Spot that Phish

By now, you’ve probably heard about “phishing” emails. Perhaps you even know about these dangerous messages from personal experience. These malicious attacks are a common method used by those trying to steal your personal (or business) information.

But how to spot them? Many of us receive dozens of emails each day, from various sources and for various reasons. How can we know which messages are legitimate and which are fake? How can we avoid clicking on the scammer’s link (thinking it’s a friend) or deleting the friend’s email (thinking it’s a scammer)?

Before laying out a few tell-tale signs to look for, one bit of overarching advice seems most helpful: cultivate a sense of caution. Like it or not, your inbox is not a place to let your guard down, and a healthy sense of watchfulness when going through your messages for the day goes a long way towards preventing you from biting onto a thief’s hook.

That said, even a sense of watchfulness needs something to watch for, so here are some specific signs that a message may not be what it claims:

  1. Bad Grammar or Unnatural Wording: No, we’re not encouraging you to play the grammar police with a message from your brother, but if an email claims to be from an institution like your bank, a large business, or a government agency, it should come to you as a polished document. These organizations pay people to craft careful communication. Obvious grammar mistakes, unnatural wording, or misspellings are a bright red flag that a message is not what it seems.
  2. Suspicious URL: This one takes a bit more focus, but before clicking a link in an email, you can usually hover your mouse over it (or give it a long click) to see the actual destination URL. Hackers try to disguise both the link and the URL that goes with it, but with a little close scrutiny, there are tell-tale signs of a scam.

We’ll highlight two: First, you want to make sure you see HTTPS and not HTTP at the very beginning of the URL. HTTP is the old protocol and is not secure or private; you never want to enter personal information on this type of website. Make sure the URL begins with the newer, far more secure HTTPS protocol. Keep in mind that HTTPS only protects the connection; a scam site can use it too, which is why the second check matters.

Second, pay close attention to what comes right before the first single “/” after the “https://” in the destination URL. For example, consider the following two addresses:

https://mail.psmail.net/dashboard/

and

https://mail.psmail.net.security.alert.com/dashboard/

Notice that both of these URLs contain “mail.psmail.net”. However, only one of them is legitimate. It’s what comes right before the first single slash (the one after “https://”) that counts:

https://mail.psmail.net/dashboard/

or

https://mail.psmail.net.security.alert.com/dashboard/

This is the domain name and tells you where a link is taking you. Sometimes, it’s simple: In the first example, you can see that the link is actually taking you to PSMail’s website (mail.psmail.net). In the second example, however, even though mail.psmail.net has been included, the actual destination is security.alert.com. The hacker just used mail.psmail.net to disguise his malicious website, security.alert.com, and if you weren’t paying attention, you’re probably in for a headache.

If you’d like to read a little more about spotting fake URLs, check out this article.

  3. Urgency: Scammers want you to act fast and without thinking. If they can scare or entice you into making a split-second decision, they know you won’t notice the little tell-tale signs (see above) marking their message as a scam. Threats of jail or loss of assets, as well as promises of too-good-to-be-true rewards, are almost certainly scams. So don’t click that link! Pause, take a breath, and if you have real concerns that an email might be legitimate, contact the business or organization directly via their own website, not through the email message.
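
The two URL checks from sign 2, written out as a small Python script that also does the "hover" step by comparing each link's visible text with its real destination. This is an added example, not part of the original article; the expected domain (psmail.net), the function names and the sample email body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "psmail.net"  # assumption: the site the reader expects to reach

def check_link(url, expected_domain=EXPECTED_DOMAIN):
    """Return a list of warnings for one destination URL (empty list = passed)."""
    parts = urlsplit(url)
    # .hostname is only the host: no scheme, port or path, already lower-cased.
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    # The host must BE the expected domain or END with "." + domain.
    # Containing the trusted name somewhere in the middle does not count.
    if host != expected_domain and not host.endswith("." + expected_domain):
        warnings.append(f"destination host is {host!r}, not under {expected_domain}")
    return warnings

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_email(html_body):
    """Return (visible text, real destination, warnings) for each link."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(text, href, check_link(href)) for text, href in collector.links]

# Constructed sample body built from the two addresses used in the article.
SAMPLE = """
<p>Your mailbox is almost full.</p>
<a href="https://mail.psmail.net/dashboard/">Open dashboard</a>
<a href="https://mail.psmail.net.security.alert.com/dashboard/">https://mail.psmail.net/dashboard/</a>
<a href="http://mail.psmail.net/dashboard/">Log in</a>
"""

if __name__ == "__main__":
    for text, href, warnings in audit_email(SAMPLE):
        print(f"{text!r} -> {href}: {warnings or 'ok'}")
```

The second sample link is the case the article warns about: the text shown to the reader is the genuine address, while the destination host merely contains it.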

These three steps, combined with a growing sense of caution, will help identify and avoid a large portion of the phishing emails out there. For more in-depth tips and things to watch for, you can check out these articles or take Google’s online quiz, which tests your ability to identify phishing emails.

Five Ways to Spot a Phishing Email

10 Tips for Spotting a Phishing Email

Google’s Quiz
