6 Ways to Spot Phishing Emails

What is phishing, and why should it concern me? 

A phishing attack is an attempt by fraudsters, usually posing as a person or organization you trust, to trick recipients into revealing sensitive information or otherwise handing over access to private systems. To avoid falling prey to a phishing scam, it’s important to be able to spot the common warning signs. While this article focuses on phishing emails, criminals use a variety of channels, including text messages, voice calls, and browser pop-ups, to lure victims.

Everyone is a potential target of phishing, and small to medium-sized businesses (SMBs) are no exception. A recent study of more than 1,600 SMB executives and human resource managers found that 60% of SMBs fell victim to a phishing attack in 2022. 39% of these lost at least $100,000 as a result, and 73% of respondents reported that phishing scams negatively impacted their business in the previous year. 44% reported stolen data, and more than a third said they lost business as a result of phishing attacks.  

How can I recognize a phishing attempt? 

There are several red flags that should alert you that an email is suspicious. If you notice any of them, don’t open attachments, click links, or reply until you have verified the message through a separate channel.

1. Public Email Domain 

The email is sent from a public email domain, such as Gmail, Hotmail, or Yahoo. A legitimate business will typically send from its own domain, which usually matches the name of the business, so be suspicious of any supposed business email that comes from a free account. Check the actual address after the @ sign, not just the display name: a display name can be set to anything, so a message shown as coming from “Acme Accounts Payable” can easily originate from a Gmail address. The reverse check is weaker. A matching company domain is reassuring but not proof, since sender addresses can be spoofed and legitimate accounts can be compromised.

2. Generic Greeting 

If a business has your name, it will usually use it when corresponding with you. If an email supposedly comes from an organization you do business with, but the greeting is generic (for example, “Hi there,” or “Dear valued customer,”), proceed with caution. This doesn’t necessarily mean the email is fraudulent, but it should prompt a closer look at the other signs below.

3. Subtle Misspelling of Trusted Business 

Often, attackers register domains that approximate the names of trusted businesses. Be on the alert for emails where the sender’s domain is a misspelling or lookalike of a trusted domain. This is a favorite tactic because it can be very difficult to detect without looking closely, and again it is the domain after the @ sign that matters, since the display name can say anything. Would you be suspicious of an email with these domains?

  • @MICR0S0FT.COM (Os are replaced with zeros) 
  • @MlCROSOFT.COM (I is replaced with lowercase L) 
  • @bIuefrog.com (lowercase L is replaced with uppercase I) 

When in doubt, copy the email address and paste it into a document where you can change the formatting. Switching between uppercase and lowercase exposes the I-for-l swaps, although digits stay digits, so the zeros in the first example only stand out when you read the address slowly:

  • @micr0s0ft.com
  • @mlcrosoft.com
  • @biuefrog.com

4. Poor English Usage 

The email contains incorrect spelling, poor grammar, or odd sentence structure. While the occasional typo appears in legitimate business emails, many errors or strange turns of phrase can indicate a phishing attempt, partly because campaigns are often run from outside the country they target by people who are not writing in their first language. Treat this as one signal among several, though: a carefully crafted phishing email can be written in flawless English, so good language is no proof of legitimacy. If it doesn’t read like a typical business email, it probably isn’t.

5. Sense of Urgency 

The email evokes an emotional response and creates a sense of urgency. A popular way of doing this is the “fake boss” variant of business email compromise (BEC), in which an attacker posing as an executive demands that a payment or purchase be made right away. If you receive an email that raises an alarm or asks you to take immediate action, stop right there. Hackers use this tactic to leave targets little time to question what’s being asked of them. If you think an “urgent” email might be legitimate, verify it by contacting the supposed sender another way: call a phone number you already have on file (not one given in the email), or type the organization’s known web address into your browser yourself. DO NOT click any links in the email.

6. Suspicious Links 

The email contains suspicious links. Often, scam emails ask recipients to click a link that leads to a bogus website, where users are prompted to enter sensitive information or download malware. The email might tempt users with too-good-to-be-true offers. Never click a link in an email unless you’ve verified that its real destination is the legitimate site.

Scam links can be hard to spot when URLs are hidden behind link text or clickable graphics like call-to-action buttons. On a laptop or desktop computer, hover over the link without clicking and the real destination appears in the status bar at the bottom of the browser or mail client window. On a mobile device, press and hold the link to see its destination in a pop-up window. Then read the address carefully: the part that matters is the domain just before the first single slash, and a familiar name can be planted elsewhere in the URL (in a subdomain, in the path, or before an @ sign) to make a hostile address look trustworthy. Shortened links and redirect services only reveal their first hop, so treat them as unverified.
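The hover check above can be done for every link in a message at once, which is useful when triaging a reported email. The following is an added example, not code from the original article: it parses the HTML body, pairs each link’s visible text with its real href, and flags the tricks described above (display text that names one site while the link goes to another, a trusted name planted before an @ sign, a raw IP address) plus one the article does not cover, a domain spelled with lookalike Unicode characters, which shows up on the wire in punycode (xn--) form. The HTML body and every host in it are constructed for the demo.

```python
"""Reveal where the links in an HTML email really go (red flag 6 above).

Added illustration, not code from the original article. The HTML body and
the hosts in it are constructed for the demo; none of them are real sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A lookalike host: "microsoft" with a Cyrillic о (U+043E) in place of the
# Latin o. Mail clients may show the Unicode form; the actual hostname is the
# punycode form produced here (xn--micrsoft-qbh.com).
LOOKALIKE_HOST = "micr\u043esoft.com".encode("idna").decode("ascii")

# Constructed sample body. 203.0.113.5 is a documentation-only address.
SAMPLE_HTML = f"""
<p>Your account will be suspended in 24 hours.</p>
<p><a href="https://account.microsoft.com@login-verify.example/reset">https://account.microsoft.com</a></p>
<p><a href="https://www.microsoft.com/account">Manage your account</a></p>
<p><a href="http://203.0.113.5/invoice.exe">View invoice</a></p>
<p><a href="https://{LOOKALIKE_HOST}/billing">Update billing</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(a: str, b: str) -> bool:
    """True if one host equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def inspect_link(href: str, text: str) -> list:
    """Return the reasons a link looks suspicious (empty list = none found)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # "https://trusted.example@evil.example/" really goes to evil.example
        reasons.append(f"userinfo {parts.username!r} before @ disguises host {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host (lookalike Unicode characters)")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain")
    # If the visible text itself looks like a URL or domain, it must match
    # the real destination.
    shown = text.lower()
    if shown and "." in shown and " " not in shown:
        shown_host = urlsplit(shown if "://" in shown else "//" + shown).hostname or ""
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown_host) and not same_site(shown_host, host):
            reasons.append(f"text shows {shown_host} but link goes to {host}")
    return reasons


def inspect_html(body: str) -> list:
    """[(href, visible text, reasons), ...] for every link in the body."""
    collector = LinkCollector()
    collector.feed(body)
    return [(href, text, inspect_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in inspect_html(SAMPLE_HTML):
        print(f"{text!r:32} -> {href}")
        for reason in reasons:
            print(f"    ! {reason}")
```

Links that raise no reason are not thereby safe; the script only surfaces the mismatches a human would otherwise have to hover over one by one.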

What can happen if I fail to spot a phishing email? 

If you or your employees are taken in by a phishing email, the damage can be serious. Opening a malicious attachment can infect your computer, and any systems it can reach, with malware, including ransomware. Business leaders and employees are also frequently tricked into revealing login credentials, which can expose bank accounts, personally identifiable information, and essential internal systems to criminals. This can not only cost your business money but also undermine the trust of your customers and damage your brand.

Create a culture of cybersecurity. 

To protect your business against phishing attempts, it’s important to educate yourself and your employees about cybersecurity best practices. Implementing cybersecurity awareness training is an important step. Train employees at onboarding and periodically afterwards to keep them abreast of the latest threats, and make it easy and blame-free to report a suspicious email, since an early report lets you warn everyone else who received the same message. Secure offboarding practices are also essential to prevent former employees from continuing to access critical systems. To learn more about creating a culture of cybersecurity in your workplace, explore Pendello’s cybersecurity services, or find more free tips on our blog.