Global Hydrogen & Fuel Cell Education Programme

Avoiding cyber-scams when working from home

Cybercrime
Sharing some security tips given to friends and colleagues by our software/IT team

As you have likely heard, people are taking advantage of the current crisis, and the increase in people working from home, to try and defraud people in new ways online. As well as the usual threat from phishing emails, there are additional risks from us all working from home. This article has an overview of the potential threats, and we are sharing our top tips to help you avoid cyber-scams when working from home.

Think before you click

The main thing to remember is to think before you click on something. If you are in doubt, do ask someone tech-savvy. It is almost always the case that acting rashly and compromising your security creates much more work than checking, so always check if you are in doubt. It also isn’t necessarily easy to spot attempts to compromise your security – sadly smart people are trying to make these attempts look as plausible as possible – so don’t be embarrassed about asking if unsure, even if you think you have made a mistake already. It is always better to know about a potential mistake that might have compromised security.

As always, remember that emails can be spoofed, so they are not necessarily from the address shown. Just because an email says that it is from, for example, security@hsbc.co.uk, that doesn’t mean it has anything to do with HSBC. In many cases there are ways to determine whether an email really is from the organisation it appears to be from (by examining SPF/DKIM/DMARC records and the email headers, for example), so do ask someone tech-savvy for help if you think you need to respond.
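The header check mentioned above can be done by hand, but it is easier to see what "tech-savvy" people look for with a small script. The example below is added here and is not code from the article or from Arcola Energy’s IT team. It reads the Authentication-Results header that a receiving mail server adds (RFC 8601) and reports whether the SPF, DKIM and DMARC results actually back the domain shown in the From: line. The two messages are constructed for the example, and the server name mx.example.net and the simplified alignment rule are assumptions: real DMARC "relaxed" alignment compares organisational domains using the public suffix list.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not taken from the article). The visible From: claims
# hsbc.co.uk, but the receiving server's Authentication-Results header records that
# SPF and DKIM were satisfied for a different domain and that DMARC failed.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=pass header.d=bulk-sender.example;
 dmarc=fail header.from=hsbc.co.uk
From: HSBC Security <security@hsbc.co.uk>
To: someone@example.net
Subject: Urgent: verify your account

Please click the link below.
"""

# A constructed message where everything lines up with the From: domain.
SAMPLE_GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mail.hsbc.co.uk;
 dkim=pass header.d=hsbc.co.uk;
 dmarc=pass header.from=hsbc.co.uk
From: HSBC <noreply@hsbc.co.uk>
To: someone@example.net
Subject: Your statement is ready

Statement attached.
"""


def parse_auth_results(value):
    """Parse an RFC 8601 Authentication-Results value into
    (authserv_id, [(method, result, {property: value})])."""
    value = re.sub(r"\([^)]*\)", "", value)     # drop comments such as (good signature)
    value = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0] if parts else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results.append((method.lower(), result.lower(), props))
    return authserv_id.lower(), results


def aligned(domain, other):
    """Simplified DMARC-style alignment (an assumption of this example): equal, or one
    is a subdomain of the other. Real relaxed alignment compares organisational domains."""
    domain, other = domain.lower(), other.lower()
    if not domain or not other:
        return False
    return domain == other or domain.endswith("." + other) or other.endswith("." + domain)


def assess_message(raw, trusted_authserv):
    """Decide whether the From: identity is backed by SPF/DKIM/DMARC results recorded by
    our own receiving server. Results from any other authserv-id are ignored, because a
    sender can insert an Authentication-Results header of its own."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    verdict = {"from_domain": from_domain, "dmarc": "none",
               "spf_aligned": False, "dkim_aligned": False}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(header))
        if authserv_id != trusted_authserv.lower():
            continue
        for method, result, props in results:
            if method == "dmarc":
                verdict["dmarc"] = result
            elif method == "spf" and result == "pass":
                verdict["spf_aligned"] = aligned(props.get("smtp.mailfrom", ""), from_domain)
            elif method == "dkim" and result == "pass":
                verdict["dkim_aligned"] = aligned(props.get("header.d", ""), from_domain)
    verdict["from_is_authenticated"] = (
        verdict["dmarc"] == "pass" or verdict["spf_aligned"] or verdict["dkim_aligned"]
    )
    return verdict


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)):
        print(label, assess_message(raw, "mx.example.net"))
```

The point of the trusted_authserv argument is that the header is only meaningful when it was written by your own mail server; a message arriving with a DMARC "pass" stamped by an unknown server proves nothing.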

Who’s calling me?

Phone calls can also spoof the calling number, so be suspicious of anyone calling, even if the number appears to be genuine. You should never be asked for your personal password by a person over any communication channel, and you should not be contacted by anyone you do not know asking you to do something with your computer. Be suspicious of anyone claiming to be from your ISP, Microsoft, etc., even if they can apparently give you information that would seem to verify them (a common technique is to ask you to run a generic-looking command and then to tell you the number it returns, implying that it is unique to your computer when it is not). You can always call a number on the company’s website to check that they called you.

Attachment issues

Be careful with email attachments. Make sure you are confident the email really is from someone you trust before opening attachments. Do not bypass warnings about running executable attachments. Installers for online meetings should not come attached to emails, and you must check that links go to the legitimate website (see below for how) before opening them or running the installer.

Be suspicious of links in emails. If you need to enter a password, ideally get to the service you are using via a bookmarked link, or typing the address into your browser, rather than using a link in an email. Check you have not mistyped it if typing it in. Where you do need to use a link in an email, for example to verify your email, make sure that the domain is correct, and you are using HTTPS (see the next paragraph), before entering a password.

Check your connection

To check your connection is encrypted (you are using HTTPS), look for a closed padlock icon in the browser address bar, and https:// (note the s), rather than http:// at the beginning of a URL. Check that the domain is correct. Phishing emails will often use similar domains, or related sounding ones, for example, netwest.co.uk (currently for sale, but the kind of similar domain that could be used) or hsbc-online-banking.co.uk (this website seems to be down, but this domain was presumably registered to defraud people). Remember that links can have text that looks like a URL, but actually be to a different URL. Mousing over a link usually shows the URL in a tooltip or status bar, or you can copy the link (by right-clicking on it and selecting Copy link address) and paste it in Notepad to check it. The domain is usually highlighted, and is the last part before the extension, ending at the first “/”, so, for https://hsbc.online-banking.co.uk/login, the domain is online-banking.co.uk, which does not belong to HSBC (at time of writing).
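To make the domain rule above concrete, here is an added example (not code from the article or from Arcola Energy) that applies the same checks to a link: is it HTTPS, which part of the hostname is the domain that somebody actually registered, does that match the organisation you expect, and does the visible link text (if it looks like a URL) point somewhere different from the real target. The PUBLIC_SUFFIXES set is a constructed, deliberately tiny subset of the public suffix list, and the URL_LIKE pattern and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the public suffix list (https://publicsuffix.org/). A real
# checker loads the full list; this is enough to show how co.uk-style suffixes work.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "ac.uk", "gov.uk"}

# Link text counts as "looks like a URL" if it matches this rough pattern.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


def registrable_domain(hostname):
    """Return the part of a hostname that a registrant actually owns: one label more
    than the longest public suffix. hsbc.online-banking.co.uk -> online-banking.co.uk"""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Suffix not in our list: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def _host_of(text):
    """Hostname of a URL-looking string, adding a scheme if the text has none."""
    text = text.strip()
    if "://" not in text:
        text = "https://" + text
    return urlsplit(text).hostname or ""


def check_link(href, expected_domain, link_text=None):
    """Apply the article's checks to one link: HTTPS, the registrable domain matches
    the organisation you expect, and the visible text (if it looks like a URL) points
    at the same domain as the real target."""
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    target = registrable_domain(host) if host else None
    report = {
        "https": parts.scheme.lower() == "https",
        "hostname": host,
        "registrable_domain": target,
        "matches_expected": target is not None and target == registrable_domain(expected_domain),
        "text_mismatch": False,
    }
    if link_text and URL_LIKE.match(link_text.strip()):
        report["text_mismatch"] = registrable_domain(_host_of(link_text)) != target
    report["safe_to_enter_password"] = (
        report["https"] and report["matches_expected"] and not report["text_mismatch"]
    )
    return report


if __name__ == "__main__":
    # The article's own example: hsbc appears in the hostname, but the domain is not HSBC's.
    print(check_link("https://hsbc.online-banking.co.uk/login", "hsbc.co.uk",
                     link_text="https://www.hsbc.co.uk/login"))
    print(check_link("https://www.hsbc.co.uk/login", "hsbc.co.uk"))
```

Note that the function compares registrable domains, not hostnames, so www.hsbc.co.uk and hsbc.co.uk are treated as the same owner, while hsbc.online-banking.co.uk is not.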

Make yourself secure

Make sure that your home network is secure by using a strong (long and complicated) WiFi passphrase. Do not use an unsecured WiFi network, a default passphrase that is the same for all customers, or a passphrase of your own that is not a strong password. These days most routers come with a random, unique passphrase printed on a label on the router; that is fine to use. Also, do not enable remote access to your router without setting a very strong password to secure it. It is unlikely that remote access to your router is enabled unless you, or someone you live with or have lived with, has enabled it.

Make sure that your device has all the available updates, is using software that is still being updated by the vendor, is securely configured and you are not using an administrative account for day-to-day work. Ask your organisation’s IT team about their policy, or a tech savvy person for help if you are unsure.

You obviously must not disable security software, or prevent updates from being installed for longer than necessary.

Think before granting permissions to files on Google Drive / Dropbox / or other systems, and only grant access to people who you know need access.

Password reset

Remember that your work account password must be strong and unique. It must not be used for anything else, must not be based on a dictionary word, and must contain a combination of upper and lower case letters, numbers and punctuation characters.
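As an added illustration (not code from the article or from Arcola Energy) of what "not based on a dictionary word" means in practice, the checker below applies the rules in the paragraph above and also strips the digits and punctuation people usually bolt onto a word and undoes common letter-for-symbol swaps, so that something like P@ssw0rd2020! is still recognised as "password". The word list is a constructed stand-in for a real dictionary, and the 12-character minimum is an assumption of this example; the article does not state a length.

```python
import re
import string

# Constructed stand-in for a dictionary / known-bad password list; a real check uses a
# much larger list, such as one supplied by the IT team or the password manager.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "hydrogen"}

# Letter-for-symbol substitutions that cracking wordlists already account for,
# so they do not turn a dictionary word into a strong password.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def dictionary_base(password):
    """Strip leading/trailing digits and punctuation, then undo leet substitutions,
    so 'P@ssw0rd2020!' reduces to 'password'. This is a simple heuristic, not a full
    cracking-dictionary comparison."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def check_password(password, min_length=12, previously_used=()):
    """Return the list of policy rules the password breaks (empty list = passes).
    min_length is an assumption of this example; the article does not give a number."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no punctuation character")
    base = dictionary_base(password)
    if base in COMMON_WORDS:
        problems.append(f"based on the dictionary word '{base}'")
    if password in previously_used:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2020!", "correct horse", "Tr4nsf0rm-Kite-Lamp!"):
        print(repr(candidate), check_password(candidate) or "OK")
```

The first candidate satisfies every character-class rule and still fails, which is the point of the "not based on a dictionary word" rule: mixing in symbols does not rescue a word that is on every attacker's list.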

Use a password manager to remember your passwords, for example the one built into your browser or one of the many widely used tools for this, like Bitwarden. Ask your IT team or a tech-savvy friend for advice on choosing one. Do not store your passwords electronically except in a password manager. If you write them down, keep the paper you write them on safe (locked up or on your person).

If in doubt, don’t click.

Resources and further information:

• National Cyber Security Centre’s article on phishing emails

• National Cyber Security Centre’s online training on the basics

This article has been put together by Arcola Energy’s software and IT team. Find out more about Arcola Energy and the future of hydrogen and fuel cell technologies on our website.