Identify the red flags of phishing
Lack of personalization
Did the email use a generic salutation such as ‘Dear Customer’ or nothing at all? Service providers usually know who you are and typically personalize emails with your name and the last few digits of your account number.
Bad spelling and grammar
Legitimate businesses go out of their way to proofread their email. If an email has lots of spelling mistakes or improperly worded sentences, it’s likely a phish.
Strange website links
If you hover your mouse over a website link, you will see the actual destination of the website you’re about to visit (on some mobile devices you can accomplish the same thing by holding your finger on the link for a second or two). If that location differs from the way the link is written in the email, it’s a good indication of an attack.
Suspicious attachments
If you don’t know the sender, or receive something from a friend that looks suspicious, don’t open the attachment. If it is from someone you know, you can always pick up the phone and give them a quick call to make sure they actually sent the email.
Requests for sensitive information
Be suspicious of requests for sensitive information, such as user IDs and passwords, financial account numbers, health information or social security numbers.
Unfamiliar sender
The sender is someone you do not know, and the email address is one you’ve never seen before or looks different than it should.
Authoritative-sounding sender
A person representing a company or entity sends an email asking for information they should already have.
Blank or “undisclosed” recipients
Sometimes phishing emails are sent to a lot of people. Other times you see something like “undisclosed recipient list” in the “To:” field. Both are potential red flags.
Urgent call to action
Messages that are urgent in nature, or that request an immediate call to action, are a common method used to rush people into making mistakes and are another good indicator of phishing.
External
If you think you received an external email that you need to do your job, but you aren’t sure if it is safe, here are some tips to help you verify it on your own. Proceed with caution!
Advanced techniques to identify phishing
- Do an online search to make sure a company exists and the contact information they provide – like address and phone number – is correct.
- Try to do an online people search via LinkedIn or Google to verify that the person sending the email works at the company listed.
- Navigate the company’s website in a browser to see if the URLs in the email match up. If they do, then the email is likely safe.
- If you do business with the company, use your own contact information to verify that the email you received is legitimate. Call them directly!
- Ask someone you know at work if they know the company and/or person who sent you an email.