Guidance for Organisations on Phishing and Social Engineering Attacks

One way in which risks to the security of personal data arise is through what are known as ‘phishing’ or ‘social engineering’ attacks. These attacks take many forms, for example ‘email spoofing’ (where a cloned or similar-looking email address or display name is used to impersonate a trusted sender), misdirecting users into entering sensitive information on a fake website that closely resembles the legitimate one, or tricking them into downloading harmless-looking but malicious software, often disguised as an email attachment.

This guidance aims to assist controllers in avoiding, and in training their staff to avoid, risks to the security and integrity of the personal data they process. It offers tips on how to spot such attacks, suggested approaches to mitigating the risk of such attacks, and recommendations on how to increase organisational security against these types of attack.

Guidance for Organisations on Phishing and Social Engineering Attacks - Full Guidance Note