What Is a Phishing Email and 5 Ways to Spot One

We consume five times more information every single day than we did just a few decades ago, and it’s all thanks to multitasking. You’re clicking links, opening emails, and responding at record speed all day, every day—during meetings, at your nephew’s swim meet, in line at that fancy artisanal cheese shop you love, and, yes, even while avoiding your kids at home in the bathroom.

We get it. You’ve got a lot to do and a lot of stuff to get through, but multitasking distractedly isn’t a great habit if you’re living a security-minded lifestyle. So, before we get into what a phishing email is and how to spot one a mile away, you’ve got to do one thing first: focus.

If you’re as distracted as we know you are, clicking on all of those links and opening emails and sending unnecessarily speedy replies is exactly how you can get sucked into a phishing scam. Now that we have your undivided attention, let’s do this.

What Is a Phishing Email?

Phishing emails are messages that appear to come from a familiar source and to carry legitimate information but are, in truth, after your private and sensitive information. “Phishing” is a twist on “fishing” because cybercriminals are essentially throwing out a fake “lure” and hoping recipients like you will “bite.”

The lure? An email that looks legitimate but is quite the opposite. The bite? You replying or clicking on a shady link and delivering private information to a happy cybercriminal on the other side of the screen.

Although phishing emails may ask you to reply with sensitive login or banking information, they most often include links to fake websites that can steal passwords, sensitive account information, login details, and credit card numbers.

Phishing and Ransomware

Most of the time, phishing emails come chock-full of hell-raising ransomware, which is usually spread through a malicious attachment or by getting someone to unknowingly click a link to visit an infected website.

Then, malware is downloaded and installed on the person’s device without their knowledge. Finally, a poorly written ransom letter appears in a pop-up, and the cybercriminal promises to free up the device and any stolen data once a ransom is paid—most often in a hard-to-trace cryptocurrency such as bitcoin. Until the user pays, their data, computer, and livelihood are held hostage.


5 Ways to Spot a Phishing Email

If you’re worried about being able to spot a phishing email, we’ve got your back. Here are five solid questions you can ask to sniff out an email with bad intentions:

1. Who is it from?

Phishing emails usually pretend to be from a friend, a colleague, or someone you consider intimidating like the CEO of your company. Take a look at the actual sender’s email address and make sure it’s a legitimate domain and name and not something decidedly fake like “fedexcustomerservice@hotmail.com.”

2. Who is it to?

Is the email actually addressed to you? If the email looks like it’s from HR and the greeting is something like “Dear Employee” but it’s asking for sensitive information, it’s probably fake. Do you really think the head of HR would email you asking for your login information without using your name?

3. What is the context?

Ask yourself about the context of the email. For example, if the email appears to be from FedEx about a package you have coming but you didn’t order anything that is being shipped via FedEx, it’s probably a phishing email. If you get an email from your doctor suggesting you try out the newest diet pill, you might want to think twice about clicking the link. Would your doctor really throw diet pill ads your way? Probably not. If yes, you might need to find a new doctor.

4. How is the grammar?

Believe it or not, cybercriminals don’t pour hours into their phishing attempts. Look for misspelled words, misspelled brand names, random capitalization, and other grammar mistakes that seem off.

5. Are the links to real websites?

Although not all phishing emails have links or attachments—some will just ask you to reply with sensitive information—many do. To check whether the links go to real websites, hover over them and see where they’re actually going. If it’s a phishing email, chances are the link that says “bankofamerica.com” is actually linking to “banofamerica.com/badguyswantyourmoney/gotcha.html,” which is 30 shades of bad news.
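Checks 1, 2 and 5 above can be automated on a saved message, which is handy for a security team triaging reports. The script below is an added example and is not part of the original article: it parses a constructed phishing email, compares the sender’s display name and mailbox name against the domain the mail was really sent from, looks for a generic greeting, and compares each link’s visible text with the host its href actually points to. The free-mail and brand domain lists, the generic-greeting list and the sample message are assumptions made for the example.

```python
"""Automate three of the five phishing checks on a raw email message."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: consumer mail providers a company's own support desk would not send from.
FREE_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}
# Assumption: brands named in the article and the domain their own mail would come from.
BRAND_DOMAINS = {"fedex": "fedex.com", "bank of america": "bankofamerica.com"}
# Assumption: greetings a colleague or vendor who knows your name would not use.
GENERIC_GREETINGS = ("dear employee", "dear customer", "dear user", "dear account holder")
# Visible link text that itself looks like a domain or URL, e.g. "bankofamerica.com".
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Lower-cased host of a URL, or of bare text such as 'bankofamerica.com'."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def check_sender(from_header):
    """Check 1: does the name the sender shows match the domain they really sent from?"""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    findings = []
    if domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender {addr} uses free-mail domain {domain}")
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in f"{name} {local}".lower() and domain != real_domain:
            findings.append(f"'{brand}' in sender but domain is {domain}, not {real_domain}")
    return findings


def check_greeting(html_body):
    """Check 2: a message that asks for something but does not use your name."""
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    return [f"generic greeting {g!r}" for g in GENERIC_GREETINGS if g in text]


def check_links(html_body):
    """Check 5: does the link text show one site while the href goes to another?"""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not LOOKS_LIKE_URL.match(text):
            continue  # "click here" style text makes no claim about the destination
        shown, actual = _host(text), _host(href)
        if shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings


def analyse(raw_message):
    """Run all three checks over a raw RFC 5322 message with an HTML body."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return check_sender(msg.get("From", "")) + check_greeting(body) + check_links(body)


# Constructed sample message for this example; not a real email.
SAMPLE_EMAIL = """\
From: FedEx Customer Service <fedexcustomerservice@hotmail.com>
To: employee@example.com
Subject: Your package is waiting
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer, a delivery fee is outstanding. Pay it at
<a href="https://banofamerica.com/badguyswantyourmoney/gotcha.html">bankofamerica.com</a>
or track your parcel <a href="https://example.com/track">here</a>.</p></body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, `analyse` reports four findings: the free-mail sender domain, the FedEx name on a non-FedEx domain, the generic “Dear Customer” greeting, and the link whose text says bankofamerica.com while its href goes to banofamerica.com. The link check deliberately ignores anchors whose text is a phrase like “here”, because such text makes no claim about the destination; a human still has to hover over those, exactly as the article says.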

If you get an email that doesn’t have any of these classic signs of a phishing email and you’re still in doubt, report it to the security or IT team immediately. What’s the worst that could happen? You’ll either save yourself the trouble of giving a cybercriminal access to your savings account or get a note from IT saying it’s legit and to click away.

Educate the Masses

As many as 30 to 40 percent of employees will click on a scam email—and the only way to protect and empower them is by shifting mindsets and delivering opportunities to learn more about best practices and the right security habits.

One easy way to help employees avoid phishing emails? Remind them to take four or five seconds to consider the email or link they’re looking at before responding or clicking. This will require some coaching on how to not be completely distracted and multitasking 24/7/365, but it works.

Also, teach employees to use a password manager, make sure they know about using anti-malware software, let them know how to report suspicious emails ASAP, launch a phishing training program, and back it all up with a security awareness ambassador program.
