How to Spot a Phishing Email

You just received an email from Visa stating that suspicious activity has been detected on your credit card. You're instructed to click on a link to verify your security information.

Only thing is, you don't have a Visa card.

While it might be easy to avoid falling for this particular phishing email, many fake messages are harder to spot and ignore. Before you follow the links in a random email, follow these tips to keep from being lured into an online phishing scam.

What Is a Phishing Email?

A phishing email is a fraudulent message that might trick you into revealing sensitive information or granting access to private records and financial accounts. Cybercriminals design these fake communications to look like they're from legitimate companies or people, making them difficult to detect or stop.

Are Phishing Emails a Big Problem?

In a word, yes — phishing emails are a huge problem in the United States and beyond.

An estimated 3 billion phishing emails are sent around the world each day, with Google alone blocking 100 million of these malicious messages on its Gmail platform. The world's largest email provider also scans more than 300 billion attachments for malware every week.

Although most phishing attacks don't succeed, the ones that do prove costly. In 2020, phishing emails accounted for roughly $50 million in losses among more than 240,000 victims, according to the FBI.

"There's no rest for the wicked," says Jeff Catalfamo, senior information security analyst at PenFed. "You always have to be on guard — 24 hours a day, 7 days a week, 365 days a year."

How a Phishing Email Works

Phishing emails attempt to connect with you on an emotional level. This manipulative method, known as social engineering, typically appeals to one of four emotional senses:

• Kindness: Asks you to help a specific person or group accomplish something.
• Fear: Invites you to protect your bank account or remove viruses from your computer.
• Greed: Offers to help you make money quickly and easily.
• Duty: Insists you perform a task requested by an authority figure.

"These emails play on hopes and fears, and there's always a sense of urgency to them," Catalfamo says. "Scammers know we're often too busy and not paying attention to the details or we're just too trusting. That's why phishing emails work — people don't take time to read them carefully and think about them."

How to Spot a Phishing Email

Most phishing emails try to mimic a company or brand that you know and trust. Scammers use logos, fonts, and letterhead that resemble actual corporate materials, which makes fake messages easy to mistake for the real thing if you aren't paying attention.

Although phishing emails vary in terms of sophistication, they all have telltale signs. Be wary of communications that include or request:

Urgent Action

Emails that encourage you to act quickly to take advantage of a special offer to avoid penalties and other negative consequences are often phishing emails. This approach attempts to rush you to, say, provide a password or open an attachment before you've had time to study the message for clues that it's fake.

Sensitive Data

If you receive an email that asks you to enter login credentials, payment information, or other potentially sensitive data, use caution. Scammers often create messages that appear to come from a trustworthy source like your credit union or bank, when the email actually links to a fake site where they can capture your personal information or account details.

Obscure Addresses

Email addresses and domain names that seem obscure should raise concerns. For example, if the message comes from an address like info@mail.paypalco.com rather than info@paypal.com or a URL is spelled oddly (for instance, www.targit.com instead of www.target.com), chances are it's phony.

Embedded Links

Before clicking on any link embedded in an email, hover your mouse pointer over it to highlight the address where it's trying to direct you. If the URL looks strange, differs from the stated source of the email, or doesn't start with https:// to indicate it's a secure site, steer clear.

Bad Grammar

Misspelled words, incomplete sentences, missing punctuation, and odd phrasing are often found in phishing emails. Barring rare exceptions, most reputable organizations will proofread their messages before hitting Send, so take note if you receive a poorly-written email with obvious grammatical errors.

Distorted Images

Cyber thieves like to use logos and other visuals downloaded from the websites of popular companies to make their phishing emails seem more authentic. However, these reproduced images are usually distorted, sized incorrectly, or blurry — definite red flags if you see them in an email.

Suspicious Attachments

Attachments should always be treated with suspicion, especially if they come from an unknown source. Look out for unusual extensions too (.zip, .scr, .exe, .bat, and .vbs, to name a few). When in doubt, don't click to download or open the file.  

Exaggerated Claims

Emails that claim you'll win a prize by clicking on a link or opening an attachment shouldn't be trusted. If something sounds too good to be true…well, you know, it probably is.

What to Do if You Respond to a Phishing Email

A fake email from Amazon urging you to log in to your account in the next 30 minutes to claim a $50 gift certificate, in and of itself, is harmless. But when you open an attachment or click on a link in the fraudulent message, you're lifting the digital lid on Pandora's box. 

If you accidentally respond to a phishing email, time is of the essence. You need to immediately:

1. Disconnect from the Internet. This will help reduce the risk of malware spreading to other devices on your network. It will also prevent hackers from remotely tapping into your system.
2. Back Up Your Files. Since data can be lost or erased when recovering from a phishing attack, you should regularly save copies of all digital files — including invaluable items like family photos and videos — to an external hard drive or cloud storage. But if you haven't backed up in a while, go ahead and do it now.
3. Scan for Malware. If you have anti-virus software on your computer (and you should), run a complete scan and follow the instructions to remove or quarantine any malware. If you don't have an anti-virus program, take your machine to a tech specialist like Geek Squad.

Once you've addressed the most pressing issues, you should quickly move to:

1. Change Online Credentials. From a secure connection, change the login information for all of your online accounts, including email, online banking, utilities, retailers, social media, and anything else you access via the internet. Make sure to use different usernames and passwords for each account.
2. Contact Your Bank. If you entered account information or credit card numbers, unauthorized withdrawals or charges are likely soon to follow. Your financial institution and credit card company will guide you through the process of locking down your accounts and minimizing the impact.
3. Notify Credit Bureaus. If you suspect or know that cyber thieves have gained access to your personal information, you should file a fraud alert with one of the three main credit bureaus and they will alert the other two.

You may also want to put a credit freeze on your credit report to prevent new credit accounts from being fraudulently opened in your name. With a freeze, you'll need to contact all three bureaus separately:

• Equifax
• Experian
• TransUnion

How to Report a Phishing Email

Spam and online scams have become so commonplace that you might be inclined to simply ignore any suspicious messages you receive.

While that's the easiest thing to do, taking the time to report phishing emails can help in the fight against cybercrime. It's important to:

• Forward phishing emails to the Federal Trade Commission (FTC) at spam@uce.gov. As an added step, send phony communications to the business or organization that the email claims to represent so they're of the misrepresentation.
• File a complaint with the FTC if you're victimized by a phishing attack. Identitytheft.gov provides tips to limit damage caused by identity theft and resources to guide you through the recovery process.
• Report online crimes — including phishing emails and related fraud — to the FBI's Internet Crime Complaint Center. You can also file a complaint on behalf of someone else if you believe they've been scammed.

Email service providers like Gmail and Outlook have even programmed shortcuts into their software to make it easier to report phishing. A quick search in either app will show you where to go.  

How to Prevent Future Phishing Emails

Although there's no fool-proof way to prevent every harmful email from reaching your inbox, you can reduce the number of unwanted messages you receive. Here are some more Dos and Don'ts:

The Takeaway

Phishing emails are common cyber threats that can wreak personal and financial havoc on anyone who takes the bait.

However, if you learn to stay away from unsafe links and attachments, identify fake messages, and remain vigilant, cybercriminals won't be able to get their hooks in you.

"I've yet to find a phishing email that you can't spot," Catalfamo says. "There's always something that will give one away. You just have to look for it."