Phishing is the primary attack method in the cybercriminal's playbook

These attacks try to trick you into taking an action such as clicking a link, opening an attachment or responding with sensitive information. We’re all a target, both at work and at home, because our information — and our devices — are worth good money to cybercriminals. Read on to learn how to spot phishing so you don’t take the bait!

Identify the red flags of phishing

Lack of personalization
Did the email use a generic salutation such as “Dear Customer” or nothing at all? Service providers usually know who you are and typically personalize emails with your name and the last few digits of your account number.

Bad spelling and grammar
Legitimate businesses go out of their way to proofread their email. If an email has lots of spelling mistakes or improperly worded sentences, it’s probably a phish.

Strange website links
If you hover your mouse over a website link, you’ll see the actual destination of the website you’re about to visit (on some mobile devices you can accomplish the same thing by holding your finger on the link for a second or two). If that location differs from the way the link is written in the email, it’s a good indication of an attack.

Suspicious attachments
If you don’t know the sender, or receive something from a friend that looks suspicious, don’t open the attachment. If it is from someone you know, you can always pick up the phone and give them a quick call to make sure they actually sent the email.

Requests for sensitive information
Be suspicious of requests for sensitive information such as user IDs and passwords, financial account numbers, health information or Social Security numbers.

Unfamiliar sender
The sender is someone you do not know, and the email address is one you’ve never seen before or looks different than it should.

Authoritative-sounding sender
A person representing a company or entity sends an email asking for information they should already have.

Blank or “undisclosed” recipients
Sometimes phishing emails are sent to a lot of people. Other times you see something like “undisclosed recipient list” in the “To:” field. Both are potential red flags.

Urgent call to action
Messages of an urgent nature, or ones demanding immediate action, are a common way to rush people into making mistakes and are another good indicator of phishing.

If you received an external email that you think you need to do your job but you aren’t sure whether it’s safe, here are some tips to help you verify it on your own. Proceed with caution!

Advanced techniques to identify phishing

  • Do an online search to make sure a company exists and the contact information they provide — such as address and phone number — is correct.
  • Try to do an online people search via LinkedIn or Google to verify that the person sending the email works at the company listed.
  • Navigate the company’s website in a browser to see whether the URLs in the email match up. If they do, the email is probably safe.
  • If you do business with the company, use your own contact information to verify that the email you received is legitimate. Call them directly!
  • Ask someone you know at work whether they recognize the company and/or person who sent you an email.