Phishing workshop notes

    These are some notes related to my phishing workshop at the Milton Keynes Cryptoparty on 1 November.
    Cryptoparty logo

    Phishing handout

    This is the phishing handout I created for the workshop. You can also download a prettier version as a Google Document.

    What is phishing?

    A cyber-attack on your brain. It's a malicious message designed to fool you into handing over your credentials by directing you to a look-alike website.

    How it works

    Phishing attacks often pretend to be:

    • Urgent technical support
    • Important message from your bank, credit card, HMRC
    • Lottery winning
    • "Your account is in violation"

    They're designed to make you panic and act quickly, without thinking.

    The link in the email will take you to a spoof site, where you enter your account details and password. The scammer then steals your money or your identity.

    Spear phishing is worse, as the message may contain your name and email address. It may also appear to come from a friend.

    How to spot a suspicious web address (URL)

    Hostnames are like snail mail addresses: most specific first. You need to read them right to left.

    How to read a URL

    Spoof sites can put a genuine-looking URL at the front

    A suspicious URL

    Beware look-alike mis-spellings

    Can you tell the difference between , , and ?

    The first one is the genuine The second one is , using a capital I instead of a lower-case l. The third uses a Cyrillic (Russian) a instead of a Latin alphabet a.

    How to defeat phishing

    Think critically: expect messages to be attacks
    Legitimate sites won't ask for credentials via email. If you're not expecting a message, think more. Look for bad spelling and grammar, images that are off, and so on.

    You're not too small to be a target
    Cyber-criminals like going for individuals and small businesses: they often have less security than large companies. Cybercrime is often about volume of attacks and hoping some get lucky.

    Check the web address (URL)
    Look for the first / character in the middle address. The text immediately to the left is the domain. Don't start with the https:// . If the address has an @ character or lots of numbers in it, be suspicious.

    Some phishing sites will turn off the address bar. That alone should make you very suspicious.

    Use a spam filter
    They will block a lot of phishing email.

    Use a password manager
    It won't suggest a password if you're not at the genuine site.

    Use a different password for each site. Change passwords if you think you've been a victim.

    Turn on two-factor authentication
    Even if you hand over your password, it may not trigger the second factor.

    If you're suspicious, change your password.

    Don't view images in email. Be wary of links.
    Some phishing emails use scripts embedded in rich-text messages to make attacks harder to spot.

    Links will often go to look-alike sites. Go to the site directly (browser history will help).

    Downloading images tells spammers the message has been read.

    Use site-specific email addresses
    In Gmail and Outlook, use a plus sign after your address: or . All these messages will still go into your main inbox. Use a different tag for each site.

    Then, when you get an email to that says it's from your bank, you know it's almost certainly a phishing attack.

    (You can set up filtering rules for these addresses, if one address gets a lot of spam.)

    Phising quizzes

    How good are you at spotting phishing emails? A fun way to find out is to try some online quizzes. Here's a couple I found that are quite fun. is a great site for all things phishing. Well worth a look around.

    The Centre for the Protection of National Infrastructure has the downloadable quiz I used on the night.

    The National Cyber Security Centre has some good advice for people looking to improve their organisation's anti-phishing resilience.


    The development of this work was supported by the Institute of Coding at the Open University.

    Cover image by unsplash-logoLance Anderson

    Neil Smith

    Read more posts by this author.