Nationwide cybersecurity and fraud guidance resources and articles can help protect your digital information.

Phishing attacks try to trick you into taking an action, such as clicking a link, opening an attachment or responding with sensitive information. We’re all a target, both at work and at home, because our information – and our devices – are worth good money to cyber criminals. Read on to learn how to spot phishing so you don’t take the bait.

Identify the red flags of phishing

Lack of personalization

Did the email use a generic salutation such as ‘Dear Customer’ or nothing at all? Service providers usually know who you are and typically personalize emails with your name and the last few digits of your account number.

Bad spelling and grammar

Legitimate businesses go out of their way to proofread their email. If an email has lots of spelling mistakes or improperly worded sentences, it’s likely a phish.

Strange website links

If you hover your mouse over a website link, you will see the actual destination of the website you’re about to visit (on some mobile devices you can accomplish the same thing by holding your finger on the link for a second or two). If that location differs from the way the link is written in the email, it’s a good indication of an attack.

Suspicious attachments

If you don’t know the sender, or receive something from a friend that looks suspicious, don’t open the attachment. If it is from someone you know, you can always pick up the phone and give them a quick call to make sure they actually sent the email.

Requests for sensitive information

Be suspicious of requests for sensitive information, such as user IDs and passwords, financial account numbers, health information or social security numbers.

Unfamiliar sender

The sender is someone you do not know, and the email address is one you’ve never seen before or looks different from what it should be.

Authoritative-sounding sender

A person representing a company or entity sends an email asking for information they should already have.

Blank or “undisclosed” recipients

Sometimes phishing emails are sent to a lot of people. Other times you see something like “undisclosed recipient list” in the “To:” field. Both are potential red flags.

Urgent call to action

Messages of an urgent nature, or requesting an immediate call to action, are a common method used to rush people into making mistakes and are another good indicator of phishing.

External emails

If you think you received an external email that you need to do your job, but you aren’t sure if it is safe, here are some tips to help you verify on your own whether an external email is safe. Proceed with caution!

Advanced techniques to identify phishing

  • Do an online search to make sure a company exists and the contact information they provide – like address and phone number – is correct.
  • Try to do an online people search via LinkedIn or Google to verify that the person sending the email works at the company listed. 
  • Navigate the company’s website in a browser to see if the URLs in the email match up. If they do, then the email is likely safe.
  • If you do business with the company, use your own contact information to verify that the email you received is legitimate. Call them directly!
  • Ask someone you know at work if they know the company and/or person who sent you an email.