- say they've noticed suspicious activity or log-in attempts
- offer coupons for free stuff
- claim there's a problem with payment/account information
- say you're eligible for a refund
- advise you to confirm personal information
- ask you to click a link
- include a fraudulent invoice
1. Extremely urgent language
Digital scammers are smart. They know they only have a few moments to trick you into clicking a malicious link or giving out information. Scam emails with no sense of urgency typically give the recipient a little more time to read them over, which makes fraudulent messaging easier to spot and the attack easier to avoid.
Emails with urgent language are much more effective for phishers because they take away that moment of clarity. Beware of emails containing this kind of language:
- "Make a payment TODAY to avoid a massive penalty!"
- "Click NOW to stop your account from being deactivated!"
- "Confirm your security details right away!"
2. Email contains spelling errors
Poorly written emails should always be cause for concern. Legitimate organizations typically do not make obvious grammar errors. Phishing messages are often written quickly and rarely edited. Whenever there are grammatical or stylistic mistakes, use caution.
Don't just look for errors in the body of the email, either. Hackers may change even a single character in the subject line, in an attached link or URL, or even in the email address itself.
- "You're new payroll schedule calender for 2022 is now available for your approval."
- "Please fill this form."
- "This is a general maintenance request for your webmail have been reported for receiving spam emails and the space limit needs to be upped an extra gigabytes as placed by the admin thank you."
3. The domain seems a bit... phishy
Not even Google will send emails from an address ending in "@gmail.com." The majority of legitimate organizations have their own email domain and company accounts. That's why it's so important to look beyond just the sender display. Your inbox could display a colleague's name or company you're familiar with, but the address itself could be fraudulent.
Whenever you're skeptical of an email, be sure to always examine the entire 'from' address. Look for anything that looks strange or any potential alterations. Scammers frequently create new email addresses with additional numbers or letters to seem legitimate.
Support@Microsoft.com vs. Support@Microsoft32.com.
Keep in mind, however, that companies do use separate, unique domains to send email - so this is not a foolproof method, but it is always worth further examination.
If a hacker is able to successfully pose as a popular company, they will try to mirror the actual emails sent by that organization. Check Point's Brand Phishing Report - Q4 2020 highlights the top 10 brands that phishers use as a disguise:
- Microsoft (43% of all brand phishing attempts)
- DHL (18%)
- LinkedIn (6%)
- Amazon (5%)
- Rakuten (4%)
- IKEA (3%)
- Google (2%)
- PayPal (2%)
- Chase (2%)
- Yahoo (1%)
4. The email includes suspicious links or attachments
Some phishing emails request personal information -- and that's it. But most scam messages contain some kind of infected attachment or a link to a sham website.
Your best bet is to be extremely cautious whenever opening any attachment or link, even when the email is from someone you know and trust. Even opening a single PDF document can unleash all kinds of malware on your computer or network. If you're ever prompted to adjust your settings, or a warning flashes about the file's legitimacy, it's best not to proceed.
Scammers hide suspicious links in buttons and hyperlinks. Always hover over (but do not click!) and look at the destination of any links contained in an email.
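The two checks described above (looking at the real 'from' address behind the display name, and comparing a link's visible text with the destination you would see when hovering) can be automated for incoming mail. The script below is an added example and is not code from the original article; the sample email, the KNOWN_BRAND_DOMAINS allowlist and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims "Microsoft Support", the real
# sender domain is a lookalike, and the first link's visible text points at
# a different host than its actual href.
SAMPLE_EMAIL = """\
From: "Microsoft Support" <support@microsoft32.com>
To: user@example.com
Subject: Unusual sign-in activity detected
Content-Type: text/html

<html><body>
<p>We noticed unusual sign-in activity. Review it now:</p>
<a href="http://login-verify.example.net/reset">https://account.microsoft.com/security</a>
<p>Questions? Visit <a href="https://www.microsoft.com/support">our support page</a>.</p>
</body></html>
"""

# Hypothetical allowlist of brand domains the organisation expects mail from.
KNOWN_BRAND_DOMAINS = {"microsoft.com", "google.com", "paypal.com", "amazon.com"}


def sender_domain(from_header):
    """Return the domain of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_brand(domain):
    """Return the brand domain this one imitates when stripping digits
    turns it into a known brand (microsoft32.com -> microsoft.com)."""
    if domain in KNOWN_BRAND_DOMAINS:
        return None
    stripped = re.sub(r"\d+", "", domain)
    return stripped if stripped in KNOWN_BRAND_DOMAINS else None


def display_name_mismatch(from_header):
    """True when the display name mentions a known brand but the address
    domain is neither that brand's domain nor one of its subdomains."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand in KNOWN_BRAND_DOMAINS:
        label = brand.split(".")[0]
        if label in name.lower() and domain != brand and not domain.endswith("." + brand):
            return True
    return False


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def deceptive_links(html_body):
    """Return (shown_host, real_host) for anchors whose visible text is a URL
    on a different host than the actual destination, i.e. what hovering reveals."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not text.lower().startswith(("http://", "https://")):
            continue
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            findings.append((shown, real))
    return findings


def analyze(raw_message):
    """Run the sender and link checks over one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    domain = sender_domain(from_header)
    return {
        "sender_domain": domain,
        "lookalike_of": lookalike_brand(domain),
        "display_name_mismatch": display_name_mismatch(from_header),
        "deceptive_links": deceptive_links(body),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The lookalike heuristic is deliberately simple (it only strips digits, so a domain such as a brand name with an extra word would not be caught); in practice this would be combined with SPF/DKIM results and a larger list of expected sender domains. The link check implements exactly the "hover before you click" advice: it flags any anchor whose visible URL names a different host than the one the browser would actually open.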
5. Email sounds awkward or unfamiliar
Phishers will try anything. They'll pose as your boss, your coworker, your brother, and everything in between. If you have any strange feelings about the tone of an email from someone you know, call them and ask about its legitimacy.
When it comes to emails from companies, never trust a request for information the company should already have on file. Netflix, for instance, would never email you asking for your account name.
On a personal level, generic greetings are often scams. If a coworker sounds a little too casual or a family member sounds a little too formal, something might be up.
- "Hello, Sir or Madam..."
- "Dear brother, I am writing to you..."
- "hey gonna need you to sign in. - ur boss"
6. The email is sitting in your spam folder
This might sound obvious, but just because an email is in a spam folder doesn't mean people won't open it. Scammers are constantly trying to find ways to avoid being sent to the spam folder, but even when they end up there, they are just as dangerous. According to Small Business Trends, 30% of phishing emails make it past default security, meaning 70% sit in spam folders.
Even if the email looks, sounds, and feels legitimate, if it's sitting in the spam folder it is most likely a scam.
7. The message is too good to be true
That recruiter you've never heard of is probably not going to get you that $450,000 salary. The "early" tax refund in May isn't really coming. And being "randomly selected" for any kind of Amazon gift card or similar promotion is simply just not real.
When it comes down to it, if an email sounds too good to be true... it most likely is.
8. The email asks for sensitive information
Lastly - and perhaps most importantly - legitimate companies, family members, and coworkers never ask for sensitive information via email. If you receive an unsolicited email from an organization that asks you to provide any kind of financial or personal data, it's almost always a phishing scam.
- "Please enter your username, password, and tracking number to verify your order."
- "Re-enter your credit card information immediately to avoid late fees."
- "We ask that you send your phone number and any passwords associated with your company logins."
Protecting Yourself From Phishing Attacks
Phishing attacks can happen to anyone. All it takes is one mistake, a single accidental click, or a second of naivety.
Here are some of the best ways to avoid falling victim to a phishing scam:
- Always be vigilant and cautious online.
- Make sure you're using updated security software on all your devices.
- Use multi-factor authentication.
- Back up your data.
- Use the Password Alert extension (Google Workspace only).
If you have been a victim of a phishing scam, you should:
- Write down as many details of the attack as you can recall. Note usernames, passwords, account numbers, and anything else you may have shared.
- Change your passwords and enable two-factor authentication.
- Notify IT support if the attack affects your work accounts.
- Notify banks and credit card companies if financial details have been compromised.
- Report the message:
  - Forward the phishing email to the Anti-Phishing Working Group: ReportPhishing@apwg.org
  - Report the attack to the FTC: ReportFraud.ftc.gov
  - Forward a phishing text message to SPAM (7726)