Phishing emails flow into your mailbox continually. If you have an email address that’s been around for a long time, we might see a couple a week, or as many as one to two a day.
While some of these emails are crazy and stand out like a sore thumb, others are well crafted and subtle – making them quite difficult to spot as a phishing or illegitimate email. So how do you tell a malicious phishing email from a good email? Unfortunately, there is no single rule or way to spot phishing emails, but here are some handy tips:
- The message contains mismatched URLs or Addresses
Hover your mouse over the links in the email and a window will appear showing you the address of that link – chances are that isn’t going directly to your bank – but instead to some compromised website where the scammers have hosted a page which looks like your bank login. This is a sure sign that the email is a phishing email. - URLs have misleading domain names
Once you’re hovered over the links, look for something like chassse.com instead of chase.com – or chaselogin.mismatchdomain.com. A misleading domain name could be the domain itself, or a subdomain of another domain. - Poor spelling and grammar
Many phishers are not from an english speaking country, and English might not even be their 2nd language. You can be pretty sure that your bank or credit card company has had many eyes review their corporate communication, and they are not likely to have made the simple English mistakes that a spammer who uses an online translator to convert from say, Vietnamese to English might make. At least you can feel proud that the language you grew up with is hard to master, and that scammers show their cards when they don’t have good English skills. - The message asks for personal information
Your bank would never ask for this – any email asking you for personal information is a sure sign that the email is not legit. - This offer seems too good to be true
It is! If someone is telling you that you have a long-lost relative with millions to hand to you – or a prince who just needs a little help in return for a payout, then you’re right, it is too good to be true – and it’s a scam. Trash this email. - You didn’t initiate the action
So you get an email that says you won the lottery – and you didn’t even buy a ticket??!? Yes, that’s a scam. If you get emails saying you won prizes from a company you did do business with, don’t click on the links, but google their company name, get their corporate contact details and call them. - Being asked to send money to cover expenses
This is a scam plain and simple. If you won something, you won’t be asked to cover the expenses of sending you the prize – that’s simply not how it works. Whether the fees are to cover shipping, taxes or some other “fee” being asked to provide money to collect something is a sure sign that this is a scam email. - Unrealistic threats
Some scammers resort to threats in order to scare people into clicking and providing information – such as your account will be closed if you don’t verify your identity. This is quite an amusing threat if you think about it – especially when it supposedly comes from a bank or credit card company that you might have done business with for years or decades. Any threat of closure of legal actions would never come in an email – but instead in a postal letter. Threats of this type are always phishing scams. - This message comes to you from a government agency
Phishing scammers don’t always try to pose as your bank or credit card company – sometimes they pretend to be from the Police, or FBI. Government agencies in the US don’t send emails of actions. They arrive on the doorstep with a warrant. Sometimes they announce their visit with a phone call and sometimes they just turn up. But they never send you an email saying “fix this or we’ll shut you down”. Actionable information for a US agency does NOT get you emails – such emails are always scams. - It just “doesn’t look right”
Security teams are taught to look for something that JDLR – or – just doesn’t look right. The same principle applies to emails. If something feels ‘funny’ or ‘wrong’ – it usually is. If you have a funny feeling about an email, the chances are that it’s a scam.
Hover over your links – check the ‘from’ address’. Two fairly easy to spot indicators of a phishing email.