The most common scam messages and how to spot them

In the article about phishing we explained the theory. Now let us break down the specific messages that really land in people’s inboxes. Attackers keep changing them, but the principle is always the same: trigger an emotion (fear, curiosity, greed) and make you click before you think. Once you recognise these patterns, you will rarely fall for them.
“Your parcel is waiting for delivery”
The most widespread scam of recent years. An SMS or e-mail arrives in the name of the post office or a courier (post, Packeta, GLS, DHL): the parcel is supposedly stuck and you need to pay a small fee (say two euros) or confirm your address. The link leads to a fake page where you enter your card details. Those “few euros” are merely a pretext to make you reveal your card number.
How to spot it: you are not expecting any parcel, or you know that a surcharge on an ordinary delivery is never paid through a link in an SMS. The post office never asks you for a surcharge through a link.
“We have detected an unauthorised login to your account”
A fake message from the “bank” or a payment service: your account is supposedly at risk, your card has been blocked, you need to log in and verify your identity. The link leads to a page that looks like internet banking, but the password you type goes to the attacker.
How to spot it: a bank will never ask you to log in through a link in a message. Always go to your bank manually, through the app or an address you type yourself.
“Congratulations, you have won an iPhone”
A play on greed and curiosity. You have won a phone or a voucher, or an “admirer” or a “lawyer about an inheritance” is writing to you. To claim the prize you are asked to pay a fee or fill in personal details.
How to spot it: you cannot win a competition you never entered. No legitimate prize requires you to pay something first.
“Your account will be closed”
A message in the name of Microsoft, Google, Facebook or Netflix saying your account or subscription will expire or be cancelled unless you confirm your details right away. The goal is again a fake login page and your password.
How to spot it: an urgent deadline and the threat of cancellation. Log into the service yourself, not through the link, and you will see there is no problem.
One rule that applies to all of them
Attackers count on you acting fast. A single habit will protect you from the vast majority of scams:
Never log in or pay through a link in a message. Go to the website or app yourself.
Add two-factor authentication on your important accounts. Even if the attacker gets your password, without the second step they cannot get in. These tricks are a form of social engineering, that is manipulation rather than hacking, so the best defence is you yourself.
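The rule above, written out as a small message check (an added example, not part of the original article): a message gets the verdict "stop" only when it both contains a link and asks you to log in, pay or confirm something. The keyword lists, sample messages and .example addresses are constructed for illustration; this is a teaching aid, not a spam filter.

```python
import re

# Constructed keyword patterns, one per scam type described in the article.
LURES = {
    "parcel fee": r"parcel|delivery|courier",
    "bank alert": r"unauthori[sz]ed login|card (?:has been|is) blocked|verify your identity",
    "prize": r"you have won|congratulations|inheritance|voucher",
    "account closure": r"will be (?:closed|cancell?ed)|subscription will expire",
}
LINK = re.compile(r"(?:https?://|www\.)\S+")
ACTION = re.compile(r"\b(?:pay|log ?in|sign in|confirm|verify|fill in|enter)\b")
URGENCY = re.compile(r"\b(?:right away|immediately|urgent|today|within \d+ hours?)\b")

def triage(message):
    """Score one message against the article's warning signs."""
    text = message.lower()
    has_link = bool(LINK.search(text))
    body = LINK.sub(" ", text)  # judge the wording, not words inside the URL
    lures = [name for name, pat in LURES.items() if re.search(pat, body)]
    asks_action = bool(ACTION.search(body))
    urgent = bool(URGENCY.search(body))
    if has_link and asks_action:
        verdict = "stop"      # breaks the one rule: login or payment via a link
    elif lures or urgent:
        verdict = "caution"   # familiar lure, but nothing to click and fill in
    else:
        verdict = "ok"
    return {"verdict": verdict, "lures": lures, "link": has_link,
            "asks_action": asks_action, "urgent": urgent}

# Constructed sample messages; the .example hosts are placeholders.
SAMPLES = [
    "Your parcel is waiting for delivery. Pay the 2 EUR fee here: http://post-fee.example/pay",
    "We have detected an unauthorised login to your account. "
    "Log in to verify your identity: https://bank-secure.example",
    "Congratulations, you have won an iPhone! Fill in your details at www.prize.example",
    "Your account will be closed unless you confirm your details right away: "
    "https://account-check.example",
    "Your parcel was delivered to the pickup point today.",
    "Lunch at noon on Friday?",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = triage(msg)
        print(f"{result['verdict']:8} {result['lures']} :: {msg[:50]}")
```

All four scam types from the article end in the same "stop" verdict, while the delivery notice without a link is only marked "caution".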
When you are not sure
If a suspicious message arrives and you cannot tell whether it is genuine, do not open or fill in anything and ask instead. We will gladly advise you, assess the message, and if you have already entered your details, we will help secure your device and accounts and limit the damage.