We’ve all been there: you open up your email browser or app to find a series of emails asking you to join an organization, buy a product, or donate money completely unsolicited and out of the blue. Management of these emails is a no-brainer: just click delete.

What’s becoming more common now are phishing emails: emails that seem real, but something feels a little off. Sometimes, they come from people we know and love – but they’re asking up to buy them electronic gift cards. In other cases, they come from what seems like a legitimate business we work with on a frequent basis, but they’re asking us to go to a website and type our personal information in.

These types of emails are called phishing emails, and you’re not to blame if you can’t tell the difference between what’s a real email and what’s a scam email. According to cybertalk, one percent of all emails are a phishing email, and about 90% of data breaches occur due to phishing. Similarly, the FBI reported that they’re seeing a 400% increase in cyber attacks compared to pre-covid times. Now, more than ever, it’s important to make sure you keep yourself, and your business, protected.

In this post, we’ll tell you all about how to identify phishing emails, and what to do if you receive one.

Phishing vs. Spam

It may go without saying, but it’s important to note the difference between phishing emails and spam emails. Spam emails are those pesky, unsolicited messages we receive daily, and are typically very easy to recognize. In most cases our email hosts (like Gmail or Yahoo) have tools to equip themselves to recognize these emails and filter them out before they hit your inbox. But be warned: spam emails can still be just as damaging as a phishing email is if you open it, so be sure to hit the ‘delete’ button once you receive the email.

Phishing emails are spam emails that are sent via disguise: emails that you believe are coming from a legitimate or trustworthy source. In the tech world, there are four types of phishing emails: spear phishing, whaling, smishing, and vishing.

Spear phishing happens when criminals collect your information from websites or social media, and the phishing scam was catered specifically to you or a specific group of people. Common examples of spear phishing include CEO fraud, where the criminal imitates the identity of a company’s CEO, HR Manager, or IT admin and asks employees to complete urgent actions. Spear phishers usually perform a bit of reconnaissance before launching their attack.

Whaling is another type of targeted phishing attack, but these types of emails are almost exclusively aimed at senior citizens or highly ranked individuals in an organization. The emails are designed to encourage the recipient to do something of exponential value – like initiating a wire transfer.

Smishing is a unique form of phishing in that the criminal sends you a text message rather than an email to get you to disclose your personal information. An easy well to tell if you’re a victim of a smishing scam is to check out who the sender is: if the number is one you don’t recognize, or if it’s coming from an email and the request is for you to click on a link, there’s a good chance this is fraudulent.

Vishing has been around for a long time, but it only recently got its name. Voice phishing is the use of making phone calls or leaving voice messages in the form of a reputable company trying to get you to give out your personal information. Best practice for receiving vishing emails is to not answer the phone at all; but if you do, make sure you don’t answer any questions asked, especially those which can be answered with “yes.”

Ways to double-check if you’re being targeted for phishing

Let’s be realistic: deleting every email you see might not be an efficient way to manage your inbox, especially if you’re anticipating receiving important communications (like payment reminders). However, there’s a few steps you can take to make sure what you’re opening is real, or if the link provided in the message is safe to click.

  1. Check the URLs/links/email address

Before you click on a link, hover your mouse over the button or the link provided. Does the pop-up text (the URL) direct to where it says it’s taking you? Or does the pop-up text direct you to a website with lots of random numbers and letters? If it’s the latter, it’s a fake. For example, if you received an email from what appears to be Amazon, you would expect the URL to start with Amazon.com.  

Similarly, you can always check the email address of the sender to see if that person is really who they say they are, or if they created a copy-cat email address of someone you know. For example, if you normally contact your grandma at [email protected], but this email is coming from [email protected], you know this email is a malicious. As a backup, call the individual you know sending the email to make sure it’s really them sending the email; if it’s not, they may want to warn other friends or family members that someone is impersonating them.

2. You’re Receiving Threats

Phishers aim to get people to respond quickly to their emails, so in many instances the email will make a threat or a claim that will make you want to act immediately. Things like sending bills to collections, sending you to jail, or the threat of being let go/unenrolled from a school or program are common threats phishers make.

As a reminder: the IRS does not use email, texts, or social media to discuss financial information; you will always receive a formal letter in the mail.

3. You’ve never heard of them before

A more obvious sign of a phishing email is if you’re receiving communications from a person or organization you’ve never heard of before. If out of the blue you’re receiving an email from a medical collection’s agency for an unpaid bill you’ve never heard of, or never received a bill from your medical provider, there’s a chance the email is fake. If you’re worried about the urgency, it’s always better to call YOUR source directly – like in this instance, call your doctor’s office and ask to talk to the billing department. Remember: it’s better to be safe than sorry.

4. There’s lots of misspelled words/grammar

One of the most common tip-offs for phishing emails is poor spelling and grammar in the body of the email, which is more common when the phishing email is coming from an attacker whose primary language isn’t English (remember – one of the first email cons was the “Nigerian prince” scam). Remember not to look just in the body of the email, but to check the email address to see if the domain name (the text after the @ sign) is misspelled, which can also indicate a phishing email. But be weary – having good spelling or grammar in an email doesn’t automatically make it legitimate, so make sure you’ve found other signs of phishing that work with this step.

When in doubt, throw it out.

 For legitimate solicitations, in most instances your friend, employer, or vendor will try contacting you more than once, and on different channels (like email, snail mail, or text), so if you’re having a hard time deciding whether an email is safe or scam, when it doubt it’s best to just press the delete button. Most phishers are looking to get as many victims as possible in the shortest amount of time, so more often than not you’ll receive only one type of communication (like email) from the phisher only a handful of times.   

If you’re too afraid to delete the email, as a last-ditch effort you can always forward the phishing email to [email protected], forward the text to SPAM (7726), or report the phishing attack at ReportFraud.ftc.gov. These are all Federal Trade Commission-owned, and not only can they help you identify phishing, but you can help the FTC fight scammers by identifying criminals and shutting them down. As well, if you think a scammer has your personal information, you can go to IdentityTheft.gov, which will guide you through specific steps to take based on what type of information was lost.

Don’t wait to educate

If you’re a business owner with employees, don’t wait to educate them on important cybersecurity tactics like those listed above to make sure your business and your information is protected. For more information on cybersecurity education, go to the Cybersecurity & Infrastructure Security Agency’s page at www.cisa.gov.

Worried about protecting your customer’s from phishing? Read our article on why you should enhance your website’s security ASAP!