Step one in spotting a phishing email is knowing what you are up against. Phishing attacks happen when a cybercriminal impersonates someone you might know or trust through a legitimate looking email. The phishing email asks for your personal and account information or asks you to download a malicious file. Because the cybercriminal is impersonating someone, you’re more likely to comply with otherwise suspicious activity.
Phishing email scams generally fall into one of these categories:
- Traditional phishing attack - The traditional phishing attack casts a wide net and attempts to trick as many people as possible. A classic example of this is the “Nigerian prince advance-fee scam”.
- Spear phishing - Spear phishing attacks are designed to target a specific individual or small group of individuals. For example, a spear phishing attack my use information about a particular restaurant or small business to target one or more employees at that business. Or it could look like an email from a friend.
- Whaling - Whaling attacks, which have become increasingly popular in recent years, are targeted at high-profile victims like C-level executives and their teams. A typical whaling email may look like it was sent from the CEO of your company. But it's really a fake designed to get you to share valuable information about the company.
5 of the best ways to spot a phishing email
Phishing and other social engineering attacks are only increasing in frequency, and unfortunately, sophistication. However, there are a number of common indicators of a phishing attack. Knowing what to look for goes a long way to protect yourself against attacks. If you spot any of the following tip-offs, proceed with caution.
This is a dead giveaway. If you receive an email from, say, your bank, and it is riddled with typos, awkward language, or formatting errors, it is most likely fraudulent. Legitimate organizations take care when crafting communications to current or prospective customers. While cybercriminals are getting more sophisticated, they are still sloppy by comparison.
For example, a phishing email identified by the IRS reads “We kindly request that you follow this link HERE and sign in with your email to view this information from (name of accounting association) to all active members. This announcement has been updated for your kind information through our secure information sharing portal which is linked to your email server.”
2. Personal information requests
Reputable businesses do not ask for personal information—such as social security and credit card numbers—over email. This should be an immediate red flag. If an email requests this type of information, it is very likely a phishing email.
3. Too good to be true offers or scare tactics
Beware of emails offering rewards—vacations, cash prizes, etc. If an offer comes with a request for personal information, a link to claim your prize, or an attachment to download, it’s a phishing scam. It’s like the old saying, “if it seems too good to be true, it probably is.” This type of phishing email frequently encourages recipients to act quickly, because there is a time limit on the offer.
Some phishing emails take the exact opposite approach—attempting to scare recipients into clicking a malicious link or providing personal information. For example, an email from your credit provider that says your account has been compromised and a link to take some form of immediate action.
4. Mismatched URLs
If you hover your mouse over a link without clicking, you should see the full URL appear. If it doesn’t match the organization’s site name, or if it looks suspicious in any other way, it’s probably a malicious link. Look out for slight alterations to URLs that you visit frequently. For example, http://www.largenationalcompany.com might appear as http://largenatonalcompany.com.
5. Questionable senders
Verify the “From:” field in the email header. Is it from a legitimate email system? Using the example above, an email from Large National Bank should come from firstname.lastname@example.org not email@example.com.
Get the proper cyber resilience to protect yourself from email scams
Generally speaking, if an email seems sketchy, it probably is. If you don’t feel comfortable clicking on a link or downloading a document but aren’t completely confident that it is fraudulent, try to contact the sender in a separate email (better yet, in person or on the phone) to determine if the message is legitimate. Err on the side of caution, and you’ll avoid most attacks. Finally, be certain that you have a proper backup of your files. In the event that your computer is compromised by a phishing attack, backups allow you to restore files that were lost or corrupted.
Learn more about phishing and read the Top 4 types of email phishing scams.
Interested in improving your cyber resilience? Get started today: try Carbonite™ Safe.