If you have ever seen an email in your inbox that makes you scratch your head, you’re not alone.
Phishing, an act of social engineering that attempts to deceive through email, can affect anyone. In 2021, 80% of reported security incidents and 90% of data breaches were caused by phishing emails. What’s more, a breach caused by a phishing email cost companies $4.65 million on average.
And phishing is on the rise. According to the Federal Bureau of Investigation, there have been an average of 4,000 cyberattacks a day since the onset of the COVID-19 pandemic. This is a 400% increase of what they had seen pre-pandemic.
But the good news is that you are in full control of your emails and what you click on. By looking for these red flags, you can protect yourself from harmful cyberattacks.
Bad grammar and spelling errors
One could argue it is because most people who attempt to phish are not great writers. But many experts claim most of the grammatical errors and misspellings you see in spam emails are intentional. Why? There are a few reasons:
- Email providers have gotten more sophisticated and know to look for certain words that appear in phishing emails. Therefore, many phishing emails will end up in your spam folder. By misspelling some of those trigger words or using bad grammar, phishers try to trick the spam filter into allowing their emails to pass through.
- Phishers send emails en masse, knowing that a vast majority of them will be ignored. Grammatical and spelling mistakes are a strategy that narrows the field to those who are more likely to respond to the email. Think of a fishing lure: many fish will swim past the hook, but only one needs to take the bait.
Discrepancies in email addresses and domainsAnother piece of the puzzle to look for is where the email is coming from. Most reputable organizations will use an email domain tied to their business, not a mainstream email provider like Gmail or Yahoo. For example, Google will use “google.com,” not “gmail.com”
Also, pay attention to domain names or if the email address has strange combinations of letters and numbers. Let’s look at this example: “IT-Teamemail@example.com.” Here, the sender is trying to use the term “IT” to look legitimate, but the random numbers should be a tip-off that this isn’t right. In addition, Outlook, a popular email platform, is misspelled.
A legitimate business will call you by your name, not address you by part of your email address. So, if your email is firstname.lastname@example.org, you should be suspicious if the email begins with something like “Dear sample123.”
Also be mindful of emails that use generic terms like “customer” or “account holder,” especially if they are asking you to click on a link or provide personal or financial information.
Be especially mindful of any email that contains links, even from sources that may appear trustworthy on the surface. You could be taken to a website that will try to collect your information or encourage you to download harmful malware or ransomware, which could have dire financial consequences.
But you are in full control of the links you click on, so it is always important to look at the URL to see if it looks suspicious. You can do this by hovering your cursor over the link on a desktop computer or laptop. On mobile devices, you can press and hold a link to trigger a pop-up containing the link.
Look for “https” to signal that the site is secure and if the link doesn’t seem correct or match the email context, do not click on it.
Emails as images
A legitimate company will never force you to click anything on their emails. But some phishers will try to get you to accidentally click by turning their entire email into a single image that can be clicked on as a link.
You can sometimes spot this if the email itself has a low picture quality and looks fuzzy on your screen. But to be safe, keep an eye on your courser on desktop and press and hold an email on mobile. If the entire email is a linked image, you will notice your cursor change or see a pop-up containing the link the image is leading to.
A tell-tale sign of a phishing email is an attachment. If you did not conduct business with the company or ask for anything that would be attached to an email, do not click on the attachment. Be especially wary of files that have extensions like “.exe” or “.zip,” which likely contain dangerous malware or ransomware.
If the suspicious email comes from a company or person you do business with, reach out to the them yourself using verified contact information, not the email information on the message you received.
Emails requiring immediate action
Remember, phishers are trying to get your attention and hope their message will be strong enough to have you ignore the other red flags outlined in this article. That is why phishing emails frequently use language that triggers urgency in hopes of getting you to click.
Be wary of emails that:
- Threaten access to services
- Claim an account has been locked out
- Offer a limited amount of time to react
- Encourage you to click on a suspicious link or attachment
- Intimidate you with consequences for not acting
What to do when you see a phishing email
This all might sound scary but phishing only succeeds when the user falls for its schemes. That is why it is so important to remain vigilant of any suspicious email that ends up in your inbox. If you come across one, here are some things you can do:
- Use your email provider’s “Mark as Spam” feature to flag any future emails from that sender as spam
- If you are at work and your organization has its own IT department, follow their protocol for reporting spam emails
- Report the email to the Federal Trade Commission at ftc.gov
The bottom line: When it comes to phishing, you are the first line of defense. Look for red flags before opening any email that looks suspicious.