Phishing scams have levelled up.
Gone are the days when the typical approach was from a "desperate multimillionaire" looking to deposit several million dollars in Europe, via your bank account.
Criminals are using ever-more-sophisticated and subtle methods to get their hands on your data, servers, or money.
Here's our guide on how to spot a phishing email, for everyone from the digitally naïve to the tech savvy, to help stop the bad guys hooking us in.
What Exactly Is a Phishing Scam?
A phishing scam is typically an email (or a text, phone call or social media approach) impersonating a legitimate source that attempts to get you to reveal important information, for instance account passwords, or to fraudulently gain remote access to your systems or email. Once this information is revealed, a criminal may be in a position to steal data or even large sums of money, and to impersonate you to your clients and suppliers. Spear phishing is even more targeted: not a blanket email, but one that's tailored precisely to dupe you or your colleagues.
How to Spot a Phishing Email: 3 Things to Look Out For
1. Obvious Errors
Never trust an email posing as a legitimate source if you discover mistakes. Organisations use copywriters and designers to ensure their content is impeccable, and anything less than spot-on is a red flag. What do we mean by mistakes? Think spelling and grammar errors, poor punctuation and messy formatting. If it looks amateur, it's likely an amateur criminal.
2. Scammer "Tells"
A "tell" in poker is behaviour that betrays a player's intentions. Fortunately, many email scammers reveal theirs in their approaches.
a) Multiple recipients. Be highly suspicious if the "To" field contains multiple names or "Undisclosed Recipients". Genuine emails will be addressed to you and you alone; an email sent to multiple people has phishing scam written all over it.
b) Vague greetings. If you are not addressed by name, but as "Dear Customer" or similar, keep your guard up. Genuine companies will know your name. (Having said that, don't take an email that addresses you by name as a sure sign of legitimacy.)
c) Suspect links. Scammers often want you to click on a link. So check that link by hovering over it (but never clicking). You should now see the real link URL, either at the bottom of your browser window or in a tooltip over the link itself. Does it match the destination the link claims to be? If in doubt, avoid.
d) Incorrect email addresses. Some frauds are spotted because the email address uses a "typo-squatted" domain, which looks very similar to the original but has letters added or removed (for example compaany.com or companycom.org instead of company.com). However, this isn't always the case, because a fraudster may have compromised your supplier or customer and be using their real email account to pretend to be someone you trust.
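The four tells above can also be checked mechanically before a message reaches a reader. The script below is an added example, not code from the original post or from any vendor: it parses a raw email, flags undisclosed or multiple recipients, a "Dear Customer" greeting, links whose displayed URL differs from the real href, and sender domains that are a couple of edits away from (or a dotless prefix of) a domain on a hypothetical allow-list. The sample message, the TRUSTED set and all function names are constructed for the example.

```python
import email, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse
TRUSTED = {"company.com"}  # hypothetical allow-list: domains your organisation genuinely deals with

# Constructed sample message built from the tells above; not taken from a real campaign.
SAMPLE = """From: Accounts <billing@compaany.com>
To: Undisclosed Recipients:;
Content-Type: text/html

<p>Dear Customer,</p>
<p>View your bill at <a href="http://companycom.org/bill">https://company.com/invoices</a></p>
"""
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def levenshtein(a, b):
    """Edit distance; a trusted domain one or two edits away is a typo-squat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host(url):
    return urlparse(url if "://" in url else "http://" + url).hostname

def phishing_tells(raw):
    """Return the tells (a-d) that fire on a raw RFC 822 message; an empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    to = str(msg.get("To", "")).lower()
    if "undisclosed" in to or to.count("@") > 1:  # a) multiple / undisclosed recipients
        found.append("multiple-recipients")
    body = msg.get_content()
    if re.search(r"\bdear (customer|user|client|member)\b", body, re.I):  # b) vague greeting
        found.append("vague-greeting")
    for href, text in ANCHOR.findall(body):  # c) displayed URL vs real href
        text = re.sub(r"<[^>]+>", "", text).strip()
        if URL_LIKE.fullmatch(text) and host(text) != host(href):
            found.append("link-mismatch:" + str(host(href)))
    domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()  # d) sender domain
    for t in TRUSTED:
        if domain != t and (levenshtein(domain, t) <= 2 or domain.replace(".", "").startswith(t.replace(".", ""))):
            found.append("lookalike-domain:" + domain)
    return found
```

Running `phishing_tells(SAMPLE)` reports all four tells; a message from an allow-listed domain with a single named recipient and matching links returns an empty list.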
3. High-Pressure Content
Are you being triggered emotionally?
Criminals may try to panic or scare you into taking action, or even make you feel hopeful or curious. Common tactics used to get you to respond emotionally, and not rationally, include:
- Urgency: "Do this quickly, or face consequences" (such as a fine or the displeasure of your boss).
- Scarcity: Fear of missing out (FOMO) is a strong emotion, and criminals will try to manipulate you into grabbing a deal or bargain "before it is too late".
- Current events: Criminals will tap into newsworthy items such as an impending tax deadline, health scare, or charity appeal to get you engaged.
If you feel your emotions are being manipulated, or you feel emotionally charged, trust your instinct. If it's a spear phishing email, these hooks will have even more barbs, because it specifically targets you, your role or your company. If you're reading the email on your smartphone, you may be more easily distracted and the signs can be harder to spot, so take even more care before you take any action.
Step back. Put your critical head on. Reassess.
What Are Common Examples of a Phishing Email?
Some frequent types of phishing campaigns include:
- Fake invoice scams asking you to view your bill via a link
- Subscriptions (Microsoft, Netflix, Amazon etc.) needing new payment details to continue service
- Google Docs scams encouraging you to click on links to view a file
- PayPal scams suggesting there is a problem with your account and requesting you to click a link to fix it.
What Should I Do if I Think I Have Received a Phishing Email?
Never respond or click on anything in the email.
- Take a screenshot of the email and send it to your IT security team if you have one. Never forward the actual email to anyone within your organisation, as you risk spreading the threat to others. You can, however, forward it to the National Cyber Crime Agency at report@phishing.gov.uk, who will investigate it further.
- If you think the email may be from a legitimate source, but have doubts, open a new browser window and go directly to the organisation in question. From there you can make contact about your concerns or check your accounts as appropriate.
- Delete the original email immediately.
A final sign off:
Of all the advice in this how-to-spot-a-phishing-email post, here's the golden rule: if your gut is telling you something isn't quite ringing true, there's a very good chance it's a scam.
We've also created a phishing email examples post to give you real-world instances of phishing at work.
Our cyber security awareness training can help staff adopt safe online practices. Contact us for more details.