Spot phishing emails
You’ll need
- Copies of the phishing email examples
Before you begin
- Use the safety checklist to help you plan and risk assess your activity. There's also more guidance to help you carry out your risk assessment, including examples.
- Make sure all young people and adults involved in the activity know how to take part safely.
- Make sure you’ll have enough adult helpers. You may need some parents and carers to help.
Planning and setting up this activity
- If unsure about cyber security knowledge, you can use the National Cyber Security Centre (NCSC) resources and improve your skills before running the activity.
- Have a printed or written copy of the example emails for each team.
- Alternatively, you could create your own emails.
- Use a strong and different password for your email: Combining 3 random words that each mean something to you is a great way to create a password that is easy to remember but hard to crack. You should use a different password for each of your accounts, particularly your email account.
- Consider using a Password Manager: A password manager can store all your passwords securely, so you don’t have to worry about remembering them, helping you to use strong, separate passwords for all your important accounts.
- Enable Two-Step Verification (2SV): Aim to use Two-Step Verification (2SV) wherever possible. This can involve entering a code that’s sent to your phone or email, as well as your password. It’s often also known as Two-Factor Authentication or Multi-Factor Authentication (MFA).
- Keep software regularly updated: Regularly update your operating system, apps and antivirus software to protect against the latest threats. Cybercriminals, often known as hackers, make use of and benefit from weaknesses in outdated software to steal information.
- Look out for phishing and scams: For emails, messages or texts, always avoid using suspicious links or downloading attachments from unknown sources. Phishing emails, messages and texts often look legitimate, but their aim is to steal your information. They often use suspicious URLs or email addresses, use bad spelling and have bad formatting.
- Back up data regularly: Always back up your most important files stored in a secure location, such as on an external hard drive or in cloud storage. This helps to protect you from data loss if there’s malicious software (such as viruses, worms, spyware) or hardware failures.
- Educate others: Make sure you stay informed about the latest cybersecurity threats and how to protect yourselves from them. It's always good to tell your friends, family and loved ones about them too.
- It’s important to check what information we may unknowingly be giving to criminals. Criminals use publicly available information about you to make their phishing emails appear convincing. It’s important to regularly review your privacy settings and think about what you post. Be aware what your friends, family and colleagues say about you online, as this can also reveal information that can be used to target you too.
- If you’ve received an email that you’re not quite sure about, forward it to the NCSC's Suspicious Email Reporting Service (SERS): report@phishing.gov.uk.
- If you’ve received a text that you’re not quite sure about, forward suspicious text messages to 7726 for free.
- If you've been tricked into providing your password, you should change your passwords on any of your accounts which use the same password.
- Contact Action Fraud if you think you’ve lost money or been hacked because of an online scam or fraud and you’re in England or Wales. You can report it online or call 0300 123 2040. If you’re in Scotland and you’ve lost money because of an online scam or fraud, you can report the crime to Police Scotland.
Running this activity
- Gather everyone together and ask the young people if they have heard of phishing. It's pronounced like fishing. Phishing is when criminals use scam emails, text messages or phone calls to trick their victims. The aim is often to make you visit a website, which may download a virus onto your computer, or steal bank details or other personal information.
- Discuss if anyone has, or the people they live with have, ever had these types of texts, calls and emails, and why it’s important to be able to recognise phishing attempts.
- Ask everyone to get into small groups and give each group a copy of the emails. Each group needs a full set.
- Each group should work together to cut out and put the emails into two piles, which are phishing attempts and non-phishing attempts.
- Next, they should go through and highlight or circle the red flags that make them think they are phishing emails. They could also do this to show what makes them think the non-phishing emails are genuine.
- Now, ask if anyone knows, or can guess, any of the common signs of phishing emails. They are:
- Urgency: The email tells you to act quickly. For example, it may say 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately'.
- Emotion: Does the message make you panic, fearful, hopeful or curious? The email may have details of heavily discounted concert tickets only offered for a limited time, or make you think something bad will happen if you don’t respond to the email.
- Suspicious sender: The email comes from an unusual or unknown email address. It might also be mimicking a well-known brand, but with spelling mistakes, casual language or an email address you haven’t seen before from that brand.
- Asks for personal or payment information: An email could say that “payment information is invalid” or “personal information is inaccurate” and it must be resent by replying to the message or via a link in the email. Sometimes it is obvious that you have not purchased anything, but cyber attackers are getting more savvy and the email may come from what seems like a ticket provider, for some tickets you have already purchased. This happens with official sources as well, like your bank. Your bank (or other official sources) should never ask you to supply personal information by email. Check and call them directly; do not reply or click on links in the emails.
- Links and attachments: The email includes suspicious, unexpected links or attachments, such as an invoice for payment.
- Lots of errors: The message or email address may contain lots of spelling mistakes and/or use incorrect grammar. Some may create official-looking emails by including logos and graphics, but the design and quality are poor, out of date or not quite as you’d expect.
- Unexpected prizes or unbelievable offers: If it sounds too good to be true, it probably is. It's very unlikely that someone will offer you designer shoes for £10, discounted headphones, or codes to access films for free. Some other examples are winning a brand-new iPhone (especially when you didn’t enter a competition), receiving a government refund or submitting personal information to get a free £750 voucher.
- Make sure that the group have been told or have guessed all the signs of phishing. For younger groups, you could write out or print out, then hide each of the different bullet points around the space for people to find in a treasure hunt, then gather back together and have people read them out.
- Now, let the groups review their two piles. Are there any signs of phishing that they’ve missed, or do they want to swap any of the emails into their other pile?
- When everyone’s finished, gather back together as a big group and see what answers everyone had. Did everyone get the same answers?
- You could ask anyone who is happy and comfortable to explain why they identified certain emails as phishing.
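If you want to show the group that the red flags above can be checked mechanically, the following is an added example (not part of the Scouts activity or the NCSC's own material) that scores two constructed sample emails against the signs listed above. The sample emails, the keyword lists and the "two or more flags means phishing" threshold are all assumptions made for the demonstration.

```python
import re

# Constructed sample emails for the demonstration (not taken from the activity sheet).
SAMPLE_EMAILS = [
    {"sender": "alerts@examp1e-bank.com", "claimed_brand": "ExampleBank",
     "subject": "URGENT: verify your account within 24 hours",
     "body": "Your payment information is invalid. Click here immediately: "
             "http://examp1e-bank.com/login",
     "attachments": ["invoice.exe"]},
    {"sender": "info@scouts.org.uk", "claimed_brand": "Scouts",
     "subject": "This month's activity ideas",
     "body": "Here are some activity ideas for your next meeting.",
     "attachments": []},
]

# Keyword lists are assumptions chosen to mirror the red flags on the page.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "act now")
PERSONAL_INFO_WORDS = ("password", "payment information", "bank details",
                       "card number", "personal information")
TOO_GOOD_WORDS = ("free", "won", "prize", "voucher", "refund")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".zip")


def _has_any(text, words):
    """Whole-word match so 'free' does not fire on 'freedom'."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words)


def red_flags(email):
    """Return the red-flag categories from the page that one email triggers."""
    text = (email["subject"] + " " + email["body"]).lower()
    flags = []
    if _has_any(text, URGENCY_WORDS):
        flags.append("urgency")
    sender_domain = email["sender"].split("@")[-1].lower()
    # Suspicious sender: brand name missing from the domain, or digits swapped
    # in to mimic letters (look-alike spelling).
    if email["claimed_brand"].lower() not in sender_domain or re.search(r"[0-9]", sender_domain):
        flags.append("suspicious sender")
    if _has_any(text, PERSONAL_INFO_WORDS):
        flags.append("asks for personal or payment information")
    if re.search(r"https?://", text) or any(
            a.lower().endswith(RISKY_EXTENSIONS) for a in email["attachments"]):
        flags.append("links and attachments")
    if _has_any(text, TOO_GOOD_WORDS):
        flags.append("unbelievable offer")
    return flags


def classify(email, threshold=2):
    """Sort into the activity's two piles; threshold is an assumption."""
    return "phishing" if len(red_flags(email)) >= threshold else "probably genuine"
```

A single flag (one link in an otherwise ordinary email) is common in genuine mail, which is why the pile decision waits for two; the group can argue about whether that threshold is right.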
Let us know how it went:
Our supporter, the National Cyber Security Centre (NCSC), is keen to know how much you have learned about cyber security. If you’re happy to take part in their review, please ask your group these questions and send their answers to the NCSC using our Microsoft form.
You’re going to read out a set of statements and everyone must decide if they Agree, Disagree or are Unsure. You could do this in lots of ways. You could use a thumbs up, thumbs down and thumbs in the middle. You could go round in a circle and ask people to say their answer, or you could set up three labelled areas for people to move between to show their answer. You will then report what the majority of the group answered.
You may wish to run this before and after the activity to see what people have learned during the session.
Reflection
This activity was all about recognising phishing attempts. Has anyone ever had these phishing emails or texts before? What did you do? What would you do now? What’s one thing you’ve learned that you’d tell someone else?
Can you remember the common signs of phishing emails? Was there anything that you didn’t expect? There can be lots of signs of phishing and they can sometimes be convincing or be different to what you’ve seen before. Who do you think is most likely to be caught by emails like this and why?
What should you do if you receive an email that seems suspicious? If you’ve received an email that you’re not quite sure about, forward it to the NCSC's Suspicious Email Reporting Service (SERS): report@phishing.gov.uk. If you’ve received a text that you’re not quite sure about, forward suspicious text messages to 7726 for free.
Does anyone have any other tips for staying safe online?
Safety
All activities must be safely managed. You must complete a thorough risk assessment and take appropriate steps to reduce risk. Use the safety checklist to help you plan and risk assess your activity. Always get approval for the activity, and have suitable supervision and an InTouch process.
- To make this activity easier, you could discuss the emails together as a group.
- To make this activity harder, you could ask the young people to create their own phishing email. You should encourage them to use some of the red flags they learned about. They should be creative and make their email as convincing as possible while including common signs of phishing. They can then swap their email with another group and see if they can spot all the phishing signs.
- People who struggle with making choices could find all the options a bit overwhelming, so they might need extra support or to work with a young leader/volunteer.
All Scout activities should be inclusive and accessible.
If you enjoyed this activity, check out our others on cyber security or encourage the young people to check out the fun resources from the National Cyber Security Centre, such as Cyber Sprinters, the award-winning interactive online security resource for 7-11 year olds, or Cyber Navigators, an interactive online security resource for 11–14 year olds all about how to stay secure online.