Don't Take the Bait! The Ultimate Guide to Catching Sneaky Phishing Emails

2023-09-02

Phishing emails are fraudulent messages designed to trick recipients into giving away sensitive information or installing malware. They often appear to come from a legitimate organization and urge you to act quickly by clicking a link or opening an attachment. Being on guard against phishing scams is a great step in keeping your personal information out of the hands of hackers.

1. Check the Sender’s Email Address

The first thing to check is the sender’s email address in the “From” field. Make sure it matches the proper address for any organizations or contacts claiming to have sent the message.

For example, an email claiming to be from Amazon.com should be coming from an address ending in “@amazon.com”, not something random like “@store827.com”. Be especially wary of emails using a forged display name that does not match the actual sender’s address.


Scammers often use slight variations of real addresses or try to mimic them by using symbols. Look closely at the sender’s full email address to detect spoofing.

2. Inspect Links Before Clicking

Never click directly on links in suspicious emails. Hover your mouse cursor over any links first to reveal the actual destination URL.

Legitimate links should lead to the organization’s real website and use sensible page paths. Watch out for odd URLs that use lots of numbers, unrelated business names, or payment-related phrases like “invoice” or “payment”. You can also copy and paste links into a text editor to view the full URL. Check that the link destination matches what the email claims you are clicking on.
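The two checks above (display name versus real sender domain, and link text versus actual link destination) can be scripted. The following is an added example, not code from the original post: it parses a constructed sample message with Python's standard library, flags a display name that claims a brand the sending domain does not belong to, and flags links whose visible text names one host while the `href` points to another. The `KNOWN_BRANDS` mapping, the sample message and the hostname heuristics are assumptions made for this example.

```python
"""Triage the From header and links of an email (constructed sample input)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for this example; not a real phishing email.
SAMPLE_EML = """\
From: "Amazon Customer Service" <billing@store827.com>
To: you@example.com
Subject: Your order could not be processed
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user, please <a href="http://185-0-0-1.invoice-payment.example/login">
www.amazon.com/your-orders</a> to confirm your payment details.</p>
<p>Help: <a href="https://www.amazon.com/help">Amazon Help</a></p>
</body></html>
"""

# Hypothetical mapping: brand word as it appears in display names ->
# domains that brand legitimately sends mail from.
KNOWN_BRANDS = {"amazon": {"amazon.com"}}


def registrable_domain(host):
    """Crude 'last two labels' extraction (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(msg):
    """Flag a display name that claims a known brand from a foreign domain."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and domain not in domains:
            findings.append(
                f"display name claims '{brand}' but address domain is {domain!r}")
    return findings


HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Looks like a host or URL inside the visible link text.
TEXT_HOST_RE = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def check_links(msg):
    """Compare what each link shows with where it actually goes."""
    findings = []
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in HREF_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        text_clean = re.sub(r"\s+", "", re.sub(r"<[^>]+>", "", text))
        m = TEXT_HOST_RE.match(text_clean)
        if m and registrable_domain(m.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows {m.group(1)} but goes to {href_host}")
        # Heuristic from the post: numbers or payment words in the hostname.
        if re.search(r"\d+-\d+-\d+|invoice|payment", href_host, re.I):
            findings.append(f"suspicious hostname {href_host!r}")
    return findings


def triage(raw):
    """Run both checks on a raw RFC 822 message string."""
    msg = message_from_string(raw)
    return {"sender": check_sender(msg), "links": check_links(msg)}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_EML).items():
        for item in items:
            print(f"[{category}] {item}")
```

Running it on the constructed sample reports one sender finding (the “Amazon” display name sent from store827.com) and two link findings (text showing amazon.com that points at a payment-themed host). Replace `SAMPLE_EML` with the raw source of a real message (most mail clients offer “show original” or “view source”) to apply the same checks.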

3. Verify the Sender’s Identity

If an email looks suspicious, contact the organization that supposedly sent it through an independent channel to verify. Look up their real phone number or support email address via an official source such as their website.

Ask them to confirm whether or not they sent the message you received. This extra step takes little time but provides peace of mind that a message is authentic.

Having this confirmation habit means you won’t fall victim to a clever phishing scam claiming to be a colleague, vendor, or service provider. Never assume an email is legitimate based on the display name alone.

4. Watch for Odd Attachments

Most legitimate companies will not send you an unsolicited attachment via email. Be very cautious before opening anything with a file extension like .zip, .xls, .pdf or .doc.

Hover over attachments to preview their true file type. Make sure they match what the message claims. If something seems off, contact the sender directly before touching the attachment. Attackers love using infected Office documents or scripts disguised as PDFs. Enable “Protected View” in your email client to open attachments in isolation.
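Checking whether an attachment is what it claims to be can also be automated. The following is an added example, not code from the original post: it builds a constructed multipart message with three attachments using Python's standard library, then compares each attachment's filename extension, its declared Content-Type and the first bytes of its content against each other. The risky-extension list, the magic-byte table and the sample attachments are assumptions made for this example.

```python
"""Inspect attachments: filename vs declared type vs actual content (constructed sample)."""
import os
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions that run code or commonly carry macros (illustrative, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1",
             ".docm", ".xlsm", ".pptm", ".iso", ".lnk", ".zip"}

# Leading bytes we can verify offline for a few common types.
MAGIC = {
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".exe": b"MZ",
    ".docx": b"PK\x03\x04",
}

# Declared Content-Type -> extensions that are consistent with it.
CTYPE_EXT = {
    "application/pdf": {".pdf"},
    "application/zip": {".zip"},
}


def build_sample():
    """Constructed message with three attachments; not a real phishing email."""
    msg = MIMEMultipart()
    msg["From"] = "accounts@store827.example"
    msg["Subject"] = "Invoice attached"
    msg.attach(MIMEText("Please see the attached invoice."))
    samples = [
        # (filename, declared subtype, fake content bytes)
        ("Invoice.pdf.exe", "pdf", b"MZ\x90\x00 fake executable"),
        ("statement.pdf", "pdf", b"%PDF-1.7 fake document"),
        ("report.pdf", "pdf", b"PK\x03\x04 fake archive"),
    ]
    for name, subtype, data in samples:
        part = MIMEApplication(data, _subtype=subtype)
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_string()


def inspect_attachments(raw):
    """Return {filename: [issues]} for every attachment in the raw message."""
    findings = {}
    msg = message_from_string(raw)
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        issues = []
        base, ext = os.path.splitext(filename)
        ext = ext.lower()
        inner_ext = os.path.splitext(base)[1].lower()
        if ext in RISKY_EXT:
            issues.append(f"risky extension {ext}")
        if inner_ext and inner_ext != ext:
            issues.append(f"double extension {inner_ext}{ext}")
        declared = part.get_content_type()
        if declared in CTYPE_EXT and ext not in CTYPE_EXT[declared]:
            issues.append(f"declared {declared} but filename extension is {ext}")
        data = part.get_payload(decode=True) or b""
        expected = MAGIC.get(ext)
        if expected and not data.startswith(expected):
            looks_like = [e for e, m in MAGIC.items() if data.startswith(m)]
            issues.append(f"content does not match {ext} "
                          f"(looks like {', '.join(looks_like) or 'unknown'})")
        findings[filename] = issues
    return findings


if __name__ == "__main__":
    for name, issues in inspect_attachments(build_sample()).items():
        print(name, "->", issues or "no issues")
```

On the constructed sample, `Invoice.pdf.exe` is flagged three times (risky extension, double extension, declared PDF but named .exe), `report.pdf` is flagged because its bytes are a ZIP container rather than a PDF, and `statement.pdf` passes. Magic-byte checks only catch crude mismatches; they do not tell you whether a genuine PDF or Office file carries malicious content, which is why the post's advice to open attachments in isolation still applies.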

5. Check for Typos and Odd Formatting

Many phishing scams originate overseas and contain spelling, grammar, or formatting errors. The content may look slightly off or unprofessional.

Watch for awkward phrases, repeated words, missing buttons, or outdated branding that signal something fishy. Does the sender’s signature match their role? Are there discrepancies in titles? Any minor mistake could be an indicator of fraud.


Legitimate senders are unlikely to make silly mistakes in formal communication. Always read carefully rather than skimming.

6. Verify Unexpected Requests

Step back and evaluate if any unusual requests make sense before acting. Watch for demands to update billing info, provide passwords, or download software from an unexpected party.

Think “Would this company realistically do this?” and consider reaching out over a known-good channel to confirm strange requests. Don’t assume a message is authentic based on sender name or logo alone.

Stay alert for any urgent calls to action. Phishing schemes often pressure targets to act quickly without scrutiny. Take your time vetting requests instead of panicking.

7. Check for Personalization

Many phishing scams are sent impersonally in mass batches. Spear phishing is an exception, but we will cover that in a later post. Greetings like “Dear user” or “Valued customer” are red flags, especially from companies you have an established relationship with.

Legitimate senders will include your specific name, account details, order numbers, or customized info that scammers won’t have access to. Lack of any personalization signals potential fraud. Reach out to the company directly if a message seems suspicious but claims to know private account details.

8. Watch for Threats and Pressure

Phishing schemes often use fear tactics to trick users. Threatening account deactivation, legal action, or late fees pressures targets into clicking without thinking things through.

Real organizations usually don’t need to threaten customers for routine actions like password resets or invoice payments. Any message threatening dire consequences if you don’t act quickly is likely a scam. Remain calm and diligent. Ask yourself “Would they really do this?” before caving to demands or acting rashly. Contact support channels to verify threats.

9. Watch for Internal Compromised Accounts

Phishing scams don’t only originate outside your organization. Hackers can compromise real employee accounts to send more convincing malicious emails from within. Watch for any unusual requests or changes in writing style from internal senders claiming technical issues or asking for sensitive data. Verify odd requests over the phone or in person.

Don’t make assumptions even if the sender appears totally legitimate. Compromised accounts mean a phishing attempt could come from anyone internally.

10. Evaluate Messages That Seem Too Good To Be True

Treat messages offering free money, prizes, job offers, or extreme discounts with skepticism. Phishers lure targets with fabulous offers that seem too good to resist.

Ask yourself realistically “Would this company send me unsolicited cash or lavish gifts?” Big financial institutions don’t operate this way. If an offer seems wildly enticing, it’s likely just bait to harvest your data.

Stick to official communication channels and be very wary of windfalls landing in your inbox unexpectedly. Don’t let excitement over online “deals” cloud your judgement when evaluating messages.

11. Do Not Call Phone Numbers in Suspicious Emails

One common phishing tactic is including customer support phone numbers within scam messages. The numbers appear legitimate but actually route to fraudulent call centers. Never dial phone numbers provided in suspicious emails, even if they look official. Customer service departments do not cold call you or email you unsolicited contact details.


Instead, reference the organization’s real website or documentation to find valid customer support contacts. Then call and inquire about the suspect email separately.

Following up over channels you control verifies an organization’s identity without falling for phone number spoofing tricks. Limit your contact points to independently researched sources when evaluating sketchy inbound messages.

12. Enable Two-Factor Authentication

Two-factor or multi-factor authentication adds extra login security, requiring both your password and a secondary code tied to a physical device you own. Even if phishers steal your password, they can’t access your accounts without also hijacking your smartphone or security key capable of generating the secondary code.

Turn this option on for critical services like email, banking, and social media to protect yourself. The minor extra steps are worth the security benefits.

13. Report and Delete Suspicious Emails

If an inbound message raises multiple red flags, resist the urge to click anything. Report phishing attempts to the organization being impersonated. Doing your due diligence to identify and report frauds helps keep the entire community safer. Make reporting phishing emails a regular habit.

After reporting, delete suspicious messages immediately to clear them from your inbox. They may contain tracking pixels, and reopening them later risks another infection. Don’t interact with fake content.

Staying observant against clever phishing schemes requires building smart habits. But a few extra precautions like checking links and sender addresses can stop you from falling victim. Keep these comprehensive tips in mind to help identify and avoid malicious emails trying to steal your valuable personal or company data.