What is phishing?
Phishing emails are sent by criminals to thousands of random people in the hope of stealing financial or other confidential information.
They might direct you to a fake website that asks for your personal information, or include an attachment which installs a virus or other malware on your computer when you open it.
Phishing attacks aren't just sent by email (although they're the most common) - they can also arrive in an SMS text message (known as "smishing") and even by phone ("vishing").
How to spot a phishing email
Criminals rely on all sorts of human traits to get us to fall for their email scams, whether that's curiosity, panic, or just a desire to help others.
The good news though is that most phishing emails can be easily spotted if you know the warning signs - most will show at least one of the characteristics described below.
Check out our gallery of phishing examples (best viewed on a big screen) to see some of the tricks used - do any of these look familiar to you?
You should also take a look at our Email Scams page; here you'll see a collection of other types of email scam that are all too common.
1) Unexpected
I'm not expecting any payment from this company...
Most phishing emails are sent out at random. Even when, by chance, an email appears to come from a company you do have an account with, the fact that it's unexpected should always make you question it.
Always pause & ask:
- Is this email expected? If it's for a delivery you're not expecting, a product you've not bought, a payment you're not owed, or an invoice you know nothing about, then it's probably a scam.
- Do you even know the company or person it's meant to be from?
A phishing email taking advantage of the global WannaCry outbreak.
Some scammers also take advantage of major news events to make their emails seem genuine. In May 2017, fraudsters made use of the global WannaCry ransomware attack to pose as different companies asking customers to verify their security details. Charities are also often impersonated following major disasters.
Another way that phishing emails are made to appear legitimate is by hijacking personal email accounts and sending emails to all of that person's contacts.
If you ever receive anything unusual from a friend, always phone them to ask whether they really sent it. It's easier to do that than to clean up after a malware infection!
Criminals rely on our natural curiosity to open attachments or follow links. Always stop & think!
2) Not personalised
Amazon should surely know my name?
Because email scams are sent out in bulk, most are generic and don't contain anything personal.
- How is the email addressed - is it just to a generic "Dear customer"?
- Does the email contain any other details unique to you? Most legitimate firms will try to prove an email is genuine by including something personal to you that isn't publicly known, such as the last 4 digits of your credit card number.
Be aware that some malicious emails are personalised, so the presence of your name or other details doesn't guarantee that an email is legitimate (some scams, for example, quote a password of yours taken from a hacked website). But the absence of even your name in an email from a company you have dealings with should ring alarm bells.
3) Poorly written
Major corporations would produce professional looking emails - and use spell check!
A lot of cyber crime originates from countries where English isn't the first language. Whilst many phishing emails are very professional-looking and believable, this isn't always the case - poor grammar or spelling in a message that claims to come from a large company is an obvious give-away.
- Does the email have spelling or other grammatical mistakes?
- Does the layout look sloppy and poorly formatted?
4) A sense of urgency or worry
This one is trying to panic me into clicking the link to avoid further fines
To persuade users to open web links or attachments criminals will often give the email a sense of urgency, create worry, or simply try to exploit our natural curiosity.
- Does the email imply you might lose money if you ignore it? For example, is it a confirmation of an order you didn't make (hoping you'll click a malicious link to cancel it), or is it claiming there's a security issue on your account?
- Does it suggest other consequences, such as a court summons or that a bank or other account will be closed if you don't act?
- Does it prey on your curiosity, for example wanting to know who an unexpected parcel is from or who might be sending you an invoice?
5) An attachment
An unexpected attachment - likely to be loaded with viruses!
The objective of many malicious emails is to spread malware, often by fooling you into opening an attachment which then installs the malware on your PC.
Common forms of this attack include:
- Fake invoices;
- Missed parcel notifications;
- Claims of money you're owed;
- False booking confirmations.
If you receive an attachment that you're not expecting, the golden rule is simply not to open it - regardless of what type it is. A Word document, PDF, zip file or spreadsheet can all carry malicious content, so don't assume a familiar file type is safe.
6) Web links that don't match the website
One of the biggest giveaways that an email is not legitimate is the presence of web links that don't match the expected source.
For example, in an email claiming to be from "Acme Bank", any links within it should go to www.acmebank.com - not to a random-looking domain such as sdbryjddvsrg.ru.
- Hover your mouse over any link in the email. Either in a little pop-up, or at the bottom (sometimes bottom-left) of your email program, you should see the real destination of the link. Is the address what you would expect? The text you can see in the email is no guide: it can say "www.acmebank.com" while the link underneath goes somewhere else entirely.
- The link should always be to a page on the company's own website (such as acmebank.com/somepage.html). Be wary of slight differences designed to fool you, such as "acmebankalerts.com" or "acme-security.com", and of addresses such as "acmebank.com.something-else.ru": the website is identified by the last part of the name before the first "/" (here something-else.ru), so the "acmebank.com" at the front counts for nothing.
If the email is claiming to be from a company that you already have an account with, then the best thing to do is manually type their web address into the browser bar (use an address you know belongs to them - not the one in the email) and log in to your account that way to look for any messages. Never click on any link you're not sure about!
For further advice on how to read & understand domain names see our guidance here.
7) An unusual "From" address
Why would Apple be sending me an invoice from Shaw in Canada?
Who sent the email? If the "From" address doesn't belong to the company the email claims to come from, that's another immediate red flag.
"From" addresses can easily be spoofed, so never trust one just because it looks legitimate. Check the actual address rather than just the display name: many email programs show only the name (e.g. "Acme Bank") and the address behind it can be something completely different. But if the criminals haven't even bothered to mask the address, it's an obvious giveaway.
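The two checks above (does the "From" address belong to the claimed company, and does each link really lead to that company's own website rather than a look-alike?) can be done by hand with a hover and a careful read, but they are also easy to script. The following is an added example and not code from this page: it parses one constructed message (made-up addresses and domains, not a real phish), compares the display name with the real sender domain, and labels every link as ok, a text mismatch (the visible text shows the genuine site but the destination doesn't), a look-alike containing the brand name, or an unrelated domain. The "Acme Bank" domain list, the brand words and the short list of two-label suffixes are assumptions for the example; real tooling should use the Public Suffix List to find the registered domain.

```python
"""Triage the "From" address and the web links in a suspicious email.

Added example, not code from the original article.  It parses one
constructed message and applies two of the article's checks: does the
real From address belong to the company the display name claims, and
does each link really lead to that company's own website?
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the domain(s) the fictitious "Acme Bank" really uses, and
# brand words whose presence in some *other* domain marks a look-alike.
ACME_DOMAINS = {"acmebank.com"}
BRAND_WORDS = {"acme"}

# Approximation of the registrable domain: the last two labels, or three
# under a few well-known two-label suffixes (real code: Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registered_domain(host):
    """'login.acmebank.com' -> 'acmebank.com'; 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def host_of(s):
    """Hostname of a URL, or of bare text like 'www.acmebank.com/help'
    (parsed as a scheme-less URL); '' if it cannot be parsed."""
    try:
        return urlparse(s if "://" in s else "//" + s).hostname or ""
    except ValueError:
        return ""


def check_from(msg, expected_domains):
    """Display name versus the real address.  Returns (ok, details)."""
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    ok = registered_domain(domain) in expected_domains
    return ok, {"display_name": name, "address": addr, "domain": domain}


class LinkCollector(HTMLParser):
    """Collects (href, visible text): what hovering shows vs what you see."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text, expected_domains, brand_words):
    """Return 'ok', 'text-mismatch', 'lookalike' or 'unrelated'."""
    host = host_of(href)
    if registered_domain(host) in expected_domains:
        return "ok"
    # Visible text shows the genuine site but the destination is elsewhere:
    # the classic hover-and-compare giveaway.
    if registered_domain(host_of(text)) in expected_domains:
        return "text-mismatch"
    # acmebankalerts.com, acme-security.com, acmebank.com.evil.example ...
    if any(w in host.replace("-", "") for w in brand_words):
        return "lookalike"
    return "unrelated"


def triage(raw, expected_domains, brand_words):
    """Parse a raw message and run both checks; returns a report dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_ok, sender = check_from(msg, expected_domains)
    collector = LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector.feed(body.get_content())
    links = [(h, t, classify_link(h, t, expected_domains, brand_words))
             for h, t in collector.links]
    return {"from_ok": from_ok, "sender": sender, "links": links}


# Constructed sample message (not a real phish); every domain is made up.
RAW_EMAIL = """\
From: "Acme Bank Security" <alerts@acmebank-notifications.com>
To: customer@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer,</p>
<p>Please <a href="http://sdbryjddvsrg.ru/login">verify your account</a>
within 24 hours to avoid further fines.</p>
<p>Or sign in at <a href="https://acmebank.com.verify-account.ru/">www.acmebank.com</a></p>
<p><a href="https://acme-security.com/reset">Reset your password</a></p>
<p>Help centre: <a href="https://www.acmebank.com/help">www.acmebank.com/help</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = triage(RAW_EMAIL, ACME_DOMAINS, BRAND_WORDS)
    print("From address OK:", report["from_ok"], report["sender"])
    for href, text, verdict in report["links"]:
        print(f"{verdict:13} {text!r:26} -> {href}")
```

Run as-is, the script reports that the sender domain (acmebank-notifications.com) is not Acme's, and labels the four links unrelated, text-mismatch, lookalike and ok in turn. The look-alike test is deliberately crude (brand word anywhere in the host); its job is to catch the examples in the text, not to replace a proper reputation check.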
What to do next?
If you've already acted on an email that you're suspicious of, for example following a suspicious web link or opening an attachment, then take a look at what to do next.
If you've not done anything with it yet though then the safest thing is to simply ignore the email & delete it. Easy!
But if you can't obviously classify it as fake, and if it looks like one which perhaps you shouldn't ignore, then try the following:
- Check online: If the email claims to be from a company you have an account with already then login to it. Don't click on any links in the email - open your browser & type the web address directly. If the email was genuine you'll normally see the same message in your account.
- Phone them up: Try phoning the company or organisation. Do a web search for their phone number (don't trust anything in the email) or, if you're a customer of theirs already, look for a phone number on a previous email or letter that you know to be from them.
But what if it is a genuine email?
Ignoring emails can feel like the wrong thing to do if there could be consequences should it indeed be genuine.
So, if you've not been able to rule the email out as being malicious, and if it's one that you just don't want to risk ignoring, then follow our advanced steps here for assessing emails. Beware - this page gets technical so it isn't for everyone; you may want a technical friend to help out!