Email safety 101: how to spot a phishing scam
Phishing emails are the most common form of cybercrime. Learn how to protect yourself and your business with our four top cybersecurity tips.
"Phishing". It sounds so innocuous, doesn't it?
Like, "pack your rods and bait – we're going to do a spot of phishing in the sunshine".
Not so fast. While we love the sound of an afternoon on the lake, this is a very different, err… kettle of phish.
Email phishing is a kind of cyber attack where scammers pretend to be someone they're not. These digital crooks want to catch you when your guard is down – they're hoping that you'll share some personal info or click a seemingly harmless link.
And when you fall for it, there's no going back.
Individuals might become victims of identify theft, or see their coffers drained in nothing flat. Businesses have it even harder – they're more likely to be targeted with ransomware attacks, where online outlaws encrypt data and demand a hefty fee to regain access.
It gets worse. Email phishing is the most common form of cybercrime, with phishing in general accounting for approximately 90% of data breaches. And it's not going away anytime soon.
Needless to say, it pays to learn how to protect yourself. In this post, we'll show you how to recognise phishing email scams with the help of our four easy-to-learn tips.
Read them. Absorb them. Say them out loud. Heck, put them on your Walkman and listen to them in your sleep if you have to. You'll thank us later.
1. Look for personalisation...
...or, rather, look for the lack of it.
See, scammers aren't the most detail-oriented bunch. They want to make a quick bit of cash, so will often shoot off dozens of emails in the hope that one or two land. It's a bit like hitting 100 golf balls simultaneously, then crossing your fingers you get a hole in one.
Your bank or insurance company, say, are likely to address you by name. Partly because they already have your details on file, and partly as a confidence measure. They want to make it loud and clear that they're not trying to scam you.
However, THIS IS NOT A HARD AND FAST RULE. Ahem… sorry for shouting, but we really can't stress this enough.
These kinds of wide-net scams often target many individuals at once. It's just not in the scammer's interest to research each of their victims one by one. Time is money, as they say.
Things change when businesses are in the firing line. By defrauding a business, swindlers have more to gain – so they're more likely to do their research and add personal details to their emails.
So think of it as a useful rule of thumb, but nothing more. You should never consider an email safe just because it includes personalisation.
2. Look for a WEIRD amount of URGENCY
We all know what "marketing speak" sounds like. We see and hear it every day – on our televisions, in our search results, from overenthusiastic salespeople. So far, so normal.
But in the world of phishing, this kind of urgent language is taken to extremes.
Here's the thing. Marketers know how to push our buttons. They'll often use snappy, insistent words to convince us to do a thing – and do it quickly.
Phishers might use a similar style, but it's cranked up to 11. They're not interested in entertaining us or selling us a compelling brand story. They just want our data, or cash, or a bit of both.
Or, to put it another way, it's the difference between this…
Sign up today and discover a new world of cost savings
…and this…
URGENT: PAYMENT FAILED. WARNING your account will be locked if you don't update your details TODAY
If you haven't had your morning coffee, or you had a rough night, you might have to squint to see the difference. But be on your guard – these moments of weakness are exactly what scammers are hoping to exploit.
3. Unleash your inner pedant
Nobody likes a grammar snob – except for other grammar snobs. Put two together and they'll talk for hours about Oxford commas and split infinitives… and put whole rooms of people to sleep in the process.
However, it's sometimes worth letting your inner stickler shine through. At least for scam-spotting purposes.
See, if there's one thing scam emails are famous for, it's poor spelling and grammar. That's why you'll often see sentences like "send you're reply quickly" or "I am the corwn prints of Liechtenstein, and I have a urgent and specail request".
Some claim this is intentional – that scammers include dodgy grammar on purpose because gullible people are less likely to spot it. However, we think it's more likely that cybercriminals tend to be non-native English speakers. There are nearly eight billion people on Earth, after all, and only 400 million of them (or about five per cent) speak English natively.
In any case, the phenomenon is real. If you get an email from Barclays, but it's spelt "Barcalys", consider it suspicious.
4. Check links and addresses
BIG WARNING. You should never click a link in a suspicious email. In fact, you should make a habit of checking all email links before you click through.
You can do this by hovering over the link (again, DON'T CLICK). Most web browsers and email clients will display a preview of the target address, which you can scrutinise like the digital detective that you are.
Say an email purports to be from Apple. If it links to www.apple.com, then there's a good bet it's real. If it sends you to www.dodgy-domain56.scam, then you should think twice before clicking it.
But be aware – these online imposters will often attempt to trick you with a link that looks real. For instance, they might try to send you to apple-payment.fakesite.org or www.appl3.com. This is known as "URL spoofing".
You can apply the same thinking to the sender's email address. An email from Apple is likely to be sent from an @apple.com domain. If it's come from barry538229@scamparty.com, be on your guard.
But you should be doubly careful with this. Because, with a little technical trickery, scammers can make it look like their email came from a legitimate domain.
As usual, it's a rule of thumb – not a surefire scam detector.
Next steps
We hope you found our email safety tips useful. Keep them in mind, and – fingers crossed – you'll know how to spot a phishing attack before it happens.
But while that's all well and good for your own inbox, things get more complicated when you're trying to protect an entire business.
Not to scare you, but it only takes one sleepy employee to click a malicious link, and – BAM! – your whole company is compromised.
It's enough to give you nightmares. But don't worry – we can help. Think of us as your cyber nightlight.
One way to bolster your online defences is to achieve a cybersecurity certification. We offer two types of accreditation: Cyber Essentials and ISO 27001. Either way, we'll be with you every step of the way to help you pass with flying colours.
Alternatively, you could consider engaging us for ongoing IT support. We've put together packages to suit businesses of all sizes – and all have security protections built in.
(One more thing. Why not sign up for our Knowledge Hub mailing list? You'll get tech tips like this delivered straight to your inbox. Cool, right?)
