How to Spot a Phishing Email

Cybercriminals are continually inventing new ways to obtain sensitive information, and phishing by email is their most common method. A phishing email contains a link you are enticed to click, usually under the pretext that suspicious activity on an account needs your attention or that a prize is waiting for you. The link leads to a page that asks you to enter information, and anything you type there goes straight to the scammers.

Broadly speaking, there are two types of phishing scams. Conventional phishing is crude and indiscriminate, sent in bulk to whatever collection of email addresses the scammers could cobble together. Spear phishing is targeted: the scammers take the time to impersonate a person, company, or government agency you would expect to receive email from, and they often use details they already know about you to make the message convincing.

Being informed is the best defense, and some telltale signs let you know you're being phished. Below, you'll find a rundown of signs to look out for, along with links to several quizzes you can take to test your phish-smelling acumen.

How to Recognize Phish-y Emails

[Image: an example of a common phishing email. Credit: Jerri Ledford]

As soon as you open a phishing email, you may notice that some things aren't quite right. For example, the message shown here appears to be from Capital One, a well-known bank. Banks, however, don't send emails asking customers to click a link and enter account credentials or other personal information, and neither do most other businesses, such as Facebook or PayPal.

One way to limit the damage if you do type your password into a fake page is to turn on two-factor or multi-factor authentication (MFA) wherever an account offers it. With MFA, a password alone is not enough: when someone tries to log in, the service also demands a second proof of identity, such as a code generated by an authenticator app, a code sent by text message to your phone, or a tap on a hardware security key, and the login fails without it. Keep in mind that a code you type into a fake page can be forwarded to the real site just as your password was, so an authenticator app or a security key is stronger than a texted code, and you should never enter a code on a page you reached through a link in an email.

Examine Email Addresses Carefully

[Image: the sender address of a phishing email. Credit: Jerri Ledford]

In almost every case, legitimate institutions send email from a domain associated with their website.

Take a close look at the address in the image, for instance. Notice how it ends with "@online.com". That's your first clue that this might be a phishing email, because the message claims to be from Capital One. Look at any genuine email from Capital One in your inbox and you'll see that it comes from an address ending in "@capitalone.com". Check the actual address, not the friendly display name in front of it, which the sender can set to anything at all, and read the whole domain after the @ sign: an address at a domain like "capitalone.com.something-else.net" belongs to something-else.net, not to the bank.
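The following script is an added example, not code from the original article; it shows how the sender check above can be done mechanically on the raw From: header. The sample messages are constructed for illustration, the ".example" and "online.com" domains stand in for whatever the scammers really used, and the small table of look-alike characters is an assumption. It also goes slightly beyond the text by catching two tricks the display name makes possible: an address smuggled into the display name, and the expected domain used as a mere subdomain label in front of the attacker's real domain.

```python
"""Check which domain an email really came from, ignoring the display name.

Added example; it is not code from the original article. The sample headers
are constructed, and "capitalone.com" is simply the domain the reader expects.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. The ".example" domains and "online.com" stand in
# for whatever the scammers actually used.
SAMPLE_MESSAGES = {
    "legit": "From: Capital One <alerts@capitalone.com>\nSubject: Your statement\n\n...",
    "legit_subdomain": "From: Capital One <alerts@notify.capitalone.com>\nSubject: Your statement\n\n...",
    "wrong_domain": "From: Capital One <security@online.com>\nSubject: Urgent: verify your account\n\n...",
    "display_name_spoof": 'From: "alerts@capitalone.com" <verify@mail-notice.example>\nSubject: Verify\n\n...',
    "subdomain_trick": "From: Capital One <alerts@capitalone.com.account-verify.example>\nSubject: Verify\n\n...",
    "lookalike": "From: Capital One <alerts@capita1one.com>\nSubject: Verify\n\n...",
}

# Assumption: a tiny table of characters scammers swap in for look-alike letters.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def from_address(raw_message: str) -> tuple:
    """Return (display name, address) parsed from the From: header."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))


def sender_domain(raw_message: str) -> str:
    """Domain of the real From address, lower-cased, or '' if there is none."""
    _name, address = from_address(raw_message)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def is_from_expected_domain(raw_message: str, expected_domain: str) -> bool:
    """True only if the domain is expected_domain or a subdomain of it.

    The dot boundary matters: 'notcapitalone.com' must not pass, and neither
    must 'capitalone.com.account-verify.example', where the brand is merely a
    subdomain label in front of the attacker's real domain.
    """
    domain = sender_domain(raw_message)
    expected = expected_domain.lower()
    return domain == expected or domain.endswith("." + expected)


def classify(raw_message: str, expected_domain: str) -> str:
    """Label a message: 'ok', 'lookalike', 'display-name-spoof' or 'wrong-domain'."""
    name, _address = from_address(raw_message)
    domain = sender_domain(raw_message)
    expected = expected_domain.lower()
    if is_from_expected_domain(raw_message, expected):
        return "ok"
    if domain.translate(CONFUSABLES).replace("rn", "m") == expected:
        return "lookalike"
    if "@" in name:
        # An address written into the display name so that mail clients show
        # it in place of the real, unrelated sending address.
        return "display-name-spoof"
    return "wrong-domain"


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        name, address = from_address(raw)
        print(f"{label:>20}: {classify(raw, 'capitalone.com'):<20} "
              f"display='{name}' address='{address}'")
```

Note that this only examines the address the sender chose to put in the header. A message can also carry a forged From: address outright; whether a receiving mail server rejects that depends on the sending domain's SPF, DKIM and DMARC settings, so a domain check like this is a first filter, not proof that the mail is genuine.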

Check Links to See Where the URL Is Pointing

[Image: a link in a phishing email, with the real destination shown on hover. Credit: Jerri Ledford]

Looking at the link in this email message, it appears to lead to "onlinebanking.capitalone.com", but the text you see and the address the link actually opens are two separate things: the visible text can be hyperlinked to any site at all. One way to tell where you'll really end up is to place your pointer over the link without clicking it.

If you're on a laptop or desktop computer, the real destination appears in a tooltip, like the one shown in the image above, or in the status bar at the bottom of the window. In phishing emails, this address rarely matches what's displayed in the message.

If you're on a mobile device, hovering isn't an option. You can still check the link by pressing and holding it until a dialog box comes up. The dialog shows the full URL, and you'll have the option of copying it. Whatever device you're on, if the destination isn't where you expected, don't open it; go to the site by typing its address yourself.
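The hover check above can be automated for an HTML message: collect every link, and flag those whose visible text looks like a web address but names a different host than the href behind it. The script below is an added example, not code from the original article. The HTML fragment is constructed in the style of the message described, and the "verify-now.example" domain is a placeholder.

```python
"""Compare what a link in an HTML email shows with where it really points.

Added example, not from the original article. The HTML fragment is
constructed; "verify-now.example" is a placeholder for a scammer's domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body resembling the phishing message discussed above.
SAMPLE_HTML = """
<p>We detected unusual activity on your account.</p>
<p>Sign in at <a href="http://onlinebanking.capitalone.com.verify-now.example/login">onlinebanking.capitalone.com</a> to confirm.</p>
<p>Questions? Visit <a href="https://www.capitalone.com/help">our help center</a>.</p>
<p>Or <a href="https://www.capitalone.com/">https://www.capitalone.com</a>.</p>
"""

# Visible text that itself reads like a URL or a bare hostname.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_like: str) -> str:
    """Hostname of a URL, tolerating bare 'host/path' text without a scheme."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Does the visible link text itself look like a URL or hostname?"""
    return URL_LIKE.fullmatch(text) is not None


def mismatched_links(html: str) -> list:
    """Return (text, href) for links whose visible text names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        if not looks_like_url(text):
            continue  # plain words like "our help center" cannot be compared
        if host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_HTML):
        print(f"shows {text!r} but opens {host_of(href)!r} ({href})")
```

Links whose text is an ordinary phrase ("our help center") cannot be judged this way; for those, only the hover or press-and-hold check tells you anything, and the href host still has to be read all the way to its end.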

Anti-Phishing Extensions

You can install anti-phishing extensions that help detect phishing pages and malware redirects. A browser extension can only inspect what is opened in that browser, so this works best if you read your mail in a web-based email client. Keep in mind that these tools aren't foolproof: they rely on lists of known bad sites and on heuristics, so a brand-new phishing page may slip past them, and you'll still need to stay alert to avoid scams.

There are many extension options available for all kinds of browsers. Here are some anti-phishing Google Chrome browser extensions as examples:

Be Aware of the Common Ploys Phishers Use to Try to Trick You

[Image: an "Urgent" marking in a phishing email. Credit: Jerri Ledford]

Phishing emails are routinely marked "Urgent" or carry a subject line demanding immediate action. The scammers want you to act before you have time to notice the telltale signs, such as a suspicious sender address. Don't fall for this ploy. A legitimate organization will rarely, if ever, mark an email as urgent, and a genuine problem with your account will still be there after you take a few minutes to verify the message through another channel.

Erroneous Account Activity

One common phishing tactic is to tell the recipient that "regular maintenance" turned up an error of some kind in their account. A link is then provided with a request to confirm the account information.

If your credit card provider or bank finds an error in your account, you will most likely receive a letter in the mail explaining the situation. On rare occasions you might get a phone call, but even that is unlikely, because of the fraud risk that unsolicited calls asking about account details create for the bank and its customers.

If you receive a suspicious email along these lines, don't hesitate to contact the bank through a channel you already trust, rather than through anything in the email. Call the number on the back of your credit card, or sign in through the bank's mobile app and contact customer service that way. They will tell you whether the request is legitimate.

Look for Bad Spelling, Syntax, and Grammar

[Image: a spelling error in a phishing email. Credit: Jerri Ledford]

Have you ever seen a letter from your credit card company or bank that included misspellings or typos? Probably not. Those companies proofread everything they send to customers, and the same goes for their email.

Misspellings, odd punctuation, and awkward phrasing are easy to spot and point to an amateur trying to steal your identity. The reverse is not a guarantee, though: well-funded scammers and spear phishers produce clean, professional copy, so a flawless message still needs its sender address and links checked.

Test Your Ability to Tell the Real From the Fake

Now that you know what to look for, you can practice pinpointing phony emails. Many companies offer phishing tests that let you check your awareness of common phishing tactics. Here are a few examples you can use to test your knowledge:

Spear Phishing, Smishing, and URL Padding

Other forms of phishing are more sophisticated and subtle, which makes them much harder to detect.

Spear Phishing

Spear phishing is more insidious than conventional phishing because it is carried out with tactical precision. After acquiring detailed personal information about the target, whether from social media, data breaches, or an earlier compromise, the criminals send seemingly harmless emails that appear to come from trusted contacts. The emails typically carry an attachment that installs malware on the user's computer without their knowledge, or a link to a convincing login page that captures credentials. In one of the most prominent examples of this tactic, U.S. intelligence officials say spear phishing was used by Russian hackers in the days leading up to the 2016 election.

Once the malware is installed, you may or may not notice that it is there. Stealthy malware logs your keystrokes or takes screenshots of your computer without your knowledge. More obvious malware includes ransomware, which encrypts your files and renders the computer useless until you pay a ransom.

Smishing

Smishing is phishing carried out over text messages on mobile devices (the "SMS" stands for Short Message Service, the technical term for texting). The attempt is the same as email phishing, but it arrives as a text: a message claims to be from your phone carrier, Facebook, or your bank, and it includes a link. Tapping the link puts you at risk of being compromised.

This scenario plays out often enough that the Federal Communications Commission (FCC) posts tips on its website to help consumers avoid being scammed. Here are some of the agency's tips:

  • Never click links, reply to text messages, or call numbers you don't recognize.
  • Do not respond, even if the message requests that you "text STOP" to end messages.
  • Delete all suspicious texts.
  • Make sure your operating system and security apps are updated to the latest version.
  • Consider installing anti-malware software on your device for added security.

URL Padding

With this scam, criminals create links that look like legitimate URLs at first glance. The hostname begins with the real brand's domain, such as login.comcast.net, but that is followed by a long run of hyphens and filler text, and the domain the link actually leads to comes only at the very end, after the last dot. Because the beginning of the address is all that fits in a narrow mobile address bar, the tactic is far harder to notice on a phone than on a desktop, where the whole URL is visible. Crane Hassold, Director of Threat Intelligence at PhishLabs, lists these examples of malicious URL padding on the company's blog (reproduced here defanged, with "hxxp" and "[dot]" in place of "http" and a period):

  • hxxp://login.Comcast.net-------account-login-confirm-identity.giftcardisrael[dot]com/    
  • hxxp://accounts.craigslist.org-securelogin--------------viewmessage.model104[dot]tv/craig2/  
  • hxxp://offerup.com------------------login-confirm-account.aggly[dot]com/Login%20-%20OfferUp.htm  
  • hxxp://icloud.com--------------------secureaccount-confirm.saldaodovidro[dot]com.br/  
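To see why the padding works, it helps to parse the hostname the way a browser does: only the final labels determine where the link goes. The script below is an added example, not code from the original article or PhishLabs; it takes the four defanged URLs quoted above, undoes the defanging, and separates the brand shown at the front from the domain actually registered at the end. The refang() helper and the small table of two-label suffixes are assumptions made for the example; real tooling would consult the full Public Suffix List.

```python
"""Pull the real domain out of a padded hostname.

Added example, not from the original article. The URLs are the four defanged
examples quoted above; refang() and the small suffix table are assumptions.
"""
import re
from urllib.parse import urlparse

PADDED_URLS = [
    "hxxp://login.Comcast.net-------account-login-confirm-identity.giftcardisrael[dot]com/",
    "hxxp://accounts.craigslist.org-securelogin--------------viewmessage.model104[dot]tv/craig2/",
    "hxxp://offerup.com------------------login-confirm-account.aggly[dot]com/Login%20-%20OfferUp.htm",
    "hxxp://icloud.com--------------------secureaccount-confirm.saldaodovidro[dot]com.br/",
]

# Assumption: a stand-in for the Public Suffix List covering only what the
# samples need. Real tooling should use the full list.
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au"}


def refang(url: str) -> str:
    """Turn hxxp:// and [dot] back into a URL a parser will accept."""
    return url.replace("hxxp://", "http://").replace("[dot]", ".")


def registrable_domain(hostname: str) -> str:
    """The domain the attacker actually registered: the last labels of the host."""
    labels = hostname.lower().split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


def imitated_host(hostname: str) -> str:
    """The legitimate-looking prefix shown before the first hyphen."""
    return hostname.lower().split("-", 1)[0]


def analyze(url: str) -> dict:
    """Summarise where a link really goes and what it pretends to be.

    A host is reported as padded when it contains a run of three or more
    hyphens and the brand at the front is not the domain at the end.
    """
    host = urlparse(refang(url)).hostname or ""
    real = registrable_domain(host)
    shown = imitated_host(host)
    padded = re.search(r"-{3,}", host) is not None and registrable_domain(shown) != real
    return {
        "host": host,
        "registrable_domain": real,
        "imitated_host": shown,
        "padded": padded,
    }


if __name__ == "__main__":
    for url in PADDED_URLS:
        info = analyze(url)
        print(f"shows {info['imitated_host']:<26} really {info['registrable_domain']}")
```

Hyphens are legal inside a DNS label, so nothing in the URL is malformed; "login.comcast.net-------account-login-confirm-identity" is simply one very long subdomain label of giftcardisrael.com. That is why the rule for the reader is the same as the rule in the code: find the last dot in the hostname and read backwards from there.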

As with conventional phishing, vigilance is ultimately the strongest defense against this and the other stealthy scams: read the whole address, all the way to the end, before you trust it.