Unfortunately, there is no one trick to spotting phishing emails. You might think checking the “from:” address would be enough – but that can be easily faked. Instead, you should carefully examine any links in an email. But because there’s no single way to spot a phishing email, you’ll want to familiarize yourself with all of the following red flags.
In this article, we’ll go over six ways to spot a phishing email. From there, read on for eleven tips on how individuals and organizations can protect themselves from phishing attacks.
6 Red Flags: How to Spot a Phishing Email
Suspicious Links
Links are the first thing I check when inspecting an email for signs of phishing. One of the most common phishing tactics is to create a fake version of a legitimate website – such as your bank, for instance. When you type your login info into their fake page, the scammer can then use that info to log into your accounts. This is why I always check links before clicking on them.
Hover over the link to see where it really points. If it isn’t the official website, don’t click it. That includes link shorteners or any URL that does not exactly match the official website. When in doubt, don’t click it: instead, just go to the website directly. If you type it in yourself, there’s little chance you’re getting misled by a scammer.
Asking for Personal Information, Passwords, or Money
Most of the time, phishing scammers are after personal information, passwords, or money. Sometimes, they’ll ask you directly – that’s a big red flag. Personal information can include anything from your name to your social security number. If an unsolicited email asks for any information about yourself, that should raise an eyebrow.
Some phishing emails will ask for money directly. You’re hopefully skeptical enough not to fall for the most basic of these, but phishing scammers can be clever. If they can identify a contractor you’ve done business with, for example, they can send you a fake invoice under their name. Watch out.
Generic, Impersonal Emails
Many phishing emails are designed to be sent out as widely as possible. It’s not uncommon for them to start with a generic opener, like “Hello friend” or “Dear Customer”. Even if they call you by name, the personalization often stops there. If you’re reading an email that could just as well have been sent to a million other people, it may be a phishing email.
If the email comes from a stranger, ask yourself: “Why is this person sending me this email?” It might sound nice, but I wouldn’t trust a stranger promising me thousands of dollars. Neither should you.
You should also take care with any generic emails that seemingly come from legitimate companies. Phishing scammers frequently impersonate organizations such as Bank of America and FedEx, creating emails that closely match what those companies routinely send their customers. Keep in mind that one red flag doesn’t mean the email is fake – it only means you should proceed with care, and check for other red flags.
Not all phishing emails are generic. The phishing technique known as spear phishing relies on sending heavily personalized emails based on diligent research. There’s no one way to know for sure whether an email is real or fake.
Emotional Appeals Based on Fear, Urgency, or Other Motives
Many phishing scammers will exploit your emotions to get you to act without thinking. Most frequently, they appeal to fear. They might warn you that your bank account has been hacked, or that you’re being investigated by the IRS. If an email causes your pulse to quicken, you should probably take a second to think before you proceed.
Fear isn’t the only emotion phishing emails exploit. They often emphasize urgency alongside fear: act now, before you’re locked out of your bank account. They might also offer an enticing opportunity. Think of the “Nigerian prince” scammer promising untold fortunes. If you’re smart, you’re probably skeptical – but even then, doesn’t it sound tempting?
Don’t Gloss Over Warnings From Your Email Provider
This might sound basic. But you’d be surprised how many people will ignore literal warning signs from their email provider.
This is one of the clearest red flags you can get. It doesn’t absolutely ensure an email is a phishing scam, but any warning should be taken seriously. If your email provider flags an email as spam or a potential danger, proceed with caution.
The From Address
Finally, we have the “from:” address. This might be the first place you check, but unfortunately it’s not completely secure. Through a technique known as email spoofing, a phishing scammer can easily make an email appear as though it came from any sender of their choice. Sometimes your email service provider will catch on, but there’s a big difference between sometimes and always.
That said, the “from:” address is a way to quickly spot some phish. If the sender looks off, you may be able to identify a phishing email right away. Just don’t assume that an email is safe because the “from:” address checks out.
7 Ways to Protect Against Phishing Attacks
By watching out for the above red flags, you’ll hopefully be able to spot phishing emails before falling for their trap. To further minimize your chances of being phished, I encourage you to follow these best practices.
Don’t Click the Links
The safest way to click a link in an email is to not click it at all. That might sound like a bit much – but email links are rarely the only way to access a website.
Instead, type the URL directly into the address bar on your browser. If you go there on your own, you minimize the risk a link from a stranger will mislead you to a fake website.
Of course there are times when you have no choice but to click an email link. Let’s say, for instance, you had to reset a password. In this case, you’ve requested the password change email – it’s no longer unsolicited. It’s still worth checking the link, but unless a scammer sent the exact right email at the exact right minute, it’s probably not a scam email.
Take Care with Personal Information
Any time an email asks for any kind of passwords or personal information, you should stop and think. Does this email have any of the red flags mentioned above? The same applies if the email sends you to a website that asks for your passwords or personal information.
It’s pretty obvious why you wouldn’t want a scammer to get their hands on your password. Personal information can be trickier. It includes all kinds of details, from your name to your address to your social security number, some of which are more sensitive than others.
What’s in a name, for instance? On its own, it might not even be enough to identify you. But the more information someone has, the more material a scammer has to commit identity theft and break into your accounts. A phishing email that directs you to fill out a form can be just as damaging as one that asks for your password.
Understand the Phishing Tools of Deception
Some phishing emails are obvious. But others rely on more advanced tools, such as spoofed emails and clone websites, to deceive their victims.
In a spoofed email, the phishing scammer fakes the “from” line. It’s not too hard for them to say an email came from anyone – you can see an example below.
Phishers also clone websites, creating fake web pages that look just like the real thing. The only thing they can’t fake perfectly is the website URL. That’s why links are my number one focus when trying to determine if an email is legit or not.
Make sure you look carefully, as many phishers will buy domains that look very similar to the real one. Changing one letter means only a few pixels’ difference – and those few pixels might be the only thing between you and getting phished.
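The two link checks described above (does the link target exactly match the official site, and is the domain a one-character lookalike) can be automated. This is an added example, not code from the original article; the official hostnames, the shortener list and the sample message are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hostnames the real organisation uses (assumed for this example).
OFFICIAL_HOSTS = {"examplebank.com", "www.examplebank.com"}
# Link shorteners: the article says these never count as the official site.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

def edit_distance_one(a, b):
    # True when two hostnames differ by exactly one substituted, added or dropped character.
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return len(long_) - len(short) == 1 and any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def classify_link(text, href):
    # Apply the article's checks in order: exact host match, shortener, lookalike, text/target mismatch.
    host = (urlparse(href).hostname or "").lower()
    if host in OFFICIAL_HOSTS:
        return "ok"
    if host in SHORTENERS:
        return "shortener"
    if any(edit_distance_one(host, official) for official in OFFICIAL_HOSTS):
        return "lookalike"
    shown = re.search(r"https?://([^/\s]+)", text)  # a URL written in the visible link text
    if shown and shown.group(1).lower() != host:
        return "mismatch"  # what the reader sees is not where the link actually goes
    return "external"

def check_email(html):
    # A simple regex is enough for the constructed sample below; a real mail client would use a full HTML parser.
    links = re.findall(r'<a\s+href="([^"]*)"[^>]*>(.*?)</a>', html, re.S | re.I)
    return [(text, href, classify_link(text, href)) for href, text in links]

# Constructed sample message body; none of these links are real.
SAMPLE = """<p>Dear Customer,</p>
<a href="https://examplebank.com/login">Sign in</a>
<a href="https://examp1ebank.com/login">Sign in</a>
<a href="https://bit.ly/3xyz">Verify your account now</a>
<a href="https://exarnplebank.com/login">https://examplebank.com/login</a>"""
```

Running `check_email(SAMPLE)` labels the four links ok, lookalike, shortener and mismatch; only the first should ever be clicked, and for the rest the advice stands: type the address yourself.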
Stay Up to Date on Phishing Scams
Phishing techniques are always evolving. Over the years, they’ve developed from simple advance-fee fraud into new types of phishing such as spear phishing, SMS phishing, and catfishing.
Developing an awareness of phishing techniques isn’t something you can just cross off a list. To stay safe, you’ll want to keep up to date. A great place to start is the FTC’s index of the latest phishing scams.
Set Up Two Factor Authentication
The #1 technical fix I recommend is two factor authentication. With two factor authentication, a password isn’t enough to access an account. Instead, another step is required to log in. Most frequently, that’ll be a text, email, or phone call. When you log in, the company sends you a short code that you then type into your browser. If you’re using your phone number, a scammer would need to have your phone on hand to log in.
Many companies insist on two factor authentication, especially if you’re logging in with a new device. You might not need two factor authentication for every account you have, but I would leave it on for important ones, such as for your bank and any medical accounts.
Use a Password Manager
Password managers are another great tool to reduce the risk of getting phished. If you use the same password across multiple accounts, you’re at especially high risk: if a scammer or hacker gets one password, they can then log in to your accounts across the board. What’s more, a good password manager will recognize if the website is the legitimate one or a fake.
With a password manager, you can readily set up unique, secure passwords across every account you log into. Because it holds the key to all your passwords, you need one you can trust. The New York Times recommends 1Password, but I encourage you to do your own research.
Keep Your System Up-to-Date
Ten years ago, I would have told you to install anti-virus software. These days that’s still an option, but the built-in defenses of most computers have gotten significantly better, to the point that you likely no longer need a third-party anti-virus.
However, you’re only safe as long as you stay up-to-date. So don’t put off important updates. These days, both Windows and Mac OS are good at serving updates, whether you want them or not.
For added security, consider installing anti-malware software such as Malwarebytes. This isn’t strictly necessary, but it provides an added layer of protection in case someone sends you a sketchy file.
4 Ways Organizations Can Prevent Phishing Attacks
Finally, we have a few tips on how organizations can protect themselves. All of the above guidelines apply to both individuals and organizations, but the following tips are particular to companies trying to guard against phishing attacks.
Train Your Organization to Spot Phishing
Any chain is only as strong as its weakest link. Defending a firm from phishing attacks does not fall on any one person – it falls on everyone. So if you want to protect an organization from phishing, you need to implement phishing awareness training to teach everyone how to spot and stop phishing attempts.
Everyone means everyone. That includes executives, who are often prime targets when phishing scammers go after organizations.
Have a Clear Reporting System in Place
As part of your organization’s anti-phishing program, it’s essential that people know what to do if they spot a suspected phishing email. Otherwise, they’ll just forward it to whoever they think is the right person.
This leads to communications mishaps and actually increases the chance someone will fall for the phishing email. That’s exactly what happened to the Democratic National Committee in the infamous DNC email hack of 2016.
One way to do this is to set up a dedicated reporting address, like email@example.com. You want to make it easy for your employees to report phishing emails. If it takes someone more than a minute to report, many employees simply won’t bother.
Follow Up – and Test
If you run a phishing awareness training program once and never follow up, it’s unlikely the message will stick. To be certain, you’ll want to test your organization by sending them fake phishing emails. Testing shouldn’t be punitive: the goal is to keep your organization safe, not to call out specific people. You can read more here.
Take Great Care with Customer Information
Phishing scammers typically seek out money, passwords, or personal information. Organizations present high-value targets – not only do they have more money than the typical individual, but they often hold large amounts of customer information.
You should guard customers’ personal information even more carefully than your business finances. Don’t collect what you don’t need, delete what you don’t need to hold onto, and carefully safeguard any customer information you do keep on file. You don’t want to end up a news story on how your business compromised all of its customers.
Hopefully now you’ve got a better sense of how to stay safe from phishing attacks. Watch out for the red flags, carefully check links, and above all, stay vigilant.