It’s early in the morning, and you’ve just made a cup of coffee. You’re checking your email when you see one from PayPal, informing you there is an issue with your account and to ‘click here’ to verify your account. The email even features the official PayPal logo.
Because it’s early and your coffee hasn’t kicked in yet, you might think the email is legitimate and click the embedded link or attachment. And you might end up sorry if you did. If you’d taken a closer look, you’d have realized it was a phishing email.
Phishing emails are designed to look like legitimate messages from actual banks, businesses, and other organizations. In reality, though, criminals created the message, usually in an effort to steal your money, identity, or both. They want you to click links that will take you to a website that looks authentic but is really just there to capture your credit card or other personal information or perhaps to distribute malware.
Here are some ways to spot phishing emails, and what you can do to protect yourself.
Seven Ways to Spot a Phishing Email
1. The email has improper spelling or grammar
This is one of the most common signs that an email isn’t legitimate. Sometimes, the mistake is easy to spot, such as ‘Dear eBay Costumer’ instead of ‘Dear eBay Customer.’
Other mistakes might be more difficult to spot, so make sure to look at the email in closer detail. For example, the subject line or the email itself might say “Health coverage for the unemployeed.” The word unemployed isn’t exactly difficult to spell, and any legitimate organization would have editors who review its marketing emails carefully before sending them out. So when in doubt, check the email closely for misspellings and improper grammar.
2. The hyperlinked URL is different from the one shown
The hypertext link in a phishing email may include, say, the name of a legitimate bank. But when you hover the mouse over the link (without clicking it), you may discover in a small pop-up window that the actual URL differs from the one displayed and doesn’t contain the bank’s name. (Be aware that not all email software will show the actual URL in a pop-up window, however.) Similarly, you can hover your mouse over the address in the ‘from’ field to see whether the sender’s domain matches that of the organization the email claims to come from.
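The same two checks (visible link text versus the real href, and the sender’s address versus the organization’s real domain) can be automated. The script below is an added example, not code from the original article; the message it inspects is constructed, and the look-alike domains in it are placeholders on the reserved .example TLD.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample for the demo; the look-alike domains are placeholders, not real sites.
SAMPLE = """From: PayPal Service <alerts@paypa1-secure.example>
Content-Type: text/html

<p>Dear Costumer, <a href="http://login.paypa1-secure.example/verify">https://www.paypal.com/myaccount</a>
or <a href="http://www.paypal.com/help">click here</a>.</p>
"""
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)

def site_of(value):
    # Last two host labels of a URL or bare domain; '' if the text is not URL-like ("click here").
    # Assumption: two labels approximate the registrable domain; no public-suffix list is used.
    value = value.strip()
    if not DOMAIN_LIKE.fullmatch(value):
        return ""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

class _Links(HTMLParser):
    # Collect (href, visible text) for every <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sender_domain(raw_message):
    # Domain of the From address; the display name ("PayPal Service") is deliberately ignored.
    _, addr = parseaddr(message_from_string(raw_message)["From"])
    return addr.rpartition("@")[2].lower()

def mismatched_links(raw_message):
    # Links whose visible text names one site but whose href points somewhere else.
    parser = _Links()
    parser.feed(message_from_string(raw_message).get_payload())
    return [(text, href) for href, text in parser.links
            if site_of(text) and site_of(href) and site_of(text) != site_of(href)]
```

A link whose text is plain words (“click here”) is not flagged by this check; only the sender check and the hover test apply to it.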
3. The email urges you to take immediate action
Often, a phishing email tries to trick you into clicking a link by claiming that your account has been closed or put on hold, or that there’s been fraudulent activity requiring your immediate attention. Of course, it’s possible you may receive a legitimate message informing you to take action on your account. To be safe, though, don’t click the link in the email, no matter how authentic it appears to be. Instead, log into the account in question directly by visiting the appropriate website, then check your account status.
4. The email requests personal information
Reputable organizations don’t ask their customers for personal information via email. If you have a checking account, your bank already knows your account number.
5. The email says you’ve won a contest you haven’t entered
A common phishing scam is to send an email informing recipients they’ve won a lottery or some other prize. All they have to do is click the link and enter their personal information online. Chances are, if you’ve never bought a lottery ticket or entered to win a prize, the email is a scam.
6. The email asks you to make a donation
As unbelievable as it may seem, scam artists often send out phishing emails inviting recipients to donate to a worthy cause after a natural disaster or other tragedy. For example, after Hurricane Katrina, the American Red Cross reported that more than 15 fraudulent websites were designed to look like legitimate Red Cross appeals for relief efforts. Potential victims received phishing emails asking them to donate to the Red Cross, with links to malicious sites that stole their credit card numbers. If you’d like to make a donation to a charity, do so by visiting its website directly.
7. The email includes suspicious attachments
It would be highly unusual for a legitimate organization to send you an email with an attachment, unless it’s a document you’ve requested. As always, if you receive an email that looks in any way suspicious, never click to download the attachment, as it could be malware.
What to Do About Phishing Emails
In addition to learning how to spot a phishing email, here are a few other things you can do to better protect yourself and others from phishing scams.
Adjust your email settings for what is allowed in your inbox
Depending on which email platform you use, you likely have the option to have all incoming email sent to junk except for those from your contacts and safe senders. Doing this helps to prevent you from inadvertently clicking on a phishing email you thought was from a legitimate sender. Since you’ll have the email address for your bank in the safe senders list, any email pretending to be from your bank will end up in your junk box. Also, it’s much more convenient to click “empty junk” rather than having to sift through your inbox for potential junk.
Security software is a must
While email providers do a decent job of filtering out junk or spam email, it always helps to have additional layers of security in place. In the event you accidentally click on a phishing email you thought was legitimate, your security software is there to warn you that the site you landed on is a forgery. If the website you landed on tries to distribute malware through a drive-by download, your security software can detect the malware and stop it from executing.
Report the phishing scams
Microsoft offers tips for users of Internet Explorer, Outlook.com, and Outlook desktop software on reporting phishing scams. Google offers online help for reporting phishing websites and phishing emails. Also, the U.S. government offers tips for protecting yourself from phishing scams as well as an email address for reporting scams: firstname.lastname@example.org.
Test your phishing IQ
PayPal has a ‘Can You Spot Phishing?’ online quiz to test how savvy you are about scam emails. How well did you do?