How to identify phishing emails. Six things to look out for.
Phishing emails are a type of cyber attack that may request personal data such as bank details or usernames and passwords. They may encourage you to click a malicious link or download a harmful file and will often disguise themselves as a genuine email, from a legitimate source.
These types of emails are sent at an alarming rate and it is likely that you will encounter phishing attempts on a regular basis. You may have seen a few, particularly in your spam folder. As phishing emails will often be disguised to look genuine, in an attempt to get you to comply, it is critical that you know what to look for. This way you can verify whether an email is legitimate or otherwise and keep your company safe.
In this blog post, we have identified six ways of spotting whether an email is a phishing attempt and included an infographic at the bottom to help you and colleagues remember. Please feel free to download, print and share the graphic with those you work with, so they too can identify phishing emails.
Check the display name AND the email address.
The display name is the name you see in your email inbox when you receive an email. It is always a good place to start when identifying malicious emails. Is the display name spelt correctly and is it formatted in a conventional manner? People can always make mistakes when setting their display name, but strange characters, poor use of grammar or spelling mistakes might suggest the sender is not who they say they are.
With that being said, don’t rely solely on the display name. Unfortunately, these can be easily manipulated by the person sending the email. Also check that the email address itself looks legitimate, follows normal conventions and is the same as any previously used by that person or company. For example, if you have had an email conversation with Sam@Acme.com you should be wary if you receive a future email claiming to be from Sam with the email address Sam11@Acme-Corp.net.
The email address isn’t as prominent as the display name in most email clients, so make sure you take a specific look at it to check whether it looks legitimate or not.
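The check described above can also be automated for a mailbox. The following is an added example, not part of the original post: it parses a From: header, compares the address with the one previously seen for the same display name, and reports what changed. The address book and the function name check_sender are assumptions made for illustration; the addresses are the ones from the example above.

```python
from email.utils import parseaddr

# Constructed address book: display name (lowercased) -> address used in
# earlier, trusted conversations. Values taken from the example above.
KNOWN_SENDERS = {"sam": "sam@acme.com"}


def check_sender(from_header, known=KNOWN_SENDERS):
    """Return a list of (code, detail) findings for one From: header value."""
    display, address = parseaddr(from_header)
    display, address = display.strip(), address.strip().lower()
    local, _, domain = address.partition("@")
    if not local or not domain:
        return [("unparseable", "no usable email address in header")]

    findings = []
    # A display name that is itself an address, but not the real one, hides
    # the true sender in clients that show only the name.
    if "@" in display and display.lower() != address:
        findings.append(("name_looks_like_address",
                         f"name shows {display!r}, mail came from {address}"))
    # Non-ASCII characters in the address can imitate familiar letters.
    if not address.isascii():
        findings.append(("non_ascii_address", address))
    # Same name as a known contact, but a different address than before.
    expected = known.get(display.lower())
    if expected and expected != address:
        exp_domain = expected.partition("@")[2]
        code = "new_domain" if domain != exp_domain else "new_mailbox"
        findings.append((code, f"expected {expected}, got {address}"))
    return findings


if __name__ == "__main__":
    for header in ("Sam <Sam@Acme.com>", "Sam <Sam11@Acme-Corp.net>"):
        print(header, "->", check_sender(header) or "no findings")
```

An empty result only means the address matches what was seen before; it does not prove the email is legitimate.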
Be wary of overtly urgent requests.
Don’t allow an urgent request to rush you into making a poor decision – however alarming or threatening the email might be. Take your time to calmly consider what is being asked of you, and to read the email thoroughly before making any decisions. An urgently worded email can often be employed to scare you into action, making you act foolishly by clicking a malicious link before you’ve had time to evaluate the situation.
Remember, in most instances, if the matter was as urgent as the sender claims it to be, they would have picked up the telephone. Think about how you behave when you urgently need someone to do something. Do you send an email and hope that the person is sat at their computer? In fact, you are much more likely to contact the person directly and request immediate assistance.
As many phishing emails will look to mimic reputable organisations, don’t rush and consider what the sender is asking of you. Your bank would not ask you to provide them with any personal information and your email provider would not ask you for your login information, but these are easy mistakes to make when rushed. Ask yourself why the sender is in such a hurry and if they are being overly demanding, be wary as to what their genuine intentions might be.
Look for an email signature.
Legitimate companies will have an email footer at the bottom of each of their emails. This is the image or selection of images that often contain the company logo and additional information such as phone numbers. If the email you receive doesn’t have a signature, think twice about who the sender might be. Similar to the email address, check emails that you have received from the sender, or their company in the past. Have they had a signature? If so, why doesn’t this new email?
The email signature can also be replicated by those wishing to cause you harm, so don’t take a signature as proof that the email is legitimate. Nonetheless, it can often be an area where the malicious intent of a phishing email shows. Does the signature contain spelling mistakes? Are the telephone numbers up to date? Is the logo correct? Pay attention to the detail and if things look a little odd or different to what you’d usually expect, you should be cautious of the email.
Are you being asked for personal info?
We have touched on this a little above, but it’s worth being clear – a legitimate company will never ask you to share personal information via email. Therefore, under no circumstances should you ever respond to an email with account information, passwords or personal information such as maiden names or bank details. This sort of information can at best grant people access to your accounts, but at worst, it can lead to identity fraud. Don’t be tempted to divulge this information.
Take a moment to consider the situation. Would you share the personal information you’re being asked for, with a stranger if they asked for it on the street or if they knocked on your front door one evening? Of course, you wouldn’t. So don’t make the same mistake by email.
It might be a cliche, but it is always better to be safe than sorry when it comes to cyber security, so do not worry about inconveniencing or upsetting a legitimate sender. They will have other means of contacting you. Any potential embarrassment will be much more palatable than a phishing email successfully getting access to something such as your bank account. Just ask yourself, would this sender be asking for this information and why would they email you asking for it?
Check how the email addresses you.
Does the email address you by name or is it a vague opening such as ‘Sir or Madam’ or just ‘Hello’? The person emailing you should be aware of your name (it’s probably in your email address!) so be cautious if you receive a generic greeting. Of course, they may be leaving it off, but think of all the emails you send. There’s a good chance you address the majority of people by their name, especially as email is not a very formal means of communication. Very few people send emails to ‘Sir or Madam’ as that’s the convention for letter writing, so something like this should be a hint that the email you’re reading is, in fact, a phishing attempt.
Have a think about your previous interactions with the person or the company they are representing. Are they addressing you in a manner you’d expect? If you know the supposed sender well, it would be odd if they addressed you by your surname. It’s just not the done thing!
Also, consider the supposed intentions of the email and the content and whether it matches the manner of address. Your bank would never use informal language such as ‘Hey’ even when communicating via email, so this too can suggest that the message might be malicious.
Scrutinise spelling and grammar mistakes.
Everyone makes the odd spelling mistake and grammatical error, but a large number of errors may be a clue that you’re looking at a phishing email. Read the email carefully to check if the sender has made careless spelling mistakes, or used punctuation marks incorrectly.
Think about when you send an email. If you misspell something, the email client will often alert you to an error, so that you can fix it. This is the same for other senders, so you have to question why the email you’ve received hasn’t made the most of such a feature. Be especially critical if you’ve received an email claiming to be from a reputable source, that is littered with mistakes. Banks and building societies, for example, are highly unlikely to send you an email that contains easy to spot problems.
Also, consider how the email is formatted. Does the email look like it has been written and put together by a human being? Is there strange spacing or use of punctuation you wouldn’t usually see? These can often be tell-tale signs that the email is not legitimate.
What to do if you identify a phishing email?
So you’ve received an email that you suspect of being a malicious phishing attempt – what should you do?
Well, first of all, take your time to consider everything. Re-read the email and check for worrying signs that suggest it could be malicious. If you are unsure as to whether an email is legitimate, be cautious and act as if it is malicious, until it can be confirmed otherwise. Don’t allow the email to rush you into making any decisions and where possible, eliminate any doubt by asking for a second opinion.
Do not click on any links, download any files or respond to the email if you believe it might be malicious. Phishing emails are often sent to huge numbers of email addresses, in the hope of getting just a few clicks or downloads. However, most of their attempts fall on deaf ears by landing in spam or inactive mailboxes. Just by responding to the email you are telling those at the other end that your email address is active, and as a result, you are likely to receive more such emails in the future.
You should ignore the email and delete it. If the email was legitimate the person will contact you again. Remember, it is better to look rude than to be compromised. You should always adopt a safety-first approach.
One way to verify the original sender is by calling the company that has sent you the email. However, you must only do so with extreme caution. Never use any phone numbers or links from within the email itself. Use a reputable source such as Google or Yell to verify the correct contact information.
For example, should you receive an email from your bank asking for details about a recent transaction you may have made, you can call the bank on a number you already have. You know the number is legitimate so there is no danger in asking them whether the email they sent is legitimate or otherwise.
If you are very worried about phishing emails or appear to be receiving a lot of malicious emails, you may wish to speak with an IT professional or IT support company. They will be able to help you verify the original source and confirm whether it’s malicious or otherwise. Don’t be afraid of looking stupid and sounding silly. You can never be too sure and an IT expert should be able to put your mind at rest and help you spot malicious emails in the future.