How to Stay Safe from Phishing Scammers

As an online tutor on Sherpa, you are part of a community that values security, transparency, and trust. However, cybercriminals constantly evolve their tactics, and phishing scams are a prevalent threat in today’s digital landscape.

These scams often aim to steal sensitive information, such as bank details, or compromise your online accounts - not just on Sherpa.

Here we offer essential guidance to help you recognise and avoid phishing attempts. It includes practical advice on identifying and reporting scams, maintaining security, and understanding Sherpa’s policies regarding tutor communication.

What is Phishing?

Phishing is the act of sending fraudulent messages designed to trick you into revealing sensitive information or clicking harmful links. These messages often look like they come from legitimate sources, but they’re crafted to deceive. Unfortunately, they are relatively common due to their ease of mass distribution.

Phishing works by sending to a large volume of people, hoping a small fraction will take the bait. Hence the name! They likely only need a few people caught at a bad time or unaware of the dangers to succeed in their goals.

Their end goal is usually to access money and quickly transfer it to their accounts. They can also aim to gather personal information, committing identity fraud so they can find more funds or online accounts to gain access to more potential victims.

Sherpa’s Policies: What You Need to Know

Phishing attempts on Sherpa are more likely to target tutors directly. Fake student accounts may pose as potential clients, Sherpa staff or look like a system notifications and request sensitive information, such as bank details, under the guise of account verification or issues with processing payments.

It’s crucial to understand that these are scams, not official communication from Sherpa. Using available public information, scammers can closely imitate our usual correspondence and email addresses linked to our platform and staff.

Sherpa is committed to safeguarding your information and ensuring clear communication. Here are some critical points about our policies:

1. We Will NEVER Ask for Your Bank Details or Passwords

Sherpa will never request that you confirm your password or bank details through email, platform messages, over the phone or via text message. All financial details and transactions on Sherpa are handled securely via our industry-leading payment provider, Stripe.

2. We DO NOT Use the Messages Page for Administrative Contact

If Sherpa needs to contact you regarding your account, we will do so through our verified support channels, such as:

• Live Chat on our website (only from the bottom right corner)
• Our official support email domain (eg. Joe@sherpa-online.com)
• Our phone line: +441628 337 590
• Our SMS text number: +447830 356 842

3. Phishing Should Be REPORTED & IGNORED!

The safest thing to do is ignore suspicious messages. As the name suggests, phishing attempts only succeed if you ‘bite’ and engage with the perpetrator. This could be through clicking a link, downloading a file, or responding to provide personal information to them over a phone call, text or email. In some cases, scammers can also convince you to buy something for them, like a gift card, and send it to them under the guise of someone you trust.

If you’re ever in doubt about a request, reach out to us through previously verified methods to confirm the legitimacy of any communication. You can report platform messages by clicking "Report Conversation" in the conversation page sidebar.

It’s important to note that phishing attempts do not indicate a compromise of Sherpa’s systems or your data. Any specific data scammers may know about you can either be sourced from other data breaches online or found in public directories eg. emails, phone numbers, addresses and in rare cases some banking details. All of which can be leveraged to impersonate a position of trust.

How to Recognise Phishing Attempts

Phishing attempts often share common traits that you can learn to identify. Be on the lookout for:

1. Too Good to Be True Offers: Promises of unexpected rewards, prizes, or money often aim to lure victims. Be sceptical of messages claiming you've won a contest or payment you weren't expecting.
2. Suspicious Links or Files: Emails and messages may contain links leading to fake websites designed to harvest your information. Before clicking any link, hover over it to check the URL. If it's from a new contact, looks unusual or doesn’t match Sherpa’s domain (sherpa-online.com/), do not click. We often use a website called "tally.com" for collecting feedback and our email provider displays links from "sendgrid.com".
3. Urgent or Threatening Language: Phishing emails often create a sense of urgency, claiming that your account will be deactivated or your payments will be withheld unless you act immediately. This is solely to coerce you into immediate action before resorting to reason.
4. Requests for Sensitive Information: Legitimate organisations, including Sherpa, will never ask for sensitive details like bank account numbers, passwords, or payment information in full.
5. Generic Greetings and Grammar Errors: Be cautious of emails that don’t address you by name or contain grammatical errors. These are common signs of fraudulent communication.
6. Unknown Senders: Emails from new, unknown or unexpected senders should be treated with caution. Always verify the sender’s identity without engaging directly with them to ensure it’s from a legitimate source.
7. Different Contact Information: Scammers can often find and use the name of a family member, friend, colleague or superior and create addresses that look legitimate but have small differences, like "sherpa-support@secure.com" instead of "@sherpa-online.com." You can use existing verified channels with the person to confirm if the contact is legitimate.
8. Unexpected Communication Methods: If you usually receive only emails from a company and they call you or send you a text, do not respond or provide any sensitive information.
9. Mismatched Branding: Check for inconsistencies in the message's branding, such as outdated logos, incorrect colour schemes, or formatting issues that don’t match the company’s usual communications.

