What Is Phishing? A Practical Guide for Website Owners

Phishing is one of the most common methods cybercriminals use to steal passwords, financial details and personal data. Most attacks are untargeted, sent in bulk to millions of addresses in the hope that a small percentage will respond. Targeted attacks against specific businesses and individuals, known as spear phishing, are covered later in this post.

The goal is always the same: convince you that you are communicating with a trusted source, then get you to act on that belief.

How phishing works

Phishing takes many forms, from crude mass emails to sophisticated cloned websites and phone number spoofing. Spoofing is the practice of faking a sender address or caller ID to make a message appear to come from a legitimate source. Because of this range, any communication asking for personal information deserves careful scrutiny.

Email remains the most common delivery method. Phishing emails aim to convince the recipient to enter personal information, confirm account credentials or download malware. The volume of emails sent means that even a tiny success rate produces thousands of victims. Most phishing emails are caught by spam filters before reaching your inbox, but enough get through to make the threat real.

That is why checking website addresses and email headers matters. Treat any message asking for passwords or sensitive data with suspicion, regardless of how legitimate it looks.

Preventing phishing attacks

Understanding what a phisher wants is the starting point for defending against them. The goal is to threaten or reassure you into handing over your information, your money or your identity. Preparation is the most effective counter.

Fortune favours the prepared mind.
Louis Pasteur

Deploying software updates promptly could have prevented some of the biggest cyberattacks on record. In early 2017, the NHS suffered an attack it was vastly unprepared for. The WannaCry ransomware infected devices across the organisation, blocking staff from accessing patient records and carrying out normal operations. Although WannaCry was not a targeted phishing incident, malware of this type is most commonly distributed through phishing emails.

A layered approach to protection works better than relying on any single measure. No one tool covers every angle, so combining technical controls with good habits gives you far stronger coverage. The following steps address the most common attack vectors.

Set up SPF and DKIM records for your domain, and add a DMARC record for additional protection against email spoofing.
Route all email traffic through a spam filtering system that labels or discards phishing attempts before they reach recipients.
Educate yourself, your staff and anyone else who uses your systems about what phishing looks like.
Keep devices updated to protect against known vulnerabilities that malware exploits.
Use an authenticator app for two-factor authentication rather than SMS, which is more vulnerable to interception.

A system is only as strong as its weakest point. The best spam filter in the world will not protect you if your password is weak or you are not paying attention to what you click.

Identifying a phishing message

Being able to recognise a phishing attempt before you engage with it is the most reliable form of protection. Attackers rely on urgency, so messages that pressure you to act immediately are a common warning sign.

Example phishing email claiming a user's disk space is critically low, with a prompt to act immediately — An example phishing email using urgency to prompt action.

We have intercepted phishing messages claiming to be from cPanel, telling recipients that their disk space is critically low and that they must act immediately. At Unlimited, we do not apply disk quotas and will never contact you in this way.

These emails direct you to click a link leading to a cloned website, where you are prompted to enter your login credentials. The emails are not sent from our domain. If you receive a message like this and are unsure whether it is genuine, contact our support team before clicking anything.

Campaigns like this are not targeted at specific individuals. They are sent to generic addresses such as info@yourdomain.tld in bulk. The only URL that will ever be used alongside your Unlimited login credentials is:

https://www.unlimitedwebhosting.co.uk/client/login

Spotting fake URLs

Even when you are being careful, some attacks are designed to fool a quick glance. In targeted attacks, fake websites are sometimes set up using a homographic attack, where the URL looks identical to a legitimate address but contains substitute characters.

For example, these two URLs are designed to resemble ours but would lead to malicious websites:

https://unlimitedwebh໐sting.co.uk/client/login

https://⋃nlimitedwebhosting.co.uk/client/login

Browser address bar showing a punycode URL that visually resembles a legitimate domain — How punycode characters can make a fake URL look genuine in the address bar.

Nominet, which controls .uk domains including .co.uk, .org.uk and .gov.uk, has restricted which substitute characters can appear in domain names, which limits this type of attack for UK-registered domains. Always check the full URL in your browser’s address bar before entering any credentials.

Spear phishing: targeted attacks

Spear phishing is a more targeted form of the attack. Rather than sending generic messages in bulk, attackers use publicly available information to tailor emails to a specific person or organisation. This makes the message harder to dismiss as obvious spam.

Example spear phishing email using minimal content and a sense of urgency to prompt a reply — A spear phishing example: minimal content, high urgency, designed to prompt a reply from a personal device.

The example above shows how a spear phishing email can evade detection by containing very little content while still creating pressure to respond. By prompting the victim to reply from their personal device, the attacker bypasses workplace security measures entirely. There are many variations on this approach, but the underlying tactic is the same: use just enough personalisation to appear credible.

What to do if you are targeted

Phishing happens in stages. The first is the message itself. If you receive a suspicious email or attachment through our service, report it to us. You can also report phishing emails directly to the NCSC.

Do not click links in suspicious messages or enter any personal information on sites you reached through an unsolicited email. If you have already clicked a link or downloaded an attachment, act quickly. Secure any affected devices and accounts with privileged access, and consider contacting an information security professional to check for malware.

If you have entered financial details into a malicious site or lost money to a phishing scam, report it to Action Fraud as soon as possible.

Phishing attacks are not going away, and the techniques used are becoming harder to detect. Staying informed, keeping software current and treating unexpected requests for credentials with suspicion are the most reliable defences available.

If you are looking for hosting with security built into the infrastructure, take a look at our secure hosting options.

If you receive a suspicious message that appears to come from Unlimited, or you are unsure whether a communication is genuine, get in touch with our team before taking any action.