Online Security

Email and online security — staff guidance

Practical guidelines to help you recognise threats, protect your account, and keep WEA's communications and data safe.

1. What is phishing?

Phishing is when an attacker sends a deceptive email designed to trick you into clicking a malicious link, downloading malware, or handing over login credentials or sensitive information.

Attackers often impersonate people in authority — senior leaders, IT staff, or well-known organisations — because it makes the email feel legitimate and urgent. At WEA, we are particularly at risk of emails impersonating the Secretary General or other senior figures, since many staff are accustomed to responding quickly to requests from leadership.

Modern phishing emails can be extremely convincing. They may display the correct name, profile photo, and even use language that sounds familiar. The display name is not proof of identity — only the underlying email address is, and that too can sometimes be spoofed.

2. How to spot a phishing email

No single sign is definitive, but the following are common warning indicators:

  • False urgency: pressure to act immediately. "Respond now," "This is confidential," "Do not forward." Urgency is a manipulation tactic.

  • Wrong sender address: slightly off email address. E.g. [email protected] instead of [email protected]. Always check the actual address, not the display name.

  • Unusual request: out-of-character ask. Requests for gift cards, wire transfers, passwords, or sensitive data — even from a known name.

  • Suspicious links: URLs that don't match. Hover over any link before clicking. If the URL shown doesn't match where it claims to go, do not click.

  • Poor quality: grammar or tone issues. Unusual phrasing, spelling errors, or a tone that doesn't match the person it claims to be from.

  • Unexpected attachments: files you didn't ask for. Particularly .zip, .exe, .docm files or PDFs from unknown senders. Do not open without verifying.
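For whoever reviews forwarded messages, three of the indicators above (wrong sender address, links that don't match, unexpected attachments) can be checked mechanically. The Python below is an added example, not part of the original guidance; the domain example.org, the name "Jane Doe" and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"             # assumption: placeholder for the organisation's domain
PROTECTED_NAMES = {"jane doe"}         # assumption: constructed senior-leader display name
RISKY_EXT = (".zip", ".exe", ".docm")  # attachment types named in the guidance

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^(?:https?://)?([^/\s:]+)', re.I)

# Constructed sample: trusted display name, lookalike domain, link text that hides the real target.
SAMPLE = """From: "Jane Doe" <jane.doe@examp1e.org>
To: staff@example.org
Subject: Urgent - confidential
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Review now: <a href="http://login.example.net/doc">https://drive.example.org/doc</a></p>
"""

def host(text):
    """Return the host part of a URL or URL-like string, lowercased."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else ""

def indicators(raw):
    """Return the warning indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Display name of a protected person, but the address is not on the org domain.
    if name.strip().lower() in PROTECTED_NAMES and domain != ORG_DOMAIN:
        found.append("display-name-mismatch")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            found.append("risky-attachment")
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in LINK_RE.findall(body):
                shown = host(re.sub(r"<[^>]+>", "", text))
                # Only compare when the visible text itself looks like a host name.
                if "." in shown and shown != host(href):
                    found.append("link-mismatch")
    return found
```

A hit is a reason to verify through a separate channel, not proof of phishing, and an empty result does not make a message safe.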

3. If an email lands in your spam folder — stop

Your email system filters messages for a reason. If an email has been marked as spam, treat it as suspicious by default — even if the sender appears to be a colleague or senior leader.

DO NOT

  • Click on any link or button within it

  • Open any attachments

  • Reply to the email

  • Move it to your inbox without verifying

  • Assume the spam filter made a mistake

INSTEAD

  • Contact the apparent sender via WhatsApp or phone to ask if they sent it

  • Forward it to James for review before taking any action

  • Report it as phishing in Gmail (three-dot menu → "Report phishing")

  • Delete it if confirmed as spam

4. What to do if you receive a suspicious email

Follow these steps if you are unsure whether an email is genuine:

Do not click anything. Not links, not buttons, not attachments. Even clicking an "unsubscribe" link in a phishing email can confirm your address to attackers.

Check the sender's email address. Click on the sender's name in Gmail to reveal the actual address. Does it match what you would expect? Even one character difference is a red flag.

Verify independently. Contact the apparent sender directly via WhatsApp, a phone call, or a new email you compose yourself (not a reply). Do not use any contact details provided in the suspicious email.

If unsure, forward to James. Forward the email to [email protected] for a second opinion before you do anything else. Do not delay — early review can prevent harm.

Report it in Gmail. Use the three-dot menu on the email → "Report phishing." This helps Google improve filtering for the whole organisation.

5. Protecting your account

Your Google Workspace account is your primary gateway to WEA's data, documents, and communications. Protecting it is essential.

  • Use a strong, unique password. Do not reuse a password from another service. A strong password is long (14+ characters), uses a mix of types, and is not based on personal information. You can use a Password Generator such as this one: https://www.mapletech.co.uk/tools/password-generator/. Ensure that you tick the 'Include Symbols' and 'Include Numbers' checkboxes.

  • Enable two-factor authentication (2FA). This is one of the most effective protections available. Even if your password is compromised, 2FA prevents an attacker from accessing your account. Set this up at myaccount.google.com.

  • Never share your password. Not with colleagues, not with IT support. Legitimate IT support will never ask for your password.

  • Do not use your WEA password anywhere else. If another site you use is breached, attackers will try that password on your work accounts.

  • Log out when finished on shared computers. Never leave a session open on a device you share with others.

  • Be cautious about third-party apps. Do not authorise third-party apps or browser extensions to access your Google account unless you are confident they are legitimate and necessary.

6. Safe use of devices

Many staff access WEA email and documents on personal phones and laptops. If you do so, these principles apply:

  • Keep your device up to date. Software updates regularly include critical security patches. Delaying them leaves known vulnerabilities open.

  • Use a screen lock. Set a PIN, password or biometric lock on any device that has access to WEA systems.

  • Be careful on public Wi-Fi. Avoid accessing WEA accounts on unsecured public networks. If necessary, use a VPN.

  • Do not install software from untrusted sources. Only install apps and extensions from official app stores or trusted developers.

  • Report a lost or stolen device immediately. If a device with WEA access is lost or stolen, contact James immediately so that remote access can be revoked.

7. Sharing files and sensitive information

WEA handles sensitive information — staff details, financial data, partner communications, and data from members in restricted regions. Handle all such information with care.

  • Share Google Drive files via the built-in sharing feature rather than sending files as email attachments. This gives you control over access and allows you to revoke it later.

  • Verify requests before sharing sensitive data. If you receive an unusual request to forward a document or provide information — even from a colleague — verify it via a separate channel first.

  • Do not email sensitive data to personal addresses. If you need to share something with a colleague, use their WEA email address, not a personal Gmail or Hotmail account.

  • Do not store WEA data on personal cloud storage (personal Google Drive, Dropbox, iCloud, etc.). Use WEA's Google Workspace Drive only.

  • Be especially careful with data from sensitive regions. Information about colleagues, partners, or church leaders in countries where Christianity is restricted must be handled with extra care. When in doubt, ask James or Peirong before sharing.

8. If something goes wrong

If you believe you have clicked on a phishing link, entered your credentials on a suspicious page, or otherwise compromised your account — act immediately. Do not wait, and do not be embarrassed. Early action can prevent serious harm.

Change your Google Workspace password immediately at myaccount.google.com.

Contact James straight away so that your account activity can be reviewed and any suspicious sessions terminated.

Check your Gmail settings for any forwarding rules or filters that may have been added without your knowledge (Settings → See all settings → Filters and Forwarding).

Inform Peirong so that, if necessary, other staff can be alerted to a possible wider threat.

James Burden — Web and IT Manager

For all IT security concerns, including suspected phishing, account compromise, or lost devices.
WhatsApp / Phone: +44 7506 789420
Email: [email protected] / [email protected]