Last Updated: June 11, 2020
Every year thousands of people lose their hard-earned money to phishing attacks, which are mostly carried out via email.
If you don’t know how to spot a phishing email, you have some catching up to do. Such scams affect everyone and are now more widespread than ever.
Did you know…?
- The average user receives 16 malicious emails per month.
- More than 75% of companies have experienced an email phishing attack.
- A successful attack costs mid-sized firms $1.6 million on average.
- The number of phishing attacks grew by 65% in 2017.
- Phishing is a $5-billion industry.
- 97% of people cannot identify a phishing email, according to a recent survey.
As you can see, phishing is a serious threat to both individuals and businesses — and a small mistake can cost a lot.
Which begs the question:
How can you protect yourself?
The key is to understand how this type of scam works and its warning signs. This will allow you to spot fraudulent emails a mile off.
Don’t worry, beating cybercriminals is easier than you think — and by the end of the article, you’ll discover how it is done.
So, let’s get rolling.
What Is Phishing?
Phishing is similar to fishing in a pond, but instead of attaching the hook to a fishing pole, the phisher puts it in an email. This way, he can steal personal information.
Now you might be wondering:
How is this done?
Well, the phisher poses as a genuine person or company and convinces users to click a link to a website that looks like the real deal. It’s actually a fake, designed to be the “hook” in the whole operation. Once users enter their information on it, that information is effectively stolen.
Alternatively, hackers might trick people into downloading a file that looks innocuous but is actually malware or ransomware.
Malware is malicious software, typically designed to steal data. Ransomware, a particular kind of malware, instead encrypts all the files on an infected computer. The hacker can then demand a ransom to decrypt the data.
Now that we know what phishing is, let’s find out the most common types of phishing attacks.
6 Common Phishing Attacks
Phishing attacks come in all shapes and sizes:
1. Deceptive phishing
Deceptive Phishing is the least sophisticated and most common type of email phishing scam. It uses a “spray and pray” approach, where mass mails are sent to millions of users.
These are the “You’ve won a prize” and “URGENT message from your bank” messages that try to trick users by instilling fear in them or by blinding them with greed.
Most often a fake webpage is involved, which looks very much like the real thing.
For example, PayPal scammers might send an email asking users to click a link to fix a problem with their account. The link leads to a fake PayPal page, where their login details are collected and sent to another site.
Sometimes, hackers play on the users’ curiosity by sending out blank emails with a malicious attachment.
This is exactly how Locky ransomware, considered one of the most effective file-encrypting malware families, spread in 2017.
Within just 24 hours, threat actors delivered 23 million emails carrying a zip file that hid the malicious payload, with a subject line that read “scan”, “print” or “download”.
Once someone opened the file, Locky encrypted all the files on that computer. To get the data back, the unfortunate victims had to pay 0.5 bitcoin ($2,300 at the time).
Over time such scams have become even more sophisticated. If you want to protect yourself, you must know how to identify a phishing email.
Prevention is the only viable approach here. Once you run malicious software, there’s not much you can do.
2. Spear phishing
Unlike deceptive phishing, this type of scam is much more personalized.
Threat actors customize the attack emails with the target’s name and other details to trick them into believing the email is genuine.
The goal of spear phishing is the same as deceptive phishing — to coax the victim into downloading a malicious file or entering personal information on a fake web page.
On a personal level, attackers could masquerade as a business you trust – like your bank.
They might send emails stating there’s some discrepancy in your account. To fix it, allegedly, you must click the specified link and fill in the required fields.
While such scams do target individuals, more often than not, they are aimed at businesses.
Spear phishing messages that target companies can come in different forms, like a fake purchase order from a client or a false customer query.
However, the central theme remains the same — to lull recipients into believing the email is from a reliable source.
3. CEO fraud
This is a very specific kind of phishing scam.
It works like this:
The hacker disguises herself as the CEO of a company and sends an email message to a high-level employee, requesting a money transfer to a particular account.
The key to such campaigns is knowing enough about the company’s CEO to impersonate them convincingly.
This is the only thing (and it’s a big one) that sets them apart from a “spray and pray” phishing campaign.
4. Dropbox phishing
Some phishers target users of a specific company or service.
Take Dropbox, for instance. Millions of people use it every day for sharing files and creating backups.
Given its popularity, it’s no wonder hackers repeatedly target its users.
In one such attack, Dropbox users were told that someone had sent them a file that was too big to be sent as an email attachment. The phishers had “conveniently” provided a link from which to access the file.
Naturally, the link led to a fake Dropbox login page, where cybercriminals collected the users’ login credentials.
5. Google Docs phishing
Hackers target Google Docs users pretty much the same way they prey upon Dropbox users.
Namely, they create a fake Google account login page and then use it to collect user credentials.
Alright, so these are just a few phishing email examples. There are many other types of scams going around.
While the aim and mechanics of these attacks might vary, they all center around coaxing the user to either download a malicious file or enter personal information on a fake webpage.
Now, let’s learn how to identify such attacks.
10 Tips on How to Spot a Phishing Email
Did you know 135 million attempts at phishing attacks take place every day? Or that nearly 25% of victims never fully recover their losses?
The threat of a phishing email attack is real.
This is because:
Phishers target companies and individuals alike.
If you use email, you’re technically at risk.
So what can you do to keep yourself safe?
Well, take a look at the following tips the next time you open your inbox.
1. Don’t blindly trust the display name.
Altering the display name of an email is a classic ploy used by phishers.
This is how it works:
An attacker impersonates a company by using its name while emailing you from a completely different email.
For example, let’s say a hacker wants to spoof the brand “Bank of America.” She might use it with an unheard-of domain name, like secure.com.
So the email delivered to you will look something like this:
Once delivered, the email appears genuine, as most inboxes only show the display name.
However, blindly trusting the display name can land you in trouble — as shown in the above example.
So what’s the solution?
First, check the email address in the “from” field of the email header.
If it doesn’t match the displayed name, you can bet it is a scam.
That said, even if the email address looks genuine, that’s not enough! Hackers are known to alter email addresses as well.
The good news is that’s all they can fake.
The other fields in the email header can tell you the whole story. Namely – the “mailed-by” and “signed-by” fields.
Emails from legit companies will have these sections. More importantly, the “mailed-by” and “signed-by” fields will have the name of the same company.
Here’s an example:
In case there’s a mismatch between mailed-by and signed-by, the email could be a scam.
Here’s an example of phishing, where while the mailed-by and signed-by fields are present, they don’t match.
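The three header checks above can be automated. As an added example (not code from the original article), this Python script reads the From: display name and address and the SPF and DKIM results from a constructed Authentication-Results header, assuming that a webmail client’s “mailed-by” label comes from the SPF-checked sender domain and “signed-by” from the DKIM signing domain, and reports the same mismatches the tip describes.

```python
# Added example, not code from the original article: check the From:
# header against the "mailed-by" and "signed-by" domains of tip 1.
# Assumption: a webmail client derives "mailed-by" from the SPF-checked
# smtp.mailfrom domain and "signed-by" from the DKIM header.d domain;
# both are read here from the Authentication-Results header.
import email
import re
from email.utils import parseaddr

# Constructed sample, modelled on tip 1: the display name says
# "Bank of America" but every domain in the headers is unrelated.
SUSPICIOUS_MESSAGE = """\
From: "Bank of America" <alerts@secure.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@secure.com; dkim=pass header.d=secure.com
"""

# Constructed sample of the mismatch case: mailed and signed by two
# different domains, neither of which is the From: domain.
MISMATCH_MESSAGE = """\
From: "Bank Example Alerts" <alerts@bank.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mailer.example; dkim=pass header.d=bulk-sender.example
"""

def domain_of(value: str) -> str:
    # Domain part of an address, or the value itself if it has no '@'.
    return value.rsplit("@", 1)[-1].lower().strip("<>;")

def analyse(raw: str) -> dict:
    """Return the From, mailed-by and signed-by domains plus warnings."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=([^;\s]+)", auth)
    dkim = re.search(r"dkim=pass\s+header\.d=([^;\s]+)", auth)
    from_dom = domain_of(addr)
    mailed_by = domain_of(spf.group(1)) if spf else ""
    signed_by = domain_of(dkim.group(1)) if dkim else ""
    warnings = []
    # Does a brand word from the display name appear in the From: domain?
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) > 3]
    if words and not any(w in from_dom for w in words):
        warnings.append("display name does not match the From: domain")
    if not mailed_by or not signed_by:
        warnings.append("mailed-by or signed-by information missing")
    elif mailed_by != signed_by:
        warnings.append("mailed-by and signed-by domains differ")
    if signed_by and signed_by != from_dom:
        warnings.append("signed-by domain differs from the From: domain")
    return {"from": from_dom, "mailed_by": mailed_by,
            "signed_by": signed_by, "warnings": warnings}
```

Run `analyse()` on a message saved from your mail client’s “show original” view; the display-name check is a heuristic and only flags names whose words appear nowhere in the sender domain.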
2. Check URLs for a misleading domain name.
Let’s say you’ve received an email from this address:
Now, do you think this domain belongs to Apple?
If you said yes, you are wrong. Hackers often exploit people’s lack of knowledge of how this works.
You see, in a host name the rightmost part (the registered domain) is what identifies the owner, while everything to the left of it is a subdomain that the owner can name however they like.
So, in the aforementioned example, “Infocenter” is the actual domain name. This means an obscure company called Infocenter, not Apple, has sent you the email.
Using a well-known name as a child domain is one of the telltale signs of phishing.
Hackers often use this tactic to trick users into believing the email has come from a reputable source.
Thankfully, you now know better and will not fall for such cheap tricks.
3. Check a link before clicking on it.
No one can fake a domain name itself; an attacker cannot take over a domain someone else owns.
However, any run-of-the-mill hacker can disguise a link’s destination, and that’s as easy as pie.
This brings us to the main question:
How do cybercriminals conceal malicious links?
Well, typically they use any of the three tactics we’ll mention right now.
For one, they might use a link shortening service to conceal the true destination of a link. So – if you see a shortened link in an unsolicited email, be cautious.
Another common tactic is to use URL encoding to hide the destination of a phishing site. For example, when the letter “A” is URL-encoded it reads as %41.
Here’s an example of an encoded link: http%3A%2F%2Ftiny.cc%3F712q431bca
The link looks weird — and that’s often a reliable warning sign that something’s fishy.
Here’s the bottom-line:
If a link has a bunch of % in it, don’t click it.
Finally, the last maneuver for hiding a URL is to put the link behind ordinary-looking hyperlinked text. Fortunately, identifying such phishing emails is easy.
Simply hover the mouse over the hyperlinked text and you’ll see the actual link it points to.
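Tips 2 and 3 together describe four ways a link can mislead, and one function can check all of them. As an added example (not from the original article), the Python below decodes percent-encoding, spots a shortener, flags a well-known name used as a subdomain and compares the visible link text with the real target; the shortener list and the two-label approximation of the registrable domain are assumptions.

```python
# Added example, not from the original article: flag the link disguises
# from tips 2 and 3 (brand used as a subdomain, shortened links,
# percent-encoded links, link text that differs from the real target).
# Assumption: the registrable domain is the host's last two labels,
# which is wrong for suffixes like co.uk; use a public-suffix list there.
from urllib.parse import unquote, urlsplit

SHORTENERS = {"tiny.cc", "bit.ly", "tinyurl.com", "t.co"}  # assumed list
BRANDS = {"apple", "paypal", "dropbox", "google"}  # names from the article

def host_of(url: str) -> str:
    """Hostname of a URL; a bare 'example.com' is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def registrable_domain(host: str) -> str:
    return ".".join(host.split(".")[-2:])

def check_link(text: str, href: str) -> list:
    """Return the warning signs found for one hyperlink."""
    warnings = []
    decoded = unquote(href)
    if decoded != href:                      # tip 3: URL encoding
        warnings.append(f"percent-encoded link decodes to {decoded}")
    host = host_of(decoded)
    target = registrable_domain(host)
    if target in SHORTENERS:                 # tip 3: link shortener
        warnings.append(f"link shortener {target} hides the destination")
    for label in host.split(".")[:-2]:       # tip 2: brand as subdomain
        if label in BRANDS:
            warnings.append(f"'{label}' is only a subdomain of {target}")
    if "." in text and " " not in text:      # tip 3: link text vs target
        shown = registrable_domain(host_of(text))
        if shown != target:
            warnings.append(f"text shows {shown} but link goes to {target}")
    return warnings

# Constructed samples of (visible link text, real href) pairs.
SAMPLES = [
    ("apple.com", "http://apple.com.infocenter.example/login"),
    ("Click here", "http%3A%2F%2Ftiny.cc%3F712q431bca"),
    ("https://www.example.com/account", "https://login.example.net/verify"),
    ("https://www.example.com/account", "https://www.example.com/account"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(href, "->", check_link(text, href) or ["no warning signs"])
```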
4. There’s an unsolicited attachment.
Emails with unsolicited attachments reek of fraud:
Usually, legit businesses don’t send random emails with attachments. If they want you to download something, they would rather direct you to their own website.
Even if the sender is an individual you know, watch out for high-risk attachment file types like .zip, .exe, and .scr.
If you’re unsure, the best thing to do is to directly contact the sender and confirm if it was indeed they who sent the email.
5. Check for spelling mistakes.
If an email is filled with typos, poor grammar, formatting errors, or awkward language, it is most likely fraudulent.
Legitimate businesses pay attention when crafting emails to their customers.
While hackers have become more sophisticated, they sometimes still make basic mistakes, so most of the time you can still identify a suspicious email easily.
6. Read the salutation carefully.
Who is the email addressed to? Is it addressed vaguely, as in “Dear Esteemed Customer”?
If yes, it is probably a scam.
More often than not, legitimate businesses use your first and last name.
7. The email asks you to send money.
This is a dead giveaway.
After all, your money is what phishers are after. If they are writing to you, they will ask for it, sooner or later.
Don’t act on an email that asks you to send money to cover fees, expenses, taxes, or something similar. It’s a sure-shot scam.
8. The email asks for personal information
It’s always a bad sign when an email asks for personal information, like credit card number or bank account details.
Your bank is not going to ask you for your account details. It already has them.
Similarly, other reputable companies or government agencies will not email you to share confidential information. That’s not how they operate.
If you receive any such email, you can be sure it’s part of a phishing scam.
9. The email makes an unrealistic offer or threat.
Phishers often trick people into giving up money or sensitive information by promising a reward or just plain scaring them.
Here’s an example:
You get an email asking you to quickly fill out a form (which asks for your account details), supposedly because otherwise your bank account will be canceled and your assets seized.
Well, this is obviously a scam.
You don’t need to be Sherlock Holmes to figure out that banks don’t close accounts and seize assets just because someone didn’t reply to an email.
Likewise, if an email offers a reward that sounds too good to be true, watch out.
10. Review the signature line.
You can identify a phishing attack from the signature line.
Does the email give information about the sender? Does it list the contact information of the company?
If not, there’s a good chance the email is an attempt to phish.
Reputable companies always provide such information in their emails.
Phishing is a type of social engineering attack, in which hackers try to steal users’ personal information.
Over time, such attacks have become more frequent, with research showing that 135 million phishing email attacks get carried out daily.
The best way to thwart such scams is to find out how to spot a phishing email.
This article has shone a light on what to look for when you open an email. Pay attention to that — and you will be fine.
Alright, so this was the extensive guide to finding out how to spot a phishing email.
If you’ve fallen victim to a phishing scam, follow these steps immediately to prevent or mitigate the damage.
Step 1 – Disconnect your device from the internet.
If you use Wi-Fi, simply turn off the router.
In case of a wired network, disconnect the internet cable from your laptop or desktop.
Step 2 – Backup all your files.
A phishing attack can easily lead to data loss. Therefore, don’t waste any time in creating an offline data backup (offline because you’re no longer connected to the internet).
Use an external hard drive, a USB thumb drive, or a DVD to back up your files.
Step 3 – Run a malware scan.
Conduct a full system scan using your anti-virus/anti-malware software to delete or quarantine malware that may have sneaked into your system.
Step 4 – Change your email password.
Lastly, change the password of your email account. You might want to consider activating two-factor authentication, which offers an added layer of defense. You can also consider using a password manager, which generates strong passwords for you.
To find out whether an email is genuine or not, first check the email address listed in the “from” section of the email header.
If it doesn’t match the sender’s name or looks suspicious, it’s a phishing scam.
In case the address in the “from” field looks genuine, investigate further by checking the “mailed-by” and “signed-by” sections.
Make sure the email is signed by the same company that has sent the email.
Here are a few things you should look for in a phishing email:
Generic greeting – Scammers typically send a fraudulent email to thousands or even millions of people at once. Therefore, these emails tend to have generic greetings, like “Our Valued Customer”. If your name doesn’t appear in the email, be suspicious.
Forged link – Just because a link has a name that you recognize doesn’t mean the link is genuine. Hover your mouse over the link to see if it’s actually linking to the real company. A mismatch here points to fraud.
Requests for a money transfer or personal information – Scammers send phishing emails to filch money from you. They may ask for money outright or they may first try to steal your personal information. If you get an email that is asking for either of those, don’t act on it.
Sense of urgency – Promoting fear or a sense of urgency is a common tactic used by cyber criminals. For instance, they might ask you to verify your bank information “immediately” to avoid account suspension.
Here’s an example of phishing:
As you can see, the email betrays some of the most obvious signs of phishing — a generic greeting, a request for personal information, and use of threatening language.
If you’ve received a phishing email, report it by forwarding it to the Federal Trade Commission (FTC) at firstname.lastname@example.org and to the Anti-Phishing Working Group at email@example.com.
Phishing emails are fraudulent messages sent by cyber criminals to trick users into sharing their personal information. This may include bank account numbers, passwords, and credit card details.
Such emails often ask users to click an embedded link and fill in their personal information on a fake web page, where their details are collected and passed to hackers.
Sometimes, threat actors try to convince unsuspecting users to download a malicious attachment, designed to steal confidential data from their systems.