How to Identify Phishing Attacks
A Few Red Flags That Should Give You a Heads-Up That Something Isn’t Right
Spotting a Phishing Attack Before It Gets Out of Hand
The difference between a legitimate message and a phishing attempt sometimes comes down to a few subtle but critical details.
The scammer might send a threatening message, hoping that the victim doesn’t critically scrutinize the entire email. The scammer wants the target to react on an emotional level without picking up on the “red flags” that signal something is wrong.
For example, the sending domain and writing style may look legitimate at first glance, but a few tiny inconsistencies can give the scam away. That is why phishing emails typically carry a dramatic sense of urgency: the goal is to have the recipient focus so closely on the immediate need for action that they never stop to consider other possibilities.
When it comes to prevention, fraud filters and other technologies are necessary tools. At the same time, knowing how to identify red flags with the naked eye is an indispensable front-line defense you and your team should also embrace.
In this chapter, we highlight some tell-tale signs of an attack. Learning them can help you become more fraud-aware and scam-proof.
Phishing
Phishing involves a scammer attempting to deceive unsuspecting victims into voluntarily divulging sensitive information. An estimated 90% of cyberattacks begin with a phishing attempt. Here’s what you need to know about these attacks and how you can protect yourself.
How to Spot a Fake Phishing Email
Some phishing attacks use domain spoofing and other techniques to make an email appear entirely legitimate. At other times the attackers are less sophisticated and may unwittingly leave clues that alert you to the deception.

- Urgent or alarming subject line designed to grab your attention immediately.
- Misspelled or disguised domain/email address using lookalike characters or unusual domain names (for example, a lowercase “L” in place of an uppercase “I”).
- Incorrect, outdated, or inconsistent company branding elements.
- Generic greeting such as “Dear Customer” instead of using your actual name.
- Noticeable spelling mistakes or awkward grammar within the message body.
- Suspicious links that lead to fraudulent or unexpected websites.
- Unexpected attachments that may contain malware or viruses.
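Several of the checks in this list can be automated as a first-pass triage before a person reads the message. The Python script below is an added example written for this page, not code from the original article. The trusted-domain set, the confusable-character table, the greeting pattern and the urgency phrase list are assumptions chosen for illustration, and the sample message is constructed.

```python
import re

# Constructed for this example: the domains this organisation treats as trusted,
# and the free-mail providers that a vendor or employee should not be writing from.
KNOWN_DOMAINS = {"examplebank.com", "example-vendor.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Substitutions that look alike in many fonts: ASCII digits/letters, the
# two-character tricks "rn" -> "m" and "vv" -> "w", and a few Cyrillic letters.
# Both sides of a comparison are folded through this table (assumed list).
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w")]
CONFUSABLE_CHARS = {"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e",
                    "\u0430": "a", "\u0435": "e", "\u043e": "o",
                    "\u0440": "p", "\u0441": "c"}

GENERIC_GREETING = re.compile(
    r"^\s*(dear\s+(sir|madam|sir/madam|customer|user|valued\s+customer|account\s+holder)|hi,|hello,)",
    re.IGNORECASE)

# Phrases that create pressure; assumed list, extend for your environment.
URGENCY_PHRASES = ["immediately", "urgent", "within 24 hours", "will be closed",
                   "suspended", "final notice", "act now", "verify your account",
                   "updated wire instructions"]


def fold(domain: str) -> str:
    """Normalise a domain so visually similar spellings compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLE_PAIRS:
        d = d.replace(src, dst)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in d)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches domains that are one letter off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known=KNOWN_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in known:
        return None
    for k in known:
        if fold(domain) == fold(k) or edit_distance(domain, k) <= 1:
            return k
    return None


def sender_domain(header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", header)
    addr = m.group(1) if m else header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def assess_email(sender: str, subject: str, body: str, known=KNOWN_DOMAINS):
    """Return a list of red-flag labels found in the message (empty list = nothing spotted)."""
    flags = []
    domain = sender_domain(sender)
    target = lookalike_of(domain, known)
    if target:
        flags.append(f"lookalike-domain:{domain}~{target}")
    if domain in FREE_MAIL:
        flags.append(f"free-mail-sender:{domain}")
    if GENERIC_GREETING.match(body):
        flags.append("generic-greeting")
    text = f"{subject}\n{body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency:" + ",".join(hits))
    return flags


# Constructed sample message exhibiting several of the red flags above.
SAMPLE = {
    "sender": "Account Security <security@examp1ebank.com>",   # digit 1 for letter l
    "subject": "URGENT: your account will be closed",
    "body": "Dear Customer,\n\nVerify your account immediately to avoid closure.",
}

if __name__ == "__main__":
    for flag in assess_email(SAMPLE["sender"], SAMPLE["subject"], SAMPLE["body"]):
        print(flag)
```

The folding step is deliberately lossy: it is meant to make lookalike spellings collide with the trusted name, not to be reversible, so a hit only means "take a closer look", never "confirmed phishing".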
Other Phishing Attack Red Flags
Below, I’ve outlined some of the most common warning signs associated with phishing scams. Whenever you get any kind of urgent or unexpected message, scrutinize it carefully and scan for these warning signs:
Unfamiliar Sending Domains
Most companies and government offices have their own email domains. Particularly if you’re operating a business, receiving an @gmail.com or @yahoo.com email from a vendor or employee should cause immediate suspicion. Also look for clever substitutions, like a lowercase “L” instead of an uppercase “I,” or a domain that is one letter off from the real one.
Generic Greetings
Familiar contacts should greet you by name. If you receive an un-personalized message that begins with “Dear Sir/Madam” or just “Hi,” you should proceed with caution.
Suspicious Links or Attachments
Never open attachments you didn’t expect to receive, even if they look innocuous. Similarly, before clicking on links, hover over them so that you can see the URL preview. If the destination looks suspicious or unfamiliar, don’t click. Also, scammers will often make the entire page a link to the bogus site, so if hovering over any part of the message shows the same URL, take a closer look.
Spelling Errors or Poor Grammar
AI tools are enabling scammers — even those who lack command of the English language — to draft legitimate-sounding messages. These tools are far from perfect, though, and mistakes or inconsistencies often slip through. For example, if you’re in the US, look for words or phrases not commonly used in American vernacular, like the use of “kindly” as an adjective.
Urgency or Threats
Messages with an urgent tone should not compel you to action. Instead, you should do the opposite by default. Pause, think, and consider whether urgency is warranted — or whether it could be a scam. Examples include last-minute changes to wire instructions, threats of account closure, fines, arrest, or the use of fear and pressure tactics.
If there is any doubt in your mind about the legitimacy of a message or site, visit the real site in another window or dial a known contact number directly. Don’t simply click on the links provided in the suspicious email.
Contact the sender through another means and ask if they sent the message. If not, provide them with the phony details so that they know about the potential for an ongoing scam.