Tutorials

10 quick tips for identifying phishing emails

Avoid falling victim to a phishing attack with these easy tips

Abstract image showing a red @ symbol hooked by a fishing line to symbolise phishing attacks

According to a study by Tessian, 96% of phishing attacks arrive by email, so your employees should hopefully be aware of them and how to report one when they receive one. Despite this move towards a more security-aware culture within organisations, cyber criminals are becoming increasingly clever in their ways to deceive.

Phishing incidents nearly doubled in frequency in 2020, with 241,324 incidents reported compared to 114,702 in 2019, with malicious actors taking advantage of disruptions caused by the pandemic, as well as the availability of more sophisticated malware.

Security awareness, or the lack of it amongst employees, is cited as the main reason for phishing attacks being so popular, as IT and security teams struggle to recognise the more frequent and sophisticated campaigns alone. Coupled with the rise of ransomware-as-a-service (RaaS) and “phishing kits” available for wannabe cyber criminals, users are easily duped into believing the genuineness of the email they’ve received.

Cyber criminals depend on the odd few recipients opening the blanket-sent emails, using large send numbers in the hope that the more emails sent, the more likely they are to find someone to open them and click on the malicious links or follow the request to provide information.

Often, at first glance, the emails can appear to be from legitimate sources or known senders, or even carbon copies of previously received emails, with a spoof sender address in place of the original, making it very difficult to realise its bad intent. However, there are ways for employees to recognise them, so here are some clear giveaways to look out for:

1. You have no account with that company

If you get a message like, “Please update your PayPal account!” but you don’t even have an account with the company, that’s a pretty big red flag. 

While you might pause to think, “What if someone opened an account in my name?” you still don’t want to open this email. Go directly to the company in question and request help.

2. The email account isn’t connected to the company

What if you do have a PayPal account, but it isn’t connected to the email account where you received the message? If you’ve never told the company about your other email account, it shouldn’t send emails to that account. 

It’s that simple. Delete!

Related Resource

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

Large letter 'O' against a background of a city - whitepaper from MimecastFree download

3. The return email address isn’t normal

This is one of the easiest ones to overlook, but one of the most surefire ways to spot a bogus email. 

If you get an email from a known company, the email should come directly from that company. If it’s a bill from Netflix, it should come from something like billing@netflix.com. 

If there are extra letters or numbers in the return email address, it is not legitimate. Even if there is a minor error like billing@netflex.com, it’s a trick.

4. The email asks you to confirm personal information

You’ve probably heard this before, but let it sink in - reputable companies will never request personal information like your PIN number, account numbers or other account details via email. 

Even if everything else in the email looks legit, this is a giant red flag. Never click a link from an email you weren’t expecting and provide personal information. Ever.

5. The email is poorly written

Typos happen. That’s not exactly what we’re talking about here. We’re talking about consistently missed words or poorly phrased sentences, which are clear signs a non-native English speaker wrote the email. 

Reputable companies don’t let that happen. They have editors and proofreaders who verify their emails look professional before they’re sent out. 

6. There is a suspicious attachment

Attachments are pretty common, so we don’t worry about them too much, but we should. 

If you see an email with an unexpected attachment, be suspicious. Most reputable companies will ask you to download assets from their website and will not send you an attachment. 

7. The message is super urgent

A favourite tactic of phishing scams is to put the pressure on right away. The email may claim you have missed a payment, owe the government money or have been recorded through your laptop’s camera. 

These tactics are intended to make you panic and rush to respond to the situation, which means you’ll click on their links to get to the bottom of it. Boom. You’re a phish on the hook!

Don’t respond to high-pressure emails unless you know the reason it appeared. Even if you’re late on your credit card payment and receive a nastygram from your credit card company, don’t use a link from that email to pay or put in information. Go directly to the website.

8. The email doesn’t use your name in the greeting

Does this look familiar? “Dear valued customer” or “Greetings, friend.” Yeah, this is a dead giveaway that an email isn’t from a source you know or work with regularly. 

Any company you have an account with should know your name and use it in emails. That’s standard stuff. If you’re not greeted by name, the sender doesn’t know you, and you probably don’t know them (and don’t want to).

9. The whole email is a hyperlink

If your cursor turns into the pointing hand no matter where it is on the email, the entire email is one giant hyperlink. Why? If the whole email is a hyperlink, any random mouse click delivers the sender’s virus or malware. 

Why wait for you to open an attachment if the hacker can get you with any click? This one is fairly easy to spot and a dead giveaway.

10. The email is from a public domain

If you get an email claiming to be from a business you know and trust, but the sender’s email address is from a public domain like @gmail.com or @outlook.com, this is another red flag. 

Businesses that frequently send out emails have their own domain names, and all emails should come from that domain. If Jill is claiming to be from Vodafone, but her email is Jillydill@yahoo.com, you know it’s at least spam but very likely a phishing attempt.

What should you do if you’re not sure?

If you get a puzzling email, pause before doing anything with it. Go over this list and look for clues. If you’re still not sure, the best thing you can do is contact the company in question directly, not through that email. 

Go directly to the company’s website or call the company and explain what you saw in the email.

It’s possible you’ll alert the company of a fraud scheme it is unaware of. You may also learn the email is legitimate. Either way, by contacting the company directly, you’ve avoided the unnecessary risk from a phishing attack.

How do I report a phishing email?

If you’re fairly certain you have a phishing email on your hands, you can report it to the NCSC forward it to the Suspicious Email Reporting Service (SERS) using report@phishing.gov.uk

Keeping a watchful eye on your inbox and reporting suspicious emails is your best bet to fight back against phishing.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Almost 70% of CISOs expect a ransomware attack
ransomware

Almost 70% of CISOs expect a ransomware attack

19 Oct 2021
Acer Taiwan falls victim to cyber attack
hacking

Acer Taiwan falls victim to cyber attack

18 Oct 2021
Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
£100 contactless payment limit could place shoppers at risk, warn industry experts
Policy & legislation

£100 contactless payment limit could place shoppers at risk, warn industry experts

15 Oct 2021

Most Popular

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021