If there was a handbook for cybercriminals, phishing emails would be on the first page. For years, hackers have been using these phony but believable messages to trick people into helping them. And the tactic still works. Phishing attacks rose by 11% and were the most common cause of corporate data breaches in 2020, Verizon found in its 2021 Data Breach Investigations Report.
The good news: It’s possible to avoid the vast majority of phony emails. You just need to know the telltale signs and the best ways to handle them. If you commit all of them to memory, you’ll be able to spot and outmaneuver phishing emails as they come in, keeping you secure and productive at work.
1. Check for typos
Most cybercriminals aren’t professionally trained writers. That means they will occasionally make spelling and grammar mistakes in their emails. Everyone is capable of the occasional typo – so don’t jump to conclusions – but you should be wary if you see more than a few, especially if the message has supposedly come from a company’s sales or marketing department. These types of emails are normally proofread by multiple people before they’re sent out.
It might seem obvious, but check that the sender has spelled your name and the name of your company correctly. Next, check the spelling of any technical terms that the sender should know based on their job role or industry.
2 Check the sender’s email address
If the sender works for a large company, they shouldn’t be using a free email service such as Gmail, Outlook, or Yahoo! Mail. That means you should be worried if you see a word like “gmail,” “yahoo,” “hotmail,” “aol,” or “live” after the “@“ symbol in their email address.
Most cybercriminals are cleverer than this in 2021. They’ll use a domain that is close to the company’s real name, hoping your eyes won’t catch it while they’re scanning through the email. Common tactics include removing a letter so “@bastionburgers.com” becomes “@basionburgers.com,” and adding a word like “mail” to the email address, so @bastionburgers.com” becomes “@bastionburgersmail.com.”
If you’re unsure, visit the company’s website and check whether the domain lines up with the sender’s email address. You should also check your inbox to see if anyone else from the company has contacted you before. If you’ve received a legitimate message from “firstname.lastname@example.org”, be wary if someone contacts you with an email address like “email@example.com.”
3. Hover over links before clicking
A seemingly harmless link might send you to a site that installs malware on your device or fool you into entering sensitive information. The trick to avoiding malicious websites is twofold. First, get in the habit of peeking at links before opening them. You can normally review the full URL by hovering your cursor over the link or long-pressing it with your finger. If this doesn’t work, you can also right-click on the link, copy the link address and then paste it into a text file for closer inspection.
Alarm bells should ring if the URL is a long line of random characters or obfuscated behind a link shortener.
The second tip is to navigate to the website yourself. Let’s say your bank supposedly contacts you about a problem with your account. Don’t click the link that says “sign in here” in the email. Instead, open your browser and visit the website using a bookmark, web search, or web address you already know. That way, you’ll know for sure that you’re on the right site and not an imposter that looks the same.
4. Consider the email’s voice and tone
Sometimes, you’ll receive an email from someone you’ve spoken with before. You might have met them in person, or chatted over Slack or Microsoft Teams. Consider their personality and how they normally communicate. Do they like to use particular words or phrases, or are they the type to include a GIF in every email? If so, check whether any of these are in the message you’ve just received.
Similarly, you should check if the email has any words or phrases that seem out of character for the sender. For example, you might know that they normally end an email with “cheers” rather than “regards” or “yours sincerely.”
5. Beware messages that ask you to take urgent action
Many phishing emails will try to scare you into acting quickly. They might say you haven’t paid your electricity bill and need to settle up immediately, or you need to enter your username and password to stop an account from being shut down. They’ll often use phrases such as “action required” to make you open a link or share sensitive information before you’ve taken the time to really think things through.
Don’t fall for these traps. Instead, take a deep breath and reread the email a couple of times – and remember: A well-established company will never send an email with language that’s designed to scare you. If you feel like the message is overly pushy or threatening, there’s a good chance the sender is actually an attacker.
6. Think before downloading any file attachment
Email attachments are a useful way to share important files. People use them for all sorts of perfectly legitimate reasons: to send reports and other important documents at work, for example, or to share their resume while applying for a new job. But, they can also be used by cybercriminals to trick people into downloading malware, ransomware, and other malicious software.
How can you tell which files are dangerous? The first step is to look at the extension. Does it match what the sender claims to be sending? An image shouldn’t have a .exe extension, for example. The second step is to consider the reason for the attachment. Let’s say you receive an email from someone who claims they want to arrange a meeting and have proposed some dates in an attachment. Ask yourself, “why didn’t they just put the dates in the email body text?”
7. Beware emails that ask you to forward them on
Here’s a common scenario: An attacker wants access to a sensitive database at your company. To achieve this, they need to fool a senior engineer. The problem is that they don’t know that engineer’s email address – only one for an employee who works in a different department. So, the hacker reaches out with a story that they hope will persuade the employee to forward their message to the senior engineer.
Be wary whenever someone from outside your company asks to be put in touch with one of your colleagues. Sometimes these requests are authentic and harmless, but they could also lead to a highly damaging breach at your company. Be on your guard and politely decline if you’re not sure. It’s better to be safe than sorry.
8. Watch out for fake “follow-up” emails
Attackers will sometimes try to trick you into thinking you reached out first. They’ll send a message with a subject line such as “RE: job application,” and pretend they’re responding to a speculative email you sent or a contact form you filled out on their site. The criminal is hoping you won’t spend too long trying to recall the original message, or accept that you send a lot of emails and forgot about the time you contacted them.
Don’t make assumptions. Can you see your original message in the email chain? If so, does it look like something you would write? If there’s no evidence of a chain, check your Sent folder and take a minute to research the supposed sender. If a quick web search doesn’t jog your memory, it’s possible that the sender is an imposter with malicious motives.
9. If you’re not sure, contact the supposed sender another way
Don’t reply to any email that you’re not sure about. Instead, contact the supposed sender directly. If it’s a large company, visit their official website and find a trustworthy phone number or email address. For a close colleague, you could walk over to their desk and ask them face-to-face, call them, or send a message over Slack, Microsoft Teams, or Discord.
Chasing people down like this can be time consuming. But, trust us: You’ll never regret the decision to reach out and check that an email was legitimate – especially when the company or person in question tells you the message didn’t come from them.
10. Then report the email
If you work for a company with an IT or security team, ask for a second opinion. They’ll be familiar with phishing emails and might spot something that you overlooked. And, if it turns out that your suspicions are correct, they’ll want to alert the entire company, just in case anyone else has received a similar email.
11. Protect yourself with a password manager
A password manager like 1Password can act as your personal safety net. For example: Let’s say you created an account on a site called givemefoodnow.com. Most password managers will save the URL alongside your username and password – that way it knows when to autofill your credentials. Now, imagine you clicked on a link that sent you to sendmefoodnow.com. You would notice straight away that your password manager wasn’t offering to autofill your username and password. That, in turn, would prompt you to look at the URL and realize that you’re on a fake site.
Some password managers can also be used to store and deliver time-based one-time passwords (TOTPs). These special codes act as an extra layer of protection for your most important accounts. Using multi-factor authentication like this means that even if you do fall for a phishing email and accidentally share one of your passwords, the relevant account will still be safe because the attacker won’t have access to the place where you store your TOTPs.