How to Spot a Phishing Email

As soon as you open a phishing email, you'll notice that some things aren't quite right. For example, the message here looks to be from Capital One, a well-known banking institution. Most banks, however, don't send emails requesting customers to click on links or provide personal information. Neither do most other businesses, for that matter, such as Facebook or PayPal.

One way to protect yourself is to set up two-factor or multi-factor authentication (MFA) on your accounts whenever possible. MFA adds another level of protection on an account. When an attempt is made to log into your account, a code is auto-generated and delivered by text to your phone. That code must be entered to confirm your identity, or else the login fails.

In almost every case, legitimate institutions generate emails from a domain associated with their website.

Take a close look at the address in the image to the right, for instance. Notice how it ends with ​​"@online.com." That’s your first clue that this might be a phishing email because the message claims to be from Capital One. Take a look at any other emails from Capital One in your inbox, and you'll see that the real emails come from an address that ends in "@capitalone.com."

Looking at the link in this email message, it appears to lead to ​"onlinebanking.capitalone.com," but you don't know for sure if that's where the link will actually send you. The text could be hyperlinked to send you to another site. One way to tell if what you see is where you’ll end up is to place your pointer over the link — but don't click it.

If you're on a laptop or desktop computer, a pop-up window like the one shown in the image above should appear with the real URL attached to the link. In phishing emails, this address rarely matches what’s displayed in the email. ​

If you're on a mobile device, hovering isn't an option. You can still check the link by pressing and holding the link until a dialog box comes up. When you do that, the full URL will be shown, and you'll have the option of copying it.

You can download anti-phishing extensions that help detect phishing and malware misdirection. This is more effective if you're using a web-based email client. Keep in mind that these tools aren't fool-proof, and you'll still need to remain diligent to avoid scams.

There are many extension options available for all kinds of browsers. Here are some anti-phishing Google Chrome browser extensions as examples:

• Avast Online Security
• Avira Browser Saftey
• Emsisoft Browser Security
• Identity Guard Safe Browsing
• ipty.de/av
• Windows Defender Browser Protection

Phishing emails are routinely marked as "Urgent." The scammers want you to act as quickly as possible so you don't have time to recognize tell-tale phishing signs, like suspicious email addresses. Don't fall for this ploy. A legitimate organization will rarely — if ever — mark emails as urgent.

One common phishing tactic involves telling email recipients that "regular maintenance" turned up an accounting error of some type. A link will then be provided with a request to confirm the account information.

If your credit card provider or bank finds errors in your account, you will most likely receive a letter in the mail explaining the situation. On rare occasions, you might receive a phone call, but even that isn’t likely to happen because of the risks to the creditor or banks that are involved.

If you receive a suspicious email along these lines, don't hesitate to reach out to the bank through alternate means. Call the number on the back of your credit card or log into your account through the bank's mobile app and contact customer service that way. They will let you know whether the request is legitimate or not.

Have you ever seen a piece of mail from your credit card company or bank that included misspellings or typos? Probably not. That’s because those companies proofread everything they send out to customers.

Similarly, these companies wouldn't send out email messages that included misspellings and punctuation errors. Errors of this kind are easy to spot and are indicators that an amateur is trying to steal your identity. 

Now that you know what to look for, you can practice pinpointing the phony emails. Many companies offer phishing tests that allow you to test your awareness of common phishing tactics. Here are a few examples you can use to test your knowledge:

• Phishing Quiz by Google
• Spot the Phish by Sophos
• Phishing IQ Test by SonicWall.com

Other forms of phishing are more sophisticated and subversive, which makes the intrusions much more difficult to detect.

Spear phishing is more insidious than conventional phishing. This scam is attempted with more tactical precision. After illicitly acquiring detailed personal information, the criminals send seemingly harmless emails that appear to be from trusted contacts. The emails typically contain malware attachments that install onto the user's computer without their knowledge. In one of the most prominent examples of this tactic, U.S. intelligence officials say spear phishing was used by Russian hackers in the days leading up to the 2016 election.

Once it's installed, you may or may not recognize that the malware is there. Stealthy malware will track your keystrokes or take screenshots of your computer without your knowledge. More obvious malware includes ransomware, which renders your computer useless until you pay a ransom.

Smishing is executed on mobile devices using texting services (the "SMS" refers to the technical term for texting, "Short Message Service"). The heist attempt here is identical to an email phishing attempt, but it comes through a text. A text message claims to be from your phone carrier, Facebook, or your bank, and it includes a link. When the link is clicked, you're at risk of been compromised.

This scenario is being played out frequently enough for the Federal Communications Commission (FCC) to post tips on its website to help consumers avoid being scammed. Here are some of the agency's tips:

• Never click links, reply to text messages, or call numbers you don't recognize.
• Do not respond, even if the message requests that you "text STOP" to end messages.
• Delete all suspicious texts.
• Make sure your operating software and security apps are updated to the latest version.
• Consider installing anti-malware software on your device for added security.

With this scam, criminals create links that mirror legitimate URLs at first glance. However, by tacking hyphens and a string of text at the end of the URL, scammers can change the actual URL destination. While this tactic would be more readily recognizable on a desktop device, it's hard to notice on a mobile device. Crane Hassold, the Director of Threat Intelligence for Phish Labs, lists these examples of malicious URL padding on his company's blog:

• hxxp://login.Comcast.net-------account-login-confirm-identity.giftcardisrael[dot]com/    
• hxxp://accounts.craigslist.org-securelogin--------------viewmessage.model104[dot]tv/craig2/  
• hxxp://offerup.com------------------login-confirm-account.aggly[dot]com/Login%20-%20OfferUp.htm  
• hxxp://icloud.com--------------------secureaccount-confirm.saldaodovidro[dot]com.br/  

Like guarding against conventional phishing intrusions, vigilance is ultimately the strongest defense to avoid being exploited by this and the other stealthy scams.