Phishing scams have levelled up.
Gone are the days when the typical approach was from a ‘desperate multimillionaire’ looking to deposit several million dollars in Europe, via your bank account.
Criminals are using ever-more-sophisticated and subtle methods to get their hands on your data, servers, or money.
Here’s our guide on how to spot a phishing email – for everyone from the digitally naïve to the tech savvy – to help stop the bad guys hooking us in.
What Exactly Is a Phishing Scam?
A phishing scam is typically an email (or a text, phone call or social media approach) impersonating a legitimate source that attempts to get you to reveal important information – for instance, account passwords, or to fraudulently gain remote access to your systems/email. Once this information is revealed, a criminal may be in a position to steal data or even large sums of money, and to impersonate you to your clients and suppliers. Spear phishing is even more targeted – not just a blanket email, but one that’s tailored precisely to dupe you, or your colleagues.
How to Spot a Phishing Email: 3 Things to Look Out For
1. Obvious Errors
Never trust an email posing as a legitimate source if you discover mistakes. Organisations use copywriters and designers to ensure their content is impeccable and anything less than spot-on is a red flag. What do we mean by mistakes? Think spelling and grammar errors, poor punctuation and messy formatting. If it looks amateur, it’s likely an amateur criminal.
2. Scammer ‘Tells’
A ‘tell’ in poker is behaviour that betrays a player’s intentions. Fortunately, many email scammers reveal theirs in their approaches.
a) Multiple recipients. Be highly suspicious if the ‘To’ field contains multiple names or ‘Undisclosed Recipients’. Genuine emails will be addressed to you and you alone, and an email to multiple people has phishing scam written all over it.
b) Vague greetings. If you are not addressed by name, but as ‘Dear Customer’ or similar, keep your guard up. Genuine companies will know your name. (Having said that, don’t take an email that addresses you by name as a sure sign of legitimacy.)
c) Suspect links. Scammers often want you to click on a link. So, check that link by hovering over it (but never clicking). You should now see the real link URL, either at the bottom of your browser window or in a tooltip beside the link itself. Does it match the destination the link text claims to be? If in doubt, avoid.
d) Incorrect email addresses. Some frauds are spotted because the sender’s address uses a ‘typo-squatted’ domain, which looks very similar to the original but has letters added or removed (for example compaany.com or companycom.org instead of company.com). However, this isn’t always the case: a fraudster may have compromised your supplier or customer and be using their genuine mailbox to pretend to be someone you trust.
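As an added example (not code from the original post), here is a small Python checker that applies tells a) to d) to a raw email and reports each one it finds. The sample message, the trusted-domain list and the 0.8 similarity threshold for typo-squatting are constructed assumptions.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message) showing tells a) to d) described above.
SAMPLE_EML = """\
From: Accounts <billing@compaany.com>
To: Undisclosed Recipients:;
Subject: Invoice overdue - action required
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Please view your bill at
<a href="http://company.com.invoice-portal.example/pay">https://company.com/invoices</a></p>
</body></html>
"""

# Assumption: the domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"company.com"}

def lookalike_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` resembles but does not equal, else None."""
    for good in trusted:
        if domain != good and SequenceMatcher(None, domain, good).ratio() >= 0.8:
            return good
    return None

def host(url):
    # Reduce a URL or displayed link text to its host, for like-with-like comparison.
    return re.sub(r"^https?://", "", url.strip(), flags=re.I).split("/")[0].lower()

def audit_message(raw):
    """Return one finding per tell spotted in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    to_header = str(msg.get("To", ""))  # a) many recipients, or none disclosed
    if len(re.findall(r"[\w.+-]+@[\w.-]+", to_header)) > 1 or "undisclosed" in to_header.lower():
        findings.append("recipients: not addressed to you alone")
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    mimic = lookalike_domain(sender_domain)  # d) typo-squatted sender domain
    if mimic:
        findings.append(f"sender: {sender_domain} resembles trusted {mimic}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    if re.search(r"\bdear (customer|user|client|member)\b", body, re.I):  # b) vague greeting
        findings.append("greeting: generic salutation instead of your name")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S | re.I):
        if host(text) and host(text) != host(href):  # c) link text disagrees with target
            findings.append(f"link: shows {host(text)} but goes to {host(href)}")
    return findings
```

Run `audit_message(SAMPLE_EML)` to list the four tells in the constructed message; a message with none of them returns an empty list.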
3. High-Pressure Content
Are you being triggered emotionally?
Criminals may try to panic or scare you into taking action, or even make you feel hopeful or curious. Common tactics used to get you to respond emotionally, and not rationally, include:
- Urgency: ‘Do this quickly, or face consequences’ (such as a fine or the displeasure of your boss).
- Scarcity: Fear of missing out (FOMO) is a strong emotion, and criminals will try to manipulate you into getting a deal or bargain ‘before it is too late’.
- Current events: Criminals will tap into newsworthy items such as an impending tax deadline, health scare, or charity appeal to get you engaged.
If you feel your emotions are being manipulated, or you feel emotionally charged, trust your instinct. If it’s a spear phishing email, these hooks will have even more barbs because it specifically targets you, your role or your company. If you’re reading the email on your smartphone, you may be more likely to be distracted or it could be harder to spot, so take even more care, before you take any action.
Step back. Put your critical head on. Reassess.
What Are Common Examples of a Phishing Email?
Some frequent types of phishing campaigns include:
• Fake invoice scams asking you to view your bill via a link.
• Subscriptions (Microsoft, Netflix, Amazon etc.) needing new payment details to continue service.
• Google Docs scams encouraging you to click on links to view a file.
• PayPal scams suggesting there is a problem with your account and requesting you to click a link to fix it.
What Should I Do if I Think I Have Received a Phishing Email?
Never respond or click on anything in the email.
- Take a screenshot of the email and send it to your IT security team if you have one. Never forward the actual email to anyone within your organisation, as you risk exposing others to the same lure. You can, however, forward it to the National Cyber Crime Agency at report@phishing.gov.uk, who will investigate it further.
- If you think the email may be from a legitimate source, but have doubts, open a new browser window and go directly to the organisation in question. From there you can make contact about your concerns or check your accounts as appropriate.
- Delete the original email immediately.
A final sign off:
Of all the advice in this ‘how to spot a phishing email’ post, here’s the golden rule: if your gut is telling you something isn’t quite ringing true, there’s a very good chance it’s a scam.
We’ve also created a phishing email examples post to give you real world instances of phishing at work.
Our cyber security awareness training can help staff adopt safe online practices. Contact us for more details.