Best Practices to Stay Secure on Sherpa

Should tutor accounts be compromised through phishing scams outside the Sherpa platform, their students could be at risk of being targeted using the tutor's account and identity. 



Here are some actionable steps you can take to protect yourself and others from potential phishing scams:

1. Verify Before You Click

• If you receive a suspicious email claiming to be from Sherpa, verify its authenticity by contacting us through official channels.
• Do not click on links or download attachments unless you are sure they are legitimate and know the sender well.
• Do not ever feel pressured into engaging further with someone or something they have sent you. Always act on the premise that it is better to be safe than sorry.

2. Be Cautious with Notifications

• Email notifications regarding a message from potential students could include a suspicious link in the message quoted in that email. 
• If a notification email seems suspicious, log in to your Sherpa account directly to verify its authenticity.
• Report any suspicious emails or notifcations to us directly.

3. Secure Your Devices & Browse Safely

• Keep your devices updated with the latest security patches and antivirus software.
• Avoid accessing your Sherpa account or other sensitive information on public or unsecured Wi-Fi networks. These often don’t support safe browsing on sites with built-in security (eg. starting with https://)
• Should your browser warn you that the site you are navigating to can't be done securely, do not bypass this warning. Check the web address you are accessing and ensure you are on a trusted WiFi/internet connection.

4. Enable Two-Factor Authentication (2FA)

• If available, use 2FA on all accounts to add an extra layer of security. This ensures that even if your password is compromised, your account remains protected.

5. Regularly Update Your Passwords

• Use strong, unique passwords for each of your online accounts and change them regularly. 
• Avoid using easily guessed information, such as your name or birthdate that may be easily found elsewhere online. This also applies to including the website name in your password.

Sherpa’s Commitment to Your Security

At Sherpa, we take your security seriously. Beyond addressing phishing incidents, we are continually enhancing our systems to protect against evolving threats. Here are a few ways we’re keeping you safe:

• Secure Payments with Stripe: Your financial information is encrypted and managed by an industry-leading payment provider.
• Regular Security Audits: We conduct routine checks to identify vulnerabilities and strengthen our defences.
• Email & Phone Verification on Signup: This ensures a real phone number and email address are used when signing up to Sherpa.
• Captcha Verification on Signup: This prevents programs automating the signup process to operate at scale.
• Automatic Spam and Phishing Filters for New Messages: This will detect phishing attempts, hide the messages and temporarily disable the user and notify our team to review.
• Community Updates: We ensure that all tutors are informed about potential risks and best practices. We will promptly deal with suspected phishing attempts and contact all of those involved to mitigate any risk.

Resources for Further Learning

To stay informed about cybersecurity threats and prevention, consider exploring these resources:

• Your Banking Provider: If you get scammed online, contact your bank as soon as you realise so they can freeze your account. They can potentially refund money that has been scammed depending on their policy, how it happened and how quickly it was reported. They should have documentation on what number to contact after a scam.
• National Cyber Security Centre (NCSC): Offers tips on staying secure online.
• Action Fraud UK: The UK's national reporting centre for fraud and cybercrime, providing information on how to report phishing scams and access advice.
• Sherpa Help Centre: Your go-to for updates, resources and assistance.

Final Thoughts

Phishing scams can be unsettling to experience, but with the right knowledge and practices, you can protect yourself effectively.

Unfortunately, online phishing is something you are almost certainly going to come across at some point in your life - so it is essential to be well-informed. By staying vigilant, you contribute to a safer community for everyone on Sherpa and the online environment in general.