icon of two gears to show concept of expanded lessons Expanded Lesson 5 min read

5 Ways to Recognize a Phishing Scam

  • Facebook
  • Twitter
  • LinkedIn
  • LinkedIn Copied link to Clipboard!

You know scammers are out there, lurking behind friendly, seemingly legitimate emails and text messages.  They attempt to get your personal information, often by asking you to click on a link. The link will bring you to a website that looks like a legitimate website, but it only exists solely for fraudulent purposes. Did you know that most phishing scams arrive by email? Just 1% attempt to scam you by phone. How can you recognize a phishing scam so you don’t fall prey to one? There are five common giveaways that an email may not be legitimate.

1. Companies don’t request your personal information via email.

Unsolicited emails from a company that provide a link or ask you to verify your account details are often a scam. Companies don’t ask you for your bank account information or Social Security number.

2. Companies usually call you by name.

Scammers are sophisticated, but phishing attacks are usually sent to thousands of people at the same time. They often begin with something like, “Dear Customer” or “Dear Amazon Customer.” If this email was actually from your bank, your credit union, or a personal account, they would know who you were and call you by name.

3. Phishing emails prey on fear.

Common phrases used in phishing attacks are:

  • Changes to your health benefits
  • Action required: new login attempt
  • Payment declined
  • Security update required
  • Important: please read

Sometimes scammers will send an invoice for something that you didn’t order in the hopes that you will click on the link they’ve helpfully provided to cancel this order so they can get your sensitive information.

Certain companies are impersonated more often than others. The most impersonated companies in the first quarter of 2021 were:

  • Microsoft
  • Amazon
  • DHL
  • LinkedIn
  • IKEA
  • Chase
  • Rakuten
  • Google
  • PayPal

If you get an email from any of these companies, you should be suspicious. If you have any doubts, go directly to the website (DO NOT click on a link!) and log into your account. Some scam emails are one gigantic hyperlink, so if you click anywhere on the email, it will initiate a malicious attack.

Hackers are pretty good at recognizing opportunities. During times of general uncertainty, they know people are more anxious and might not be paying as much attention. At the start of the Covid-19 pandemic, phishing attacks increased significantly. During hotly contested political contests, they send out scam emails looking for contributions. The last round of stimulus checks brought a new set of scams.

If an email is targeted to you specifically, that’s called spear phishing. They could be after your financial information, but they could be gathering information to use later.

A newer scam is “sextortion”. Attackers claim they have video of you doing something compromising, and they ask for a ransom in exchange for not releasing the information. Delete the email immediately—they don’t have any such video.

Another thing you can do is enter the exact wording of the email message into a search engine. This will often identify scams.

4. Legitimate companies know how to spell and use grammar.

This is the easiest way to recognize a phishing scam. Legitimate companies employ people with excellent grammar and spelling skills to write emails for them. Did you know that hackers do this on purpose? They use awkward syntax and bad grammar as an attempt to pry on the uneducated.

If the email doesn’t read right, or there are errors especially in grammar or syntax, you should be suspicious.

5. Check the domain address.

This is often overlooked by even savvy consumers. Hover your mouse or your cursor over the link in the email address, and the destination address should appear in a bar along the bottom of the browser. If there is a string of random letters and numbers after the company name, it could be a phishing attack. Sometimes companies do include varied domains to send emails, in which case you should make sure that the link in the text matches the URL.

What to do if you’ve been phished.

If you think a scammer has obtained your information, go to IdentityTheft.gov and follow the instructions. You should also:

  • Change all of your passwords immediately. You should change your passwords every three months or so, but especially after a phishing attack. Consider using a password manager to keep track of them all.
  • Get anti-virus software and scan for viruses as soon as possible.
  • Disconnect from the internet as soon as possible. You may be able to prevent the hacker from gaining remote access to your computer or from installing malware.
  • Contact the company that was spoofed. Companies have departments dedicated to dealing with fraud. You can also report what happened to you to the Anti-phishing Work Group, which analyzes and works to prevent phishing attacks.
  • Watch carefully for signs of identity theft. If you gave out financial information, check your bank accounts and credit card accounts for signs of fraud. You should also contact credit reporting agencies to let them know. Keep an eye out for new credit inquires that you didn’t authorize.
  • File a report with the Federal Trade Commission (FTC).
  • Don’t be too hard on yourself. While most people think they can recognize a phishing scam, hackers know that it only takes one moment of inattention.

Hopefully, you won’t fall victim to a phishing scam but if you do, you’re definitely not alone. Scammers send phishing emails because they work. Not clicking on random links or attachments will go a long way towards protecting yourself.

Related Resources

View All