5 Ways to Identify a Phishing Email

How to Spot a Phishing Email

Phishing emails are all the rage with fraudsters! Why? Because they’re easy to make and deploy. And, unfortunately, they work. The real question is how you can identify phishing emails and stop them before they ruin your business.

Why are phishing emails dangerous?

Before we dive into our five easy tips for identifying a phishing email, let’s quickly explain what we mean by “phishing.” Here’s the definition from our Cyber 101 section:

When someone sends an email with links to things that seem okay but are actually dangerous. 

There are many types of phishing, like smishing (SMS or text phishing), vishing (voice phishing), and whaling (phishing that targets people in charge of an organization, like a CEO).

So, what counts as “dangerous”? Well, imagine you work in your company’s financial department and receive an email asking you to click a link to change your password to your bank account. Or imagine you’re an HR manager at a hospital, and an email requests you click a link to reset your password for the patient account portal (where all the hospital patient records reside).

That’s why phishing emails are dangerous. They try to put people in positions where they will unknowingly give up control of their website, data, bank account, or other digital property to a bad actor. Phishing emails don’t work all the time, or even most of the time. But they work often enough to be very, very dangerous, and they are one of the most common attacks used.

What happens after a phishing email?

So sure, phishing emails are extremely dangerous. But here’s the good news: if you take the correct action on a phishing email, nothing bad will happen. Generally speaking, doing the right thing involves:

  • Marking it as spam

  • Reporting it to IT

  • Deleting the email

Hopefully, your organization has it set up so that once you mark it as spam, the other two steps happen automatically!

Now, what if you do the wrong thing? Well, you might not even know. According to the Verizon Data Breach Investigations Report, while about 60% of data breaches are discovered within days, 20% take months to detect. That’s plenty of time for criminals to lurk inside your systems, doing and taking whatever they want.

Bottom line: Successful phishing emails can sink a business, so it’s best to ensure you know how to identify them. Fortunately, that isn’t rocket science. It just takes a little guidance and persistent awareness. Here are five ways to identify whether you are looking at a phishing email.

1. The email is poorly written

When we open an email, we tend to read it quickly. Our minimal expectation is that the email makes sense, especially in a work setting. This can be problematic, especially when money and accounts are involved. So if you receive an email that makes you wonder whether your 7-year-old wrote it, you might be looking at a phishing email. 

For instance, here is a snippet from an actual phishing email:

“Paypal is automatically locked to protect your security and you will not be able to sign in to any Paypal Limited.”

Notice how the email starts off OK, then quickly ends with terrible grammar. “... You will not be able to sign in to any Paypal Limited” — um… what is that supposed to mean? 

Awkward writing is a hallmark of a phishing email. Many of the people who write phishing emails operate in international locations where English isn’t their native or even primary language. If they are quickly typing phishing emails or relying on free translation apps, their writing will likely be poor, a top indicator of suspicious activity.

2. The domain name is questionable

If you start to suspect a phishing email for any reason, look at the domain name — it could be a dead giveaway for a phishing email. Here’s why. 

In an email address, the domain name is the part that comes after the “@” symbol and before the “.com” part. Many people use Gmail for their personal email, meaning “gmail” is the domain name. So if you receive a work email from an account with a Gmail domain, you should double-check to ensure it’s from a legitimate external sender.

At work, your domain tends to be your organization’s name. That’s the way it is here at decodingCyber. When people reach out to us, we reply from our “@decodingcyber.com” email address — which means you can trust it’s really us.

The problem is bad actors know this, so they may create domain names that seem legitimate at first glance. For instance, if you get an email from someone “@decodlngcyber.com,” you might not see how a lowercase L (“l”) has replaced the “i” — indicating a fraudulent email.

Domain names can cause your Spidey Senses to tingle, whether in email or on a website. The two often go hand-in-hand. Phishing sites use a brand name in the domain name 29% of the time because they know that if someone gets an email to reset their Amazon account password, they may not realize that the email domain is “@amaxon.com” and the site domain is “amazonaccountresett.com” (hint: that’s not an actual website!). Those are clear signs of a phishing attack, but only if you’re paying attention.
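The lookalike check described above can be automated. This is an added example, not code from decodingCyber: the allow-list, the edit-distance threshold of 2, and the function names are assumptions chosen for illustration, and the test domains are the ones quoted in this section.

```python
# Constructed allow-list of domains you actually expect mail from (assumption).
TRUSTED = {"decodingcyber.com", "amazon.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete a character
                           cur[j - 1] + 1,             # insert a character
                           prev[j - 1] + (ca != cb)))  # swap a character
        prev = cur
    return prev[-1]

def domain_of(address: str) -> str:
    """Everything after the last '@', lower-cased (bare domains pass through)."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def classify(address_or_domain: str, trusted=TRUSTED) -> str:
    """Label a sender address or link domain against the allow-list."""
    domain = domain_of(address_or_domain)
    if domain in trusted or any(domain.endswith("." + g) for g in trusted):
        return "trusted"  # exact match or a subdomain of a trusted domain
    for good in sorted(trusted):
        # One or two changed characters: "l" for "i", "x" for "z", and so on.
        if edit_distance(domain, good) <= 2:
            return f"lookalike of {good}"
        # The brand name pasted into a longer, unrelated domain.
        brand = good.split(".")[0]
        if brand in domain:
            return f"brand '{brand}' inside unrelated domain"
    return "unknown"
```

A result of "unknown" only means the domain resembles nothing on the allow-list; it still deserves the other four checks.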

3. The links look suspicious

Before you click a link in an email, look at it closely. Don't click if the URL (Uniform Resource Locator) looks strange. If you can’t see the URL because it’s embedded in the text, hover over the text; on most web browsers, this will cause the URL to show up in the lower-left-hand corner.

Remember that there is no single way to identify a fraudulent link. Some websites have strange names, and domains and security elements have evolved over the internet’s lifespan. So here’s a quick tip: Any link that ends in “.ru” can be ignored. Haha… unless you expect the link to take you to a site hosted in Russia. If you do, then click away! 🙂 The truth is that you should pay attention to international top-level domains, as they tend to be easy indications of potential phishing emails. It’s doubtful that your IT department is sending password reset emails from their computers hosted in North Korea.

As the graphic shows, the domain name consists of three main parts, plus the transfer protocol, though the browser usually hides it. Truth be told, you would be best off if you only went to sites with the HTTPS protocol. The “S” denotes that the site is “Secure,” as it uses Secure Sockets Layer (SSL) certificates, known today as Transport Layer Security (TLS) certificates, to encrypt standard HTTP requests and responses. Sometimes a site might register with a Country Code Top-level Domain, like .us (for the United States) or .ru (for Russia). Either way, you need to review all links before clicking on them to ensure they are not suspicious.

Pro-Tip (to safely view a link’s URL on a computer)

Hover over a link (remember, don’t click on it, hover over it). You can see the website’s URL tied to the link in the lower left-hand corner of your screen.

Pro-Tip (to safely view a link’s URL on mobile)

It is a tad trickier than on a computer. You have to press and HOLD the link. It will not take you to the link’s destination, but it will show you the URL tied to the link.
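Hovering shows you one link at a time; the same review can be done over every link in a message without clicking any of them. This is an added example, not code from decodingCyber: the function names, the list of expected top-level domains, and the sample message body are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def review_links(html_body, expected_tlds=("com", "org", "net", "us")):
    """Return one dict per link: the real host and reasons to look twice."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = []
    for text, href in parser.links:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        reasons = []
        # HTTPS only encrypts the connection; it does not prove who runs the site.
        if url.scheme != "https":
            reasons.append("not https")
        if host.rsplit(".", 1)[-1] not in expected_tlds:
            reasons.append("unexpected top-level domain")
        # Link text that is itself a URL or host name, but names another host.
        if "." in text and " " not in text:
            shown = urlsplit(text if "//" in text else "//" + text).hostname
            if (shown or "").lower() != host:
                reasons.append("visible text shows a different host")
        report.append({"text": text, "host": host, "reasons": reasons})
    return report

# Constructed sample body; example.ru is a placeholder, not a real sender.
SAMPLE = """<p>Dear customer,</p>
<a href="http://amazonaccountresett.com/login">https://www.amazon.com/reset</a>
<a href="https://decodingcyber.com/">Cyber 101</a>
<a href="https://password-reset.example.ru/">Reset your password</a>"""
```

Calling `review_links(SAMPLE)` flags the first and third links and leaves the second alone; an empty list of reasons means nothing was flagged, not that the link is safe.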

4. The greeting is generic

This is one of the smallest items in the phishing email identification playbook, but it’s critical. When regular people write real emails, they tend to personalize the greeting to connect with their readers. On the other hand, when bad actors write phishing emails, they are often too uninformed or uninterested in doing that. So you might be looking at a phishing email if:

  • Your name isn’t listed in the greeting

  • The greeting is “Hi”

  • The greeting is elaborate and out of place, like, “Dear kindest sir,”

  • There is no greeting  

You might be thinking, “Hey…wait a minute. My work BFF never writes a greeting.” Well, sure, sometimes close colleagues don’t include personal greetings. But bad actors rarely do because they’re spamming people at scale. They don’t have time to worry about names or greetings. TBH, that level of detail is a bit too complicated to implement seamlessly in their scheme. They are banking on you not reading or thinking about the greeting. They just want to jump right to the heart of their request and hope you’ll be scared/excited/[insert a strong emotional response they are hoping to invoke] enough not to care about anything else.

5. The email contains a strange sense of urgency

Finally, you can often identify a phishing email simply by the strange sense of urgency in the writing. If the email makes you feel like you have to act now… or otherwise something terrible will happen… and you start to panic or feel anxious, it is, in all probability, a phishing email.

The objective is to get you to act in haste. They will quickly capitalize on your mistake before you can counter or correct your error.

Conclusion

Please remember that these are all clues and that you only need some of the five! Sometimes, just one is enough. If you ever have any doubt, go directly to the sender's website and contact them via one of their official channels.

For example, say you have an email from the "FBI" informing you of an active arrest warrant, and you want to make sure you don't have one. Open another tab or browser, visit the FBI's official website, and click on the "contact us" link. Ask them directly. Please do not click on any link in the email.

Psst… just a little FYI — the FBI will never send you an email about an outstanding arrest warrant. They will just arrest you. 😉

Let's all be safe and not fall prey to a phishing email.

Michael F. D. Anaya | Founder

I’m a techie who’s been in cybersecurity for over two decades. My passions are being a top-tier dad, helping others, speaking in public, and making cyber simple. I am also partial to cheesecake and bourbon, but not together… well, come to think of it, it might be a killer combo! TBD.

https://www.mfdanaya.com