Imagine you’re out at lunch with a friend and you get a notification on your phone saying, “Your payment is being processed” — but you didn’t buy anything online. You check who sent the email, and it says email@example.com. Looks kinda legit, right? But there’s more going on than what you might notice on first glance. What you’re experiencing is known as phishing.
Here are a few tips to help you easily spot phishing and hacking attempts. And also, guide you through what to do if you receive a suspicious email.
How can you spot a phishing scam?
They aim to scare you with the subject line
Getting an email with a subject line telling you that your payment was successful when you haven’t purchased anything recently is something that would jar any of us. That’s exactly what a scammer’s goal is – to cause you to panic.
Here’s a few examples of commonly used phishing subject lines to keep an eye out for:
- Your account has been deactivated due to suspicious activity
- Response required
- Your sensitive data has been compromised
- Your password has expired
- Your payment is being processed
They try to hide their email address
Have you ever received an email that looked like it came from a company you do business with, only to open it and find that the message seems off? You’re not alone – which is why it’s important to double-check the sender’s email address. Using fake email addresses that closely resemble the real source’s is a favorite move of scammers and one that’s easy to overlook.
Here are the things to look for to spot the difference between an email that’s real and one that’s phishing:
- An email address is made up of two parts: a username, which comes before the @ symbol, and a domain, which comes after it.
- Scammers like to make subtle changes to the domain to hide where an email is coming from. This means that the difference between a real and a fake email could be as simple as firstname.lastname@example.org (real) and email@example.com (fake).
- You can tell the first email address is really from Microsoft because the company name is the last part of the domain. The second email is from another source because the word “newuser” comes at the end.
They ask for your information
It’s highly unlikely for a company to ask you to give out personal information like usernames, passwords, or credit card numbers.
If you get an email that asks for sensitive information, even if it looks legitimate, your best move is to contact the company directly. If asked to click a link from the email — just say no. Type the company’s website into your browser, and look for a page that says “Contact us.”
In some cases, a scammer’s goal may be to convince you to click a link and enter your password into a fake, look-a-like site they’ve built. In this case, they may try to spoof a legitimate email address. Remember — you can always hover your mouse over the link, and it’ll show you where the link is attempting to take you.
They don’t use your name
Companies you regularly do business with often send you emails with a personal touch, like calling you by your name in the subject line. Someone sending a phishing email is not likely to know this level of detail, making them easier to spot. They’ll use generic greetings like “Hello,” Dear Customer,” or “Dear Member.”
They use incorrect grammar
Established companies often have entire departments dedicated to proofreading emails, so lots of incorrect punctuation, grammar, or spelling should be a red flag.
They send you an attachment
Scammers will occasionally attach files to their emails, hoping you’ll download them. These attachments can infect your device with malicious software or steal your information.
What can you do?
Once you know the common phishing tactics, it’s easier to keep your data safe. You can help others by reporting phishing attempts to the United States Computer Emergency Readiness Team, which will add them to a list of known scammers.