Unfortunately, phishing emails are getting better (or worse): the attackers are improving the format, style and language to make them more believable. Most don’t start “greetings, I have big big time oil deal for you, just share bank details…” anymore.
Fortunately, there are still signs to look for that an email isn’t genuine.
Many phishing emails we’ve seen open with a generic greeting (e.g. “Dear customer”) rather than the recipient’s actual name.
This is particularly relevant to phishing emails purporting to be from organisations you would sign up to personally (e.g. PayPal). The technology needed to insert your name into an email is not complicated, and the genuine organisation would normally use it, so when your name is missing it’s a strong sign of fakery.
That’s not to say that every email you receive to “Dear customer” is a phishing attempt though! Use this alongside other ‘features’ in the email to assess its authenticity.
We’ve seen hundreds of phishing emails that, at first glance, appear to be from a genuine source, but the address they were actually sent from has nothing to do with the company they claim to be from.
Legitimate organisations sending emails to users will usually do so from a ‘domain’ (the part of the address after the @) that matches their website (e.g. our email addresses end in “swgfl.org.uk”, and our website is “https://swgfl.org.uk”).
You can check by hovering your mouse over the ‘sent from’ address, and looking at the actual address. Sometimes the differences are small (e.g. an additional number or letter added), so look closely.
Also bear in mind that sometimes companies do use alternate domains for different purposes, so this isn’t a 100% accurate method of checking.
An oldie but a goodie. Most legitimate organisations will compose their emails properly, with accurate spelling, punctuation and grammar, and a general ‘tone and purpose’ (see more on this below) that tends to be consistent from email to email.
Despite technological advances and greater sophistication in phishing attacks, it’s still common to find spelling and grammatical errors: careful reading of emails often means phishing attacks with these errors can be spotted.
Generally, genuine organisations will not request sensitive information from users via email. If an email has a link or attachment, and instructions to provide sensitive information in order to achieve something (e.g. a tax refund) or avoid something (e.g. an online account being closed), it’s probably phishing.
Genuine organisations will also tend to communicate with users in a consistent way. If their emails don’t usually contain links, but all of a sudden one arrives that does, it’s a sign that it’s phishing or another type of email scam.
This consistency also applies to the organisation’s writing style (or ‘tone’) and the reason they email you (the ‘purpose’). Phishing emails often try to make a user action more urgent by stating that if it’s not completed within a short period of time there will be consequences.
Take care as well with emails that you don’t recognise that want you to reply. Whilst there mightn’t be a link or attachment to be wary of, attackers sometimes send out an initial email purely to identify a smaller list of people (those who respond to it) to send the actual phishing email to. This plays on the ‘commitment and consistency’ principle set out previously.
Most phishing emails attempt to get users through to a website where the sensitive information will be entered. Whilst genuine companies do use links in emails, links are so common in phishing emails that it’s worth checking them closely.
You can check the URL behind a link by hovering your mouse over it. If the URL of the link doesn’t match the organisation’s legitimate website URL (e.g. swgfl.org.uk/login) and the domain the email came from (e.g. firstname.lastname@example.org), it’s a clear warning sign.
One sign of phishing is repeated use of the same URL (or website address) throughout the email. Sometimes there can be several ‘actions’ requested or offered in a phishing email, but closer inspection of the links reveals they all take you to the same place.
For example, if the email is suggesting you should log in to change your password, but also to contact the organisation, and to read their webpage explaining what’s happened, and all of these links have the same URL, that’s a sign of a phishing email.
We’ve even seen examples where the entire email was one big link, so clicking anywhere in the email would forward you to the fake website.
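The sender-domain, generic-greeting and repeated-link checks described above can be automated over a saved message. The script below is an added example, not part of the original article: the sample email is constructed for this example (the sender address, link text and link targets are all invented), and the “organisation domain” is approximated as the last two labels of a hostname, which is a simplifying assumption rather than a general rule.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example: the sender address, link text
# and link targets are all invented and resolve to nothing real.
SAMPLE_EML = """\
From: "Example Bank Support" <security@example-bank-verify.test>
To: customer@example.org
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer,</p>
<p><a href="http://login.examp1e-bank-secure.test/v">Log in to change your password</a></p>
<p><a href="http://login.examp1e-bank-secure.test/v">Contact us</a></p>
<p><a href="http://login.examp1e-bank-secure.test/v">Read our notice at example-bank.test</a></p>
</body></html>
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")

class LinkCollector(HTMLParser):
    """Collect the href of every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])

def registered_domain(host):
    """Naive organisation domain: the last two labels (assumption; fine for .test names)."""
    return ".".join(host.lower().split(".")[-2:])

def check_email(raw):
    """Apply the greeting, sender-domain and link heuristics; return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(body)
    sender_domain = registered_domain(msg["from"].addresses[0].domain)
    # Links whose destination is not on the same domain the email was sent from
    off_domain = [h for h in collector.hrefs
                  if registered_domain(urlparse(h).hostname or "") != sender_domain]
    return {
        "generic_greeting": any(g in body.lower() for g in GENERIC_GREETINGS),
        "sender_domain": sender_domain,
        "links_off_sender_domain": off_domain,
        # Several calls to action that all lead to one place
        "single_destination": len(collector.hrefs) > 1 and len(set(collector.hrefs)) == 1,
    }
```

Run `check_email(open("message.eml").read())` on a saved message to see which of the article’s warning signs it trips; on the constructed sample all three fire.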
If an email is unsolicited or unexpected and contains an attachment, it’s a sign of phishing or other email-based cyber-crime.
Of course, many trustworthy organisations do send attachments to users and customers, so you need to keep in mind those that do, and why they do it (back to the ‘tone and purpose’ above).
Attachments can contain ‘malicious payloads’ (the parts that cause harm to your computer). Ones to be particularly careful with are: