The Phishing threat following data breaches

Created:  18 Nov 2016
Updated:  18 Nov 2016
The issue, impact and mitigation of phishing following data breaches.

Key Points

  • Recent reporting of data breaches affecting customers in the UK reminds us of the threat from phishing
  • Data from breaches is often sold to criminal groups who use the details to craft phishing emails
  • Members of the public who believe their details may have been stolen should be extra vigilant of emails asking them to provide personal details, including credentials and passwords.


This report draws on open source information, as well as information derived from industry sources.  It sets out an assessment of cyber threat along with customer advice. The events reported have not been independently corroborated; however the widespread open source coverage and industry reports provide a basis for this assessment.


1. Phishing attacks are one of the most prolific and effective forms of cyber attacks as criminals exploit data breaches, current affairs, seasonal events and social media to craft seemingly personal and legitimate emails.

2. Recent reporting of data breaches highlights the need for individuals who believe their data may be compromised to remain vigilant to phishing emails.

3. Data breaches are a recurrent theme in cyber security and are often not discovered or reported until long after the initial breach. Therefore even individuals who may not have been affected by the breaches reported this week should be vigilant to the threat of phishing attacks.  

4. Some examples might include:

  • An email claiming to be from a bank requesting you log in to verify your account due to fraudulent activity that has taken place; the link provided directs to a website that looks similar to the genuine site and which stores your genuine details once you enter them.
  • An email stating that you have been charged for a service you didn’t use, with an attached document that is supposed to be an invoice; upon opening the attachment malicious code then installs on the computer without the user’s knowledge.


5. It is highly likely that victims of a data breach will receive targeted phishing emails using stolen personal information to make the email seem legitimate.

6. It is likely that customers of an organisation which has suffered a data breach may be targeted with phishing emails, regardless of whether their details have been compromised. This is because criminals take advantage of events in the news and so may target any customers of a breached organisation with phishing emails using a subject line regarding the breach.

7. It is highly likely that attackers are seeking financial gain. This could be through direct means such as tricking victims into sending money or downloading malware designed to steal financial credentials. Alternatively they could seek to monetize the attack indirectly, by stealing information which is then sold on and could be used to facilitate further attacks.


8. A phishing email will typically contain a malicious attachment or a link to a malicious website. As well as awareness, the best defence is to make sure that your devices and software are kept up to date. We recommend the following guidance:

9. Whilst phishing emails are designed to be difficult to spot, there are some checks which users can employ in order to identify the less sophisticated campaigns:

  • Sender. Were you expecting this email? Not recognising the sender isn’t necessarily cause for concern but look carefully at the sender’s name – does it sound legitimate, or is it trying to mimic something you are familiar with?
  • Subject line. Often alarmist, hoping to scare the reader into an action without much thought. May use excessive punctuation.
  • Logo. The logo may be of a low quality if the attacker has simply cut and pasted from a website. Is it even a genuine company?
  • Dear You. Be wary of emails that refer to you by generic names, or in a way you find unusual, such as the first part of your email address. Don’t forget though, your actual name may be inferred by your email address.
  • The body. Look out for bad grammar or spelling errors but bear in mind modern phishing looks a lot better than it used to. Many phishing campaigns originate from non-English speaking countries but are written in English in order to target a wider global audience, so word choice may be odd or sound disjointed.
  • The hyperlink/attachment. The whole email is designed to impress on you the importance of clicking this link or attachment right now. Even if the link looks genuine, hover the mouse over it to reveal the true link. It may provide a clue that this is not a genuine email. If you are still unsure, do not click the link – just open a webpage and log onto your account via the normal method. If it appears to be from a trusted source, consider phoning the company’s customer service, but never follow the email’s instructions. Be aware that some companies operate policies stating they will never include links in emails and will never ask for personal information. Again, if in doubt, open a browser and check – and do not open attachments.
  • Signature block. The signature block may be a generic design or a copy from the real company.
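
Three of the checks above (subject line, "Dear You" and the hyperlink) can be automated on a mail gateway or in a triage script. The following is an added example, not part of the original guidance; the sample message, the .example domains and all function names are constructed for illustration, and it assumes a single-part HTML message.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email; .example domains).
SAMPLE = """From: Example Bank <security@examplebank.example>
To: jsmith84@mail.example
Subject: URGENT!!! Your account has been suspended
Content-Type: text/html

<p>Dear jsmith84,</p>
<p>Log in at <a href="http://login.verify-account.example/s">www.examplebank.example</a> now.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what 'hovering' would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_indicators(raw, recipient):
    msg = message_from_string(raw)
    body, found = msg.get_payload(), []
    if re.search(r"[!?]{2,}", msg.get("Subject", "")):
        found.append("subject: excessive punctuation")
    names = "customer|user|" + re.escape(recipient.split("@")[0])
    if re.search(r"\bdear\s+(%s)\b" % names, body, re.I):
        found.append("greeting: generic or taken from email address")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        # Compare only when the visible text itself looks like a URL or hostname.
        looks_like_url = re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I)
        if looks_like_url and host(text) != host(href):
            found.append("link: shows %s, goes to %s" % (host(text), host(href)))
    return found
```

As with the manual checks, these heuristics only flag the less sophisticated campaigns; an empty result does not mean a message is genuine.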

