, our student services options include bespoke corporate and individual internet investigations to understand what could be used in spear phishing.





The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.