How to Spot a Phishing Email

As soon as you open a phishing email, you'll notice that some things aren't quite right. For example, the message here looks to be from a well-known banking institution—Capital One. Most banks, however, don't send emails requesting customers to click on links or provide personal information.

Neither do most other businesses, for that matter. Receiving fake emails from Facebook and PayPal is also fairly common. The best way to protect yourself just in case you should mistakenly happen to fall victim to phishing is to set up two-factor authentication on your accounts whenever possible.

Two-factor authentication adds another level of protection on an account. When an attempt is made to log into your account, a code (usually four or five digits) is auto-generated and delivered by text to your phone at the number you specify upon setup. Unless that code is entered to confirm your identity, access to your account is restricted.

Legitimate institutions that send communications to their customers generate them from a domain associated with their website typically.

In this message, for instance, the email address ends with ​​"@online.com." That’s your first clue that this might be a phishing email because the message claims to be from Capital One, which would probably have an email address ending with "@capitalone.com."

Looking at the link in this email message, it appears to lead to ​"onlinebanking.capitalone.com." One way to tell if what you see is where you’ll really end up is to place your pointer over the link—but don't click it!

If you're on a laptop or desktop computer, a pop-up window like the one shown in the image above should appear with the real URL attached to the link. In phishing emails, this address rarely matches what’s displayed in the email. ​

If you're on a mobile device, hovering isn't an option. You can still check the link by pressing and holding the link until a dialog box comes up. When you do that, the full URL will be shown, and you'll have the option of copying it.

Anti-Phishing Extensions

If you're on a desktop device using a Chrome browser, you can even download anti-phishing extensions that help detect phishing and malware misdirection. This is more effective if you're using a web-based email client. 

There are more than half-dozen extensions available. One of them, ipty.de/av, even has a website component where you can enter in the suspected URL to see if it's legit. If you right-click on the link, you can copy and paste it on the "link and go" section of the website.

• Avast Online Security
• Avira Browser Saftey
• Emsisoft Browser Security
• Identity Guard Safe Browsing
• ipty.de/av
• Malwarebytes Browser Extension
• Online Security Pro
• Windows Defender Browser Protection

On a mobile device, when you copy the full URL, you can open up another tab, visit the ipty.de website mentioned above and paste the link into the appropriate box.

Phishing emails are routinely marked falsely as "Urgent." Don't fall for this ploy. Few scenarios qualify for this sort of designation.

Erroneous Account Activity

It's also common for phishers to tell email recipients that "regular maintenance" turned up an accounting error of some type. A link will then be provided with a request to confirm their account information.

If your credit card provider or bank finds errors in your account, you will most likely receive a letter in the mail explaining the situation. On rare occasions, you might receive a phone call, but even that isn’t likely to happen because of the risks to the creditor or banks that are involved.

Asking You to Confirm Your Account

A similar trick phishers try to pull is playing on your sense of vulnerability. They'll do this by sending an email asking you to “Confirm your account now to stop fraudulent activity.”

Steer clear of this. Confirming your account usually means providing all of the identifying information that a criminal needs to gain control of the account. When in doubt, call the number on your credit card or banking statement.

Have you ever seen a piece of mail from your credit card company or bank that included misspellings? Rarely. That’s because those companies proofread everything they send out to customers.

By extension, it's not likely those companies would send out email messages that included misspellings and punctuation errors. Errors of this kind are easy to spot and are sure indicators that an amateur is trying to steal your identity. 

Now that you know what to look for, you can practice pinpointing the phony emails. For most of us, being constantly conscientious when it comes to our email isn't top of mind. 

• Phishing Quiz by Google
• Spot the Phish by Sophos
• Phishing IQ Test by SonicWall.com

There are other forms of phishing that are more sophisticated and subversive, which makes the intrusions much more difficult to detect.

Spear Phishing

Spear phishing is more insidious than conventional phishing. This scam is attempted with more tactical precision. With more detailed illicitly gained personal information, the criminals send seemingly harmless emails that appear to be from trusted contacts. The emails typically contain malware attachments that install in the background unbeknownst to the user when opened. 

That malware subsequently seizes control of your computer. From engaging ransomware that holds your device captive with a price to unlock to implanting viruses, trojans, and worms to siphon your most sensitive information, spear phishing can wreak all kinds of havoc. The most prominent example of this is the infamous Russian scandal involving hacked emails from the 2016 presidential election.

SMiShing

SMiSing is executed on mobile devices using Short Message Service (SMS), a fancier name for texting—something most of us do all day, every day. The heist attempt here is simple. A text message is typically sent with a link from what seems like a trusted source, could be your phone carrier, Facebook, PayPal, or your bank.

When the link is clicked, you're at risk of been compromised. This scenario is being played out frequently enough for the Federal Communications Commission (FCC) to post tips on its website to help consumers avoid being scammed.

• Never click links, reply to text messages, or call numbers you don't recognize.
• Do not respond, even if the message requests that you "text STOP" to end messages.
• Delete all suspicious texts.
• Make sure your smart device OS and security apps are updated to the latest version.
• Consider installing anti-malware software on your device for added security.

URL Padding

This is a relatively recent scam being employed. Here, criminals create links that mirror legitimate URLs on first glance and tack hyphens and a string of text at the end that masks the actual destination. While this tactic would be more readily recognizable on a desktop device, it's hard to notice on a mobile device, according to Crane Hassold, Director of Threat Intelligence for Phish Labs, who lists these examples on his company's blog.

• hxxp://login.Comcast.net-------account-login-confirm-identity.giftcardisrael[dot]com/      
• hxxp://accounts.craigslist.org-securelogin--------------viewmessage.model104[dot]tv/craig2/  
• hxxp://offerup.com------------------login-confirm-account.aggly[dot]com/Login%20-%20OfferUp.htm  
• hxxp://icloud.com--------------------secureaccount-confirm.saldaodovidro[dot]com.br/  

Like guarding against conventional phishing intrusions, vigilance is ultimately the strongest defense to avoid being exploited by this and the other stealthy scams.