Phishing emails are becoming so convincing and realistic that it's sometimes hard to tell what's genuine and what's a scam. Depending on the type of scam and the sophistication of the attacker, there's no single answer. Some phishing emails are easy to spot: a strange, maybe even foreign, email asking you to transfer money into a bank account. Others look legitimate, complete with company logos and branding from the likes of PayPal or Amazon, asking you to log in to your account or hand over confidential information.
So how do you tell the difference between a phishing email and a legitimate one? Unfortunately, there is no one single technique that works in every situation, but there are several things that you can look for that we've listed below.
The message contains a mismatched URL
One of the first things you should check in a suspicious email is any embedded URL. The link text in a phishing message will often look like a perfectly valid address. However, if you hover your mouse over the link, your mail client shows the address it actually points to, and if that address differs from the one displayed, the message is probably fraudulent or malicious.
In that case, don't click the link; report it if you can, and take no further action.
URLs contain a misleading domain name
Scammers behind phishing campaigns usually rely on their victims not knowing how DNS domain names are structured.
The last part of a domain name (the right-hand side) is what tells you who the address really belongs to, so that is the part to check. For example, info.cybersecurity.com is a child domain of cybersecurity.com because cybersecurity.com appears at the end of the full domain name.
Conversely, cybersecurity.com.maliciousdomain.com wouldn't have originated from cybersecurity.com because the reference to cybersecurity.com is on the left side of the domain name.
This is a common way of trying to convince victims that a message came from a company like Microsoft or Apple. The cybercriminal simply creates a child domain using the Microsoft or Apple name. The resulting domain name would then look something like this: Microsoft.maliciousdomainname.com.
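The two checks described above, the hover check for a mismatched URL and the "read the domain from the right" rule for misleading domain names, can be automated. The following is an added example written for this page, not code from the original article: it parses the links out of a constructed HTML email body, compares the displayed address with the real target, and flags a trusted brand name that appears on the left of an address owned by someone else. The trusted-brand list and the "last two labels" rule for the owning domain are assumptions made for the example; the domain names are the ones the article uses.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample email body (HTML) with three links, as a mail client would
# render it. The domain names are the ones from the article; this is not a real message.
SAMPLE_HTML = """
<p>Please <a href="https://cybersecurity.com.maliciousdomain.com/login">https://cybersecurity.com/login</a>
to verify your account.</p>
<p>Or visit <a href="https://info.cybersecurity.com/help">info.cybersecurity.com/help</a>.</p>
<p>Support: <a href="https://Microsoft.maliciousdomainname.com/reset">Microsoft support</a></p>
"""

# Brands the reader expects mail from (an assumption for this example).
TRUSTED_DOMAINS = ("cybersecurity.com", "microsoft.com")

# A host name: two or more dot-separated labels of letters, digits and hyphens.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def registrable_domain(host: str) -> str:
    """Return the right-most two labels of a host, e.g. 'maliciousdomain.com' for
    'cybersecurity.com.maliciousdomain.com'. Assumption: a one-label public suffix
    such as '.com'; a production checker would consult the Public Suffix List so
    that names like 'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> Optional[str]:
    """Extract a host name from a URL or a bare 'host/path' string.
    Returns None when the text is not an address at all (e.g. 'Microsoft support')."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""   # .hostname is already lower-cased
    return host if HOST_RE.match(host) else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, shown_text: str, trusted=TRUSTED_DOMAINS) -> List[str]:
    """Return the warnings for one link; an empty list means nothing looked wrong."""
    warnings: List[str] = []
    real_host = host_of(href)
    if real_host is None:
        return ["link target has no usable host name"]
    real_domain = registrable_domain(real_host)

    # Check 1 (the hover check): the address shown to the reader differs from
    # the address the link really goes to.
    shown_host = host_of(shown_text)
    if shown_host is not None and registrable_domain(shown_host) != real_domain:
        warnings.append(f"mismatched URL: shows {shown_host} but goes to {real_host}")

    # Check 2 (read from the right): a trusted brand name appears as a left-hand
    # label while the right-hand, owning part of the name belongs to someone else.
    for brand in trusted:
        brand_name = brand.split(".")[0]
        if real_domain != brand and brand_name in real_host.split("."):
            warnings.append(f"misleading domain: '{brand_name}' appears in {real_host}, "
                            f"but the address belongs to {real_domain}")
            break
    return warnings


def scan_html(html: str, trusted=TRUSTED_DOMAINS) -> Dict[str, List[str]]:
    """Map each link target in the HTML to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, trusted) for href, text in collector.links}


if __name__ == "__main__":
    for href, warnings in scan_html(SAMPLE_HTML).items():
        print(href, "->", warnings or "looks consistent")
```

Run as a script it reports both warnings for the first link, nothing for the genuine info.cybersecurity.com link, and a misleading-domain warning for the Microsoft.maliciousdomainname.com link, whose displayed text ("Microsoft support") is not an address and so gets no hover comparison. The deliberate weakness is the two-label rule in registrable_domain: for country-code suffixes such as co.uk it would treat the suffix itself as the owner, which is why real mail filters use the Public Suffix List.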
Poor spelling and grammar
This is one of the key indicators that an email could be phishy. When a legitimate company sends out an email, it will usually have been proofread and checked for spelling and grammatical errors, so if you notice a few mistakes, the sender could be a fraudster.
Always re-read the email and check that there are no mistakes, and remember if it doesn’t feel right or look right then it probably isn't right!
Asking for personal information
No matter how realistic and official an email might look, it's always a bad sign if the sender requests personal information. Your bank doesn't need you to send it your account number, sort code or any other information about your account as it already knows what that is.
A reputable company should never send an email asking for your password, credit card number, or the answer to a security question. If you're unsure you can always call the company or bank directly regarding the information they claim to need.
An offer that seems too good to be true
There's an old saying that if something seems too good to be true, it probably is. If you receive an email with an amazing offer or someone making big promises, it's probably a scam.
There are also a lot of phishing emails circulating that claim you've won a lottery you didn’t enter, or a competition you didn’t apply for. All the scammer needs you to do is to click the link and enter your personal information online. These types of emails are sent to victims all over the world every day, so no matter how many zeros are on the cash prize, don’t fall for it.
Asking for a donation
As unbelievable as it may seem, scam artists often send out phishing emails inviting recipients to donate to a worthy cause after a natural disaster or other tragedy, and a lot of people fall for it. You should never send money to someone you don't know or trust, or give away your details to anyone you haven't met or who isn't from a reputable source.
When thinking about phishing emails, the bottom line is that you should always double check, and never click any links or attachments or give confidential information or passwords if you have any doubts or find it suspicious. It’s always better to be safe than sorry.
Knowing the key components that make up a phishing email could save you, or even your business, from a catastrophe, so always be vigilant.
For more information about phishing, read our other blog about phishing here.