Phishing emails are cleverly designed emails sent by scammers who pretend to be legitimate companies. They’re used to steal your personal details, bank account details – whatever they can get their hands on. The Coronavirus crisis has seen a huge rise in phishing emails – it’s important to stay vigilant!
Phishing emails can be devastating if you provide your real details to a fake sender. Below we’re going to look at the main ways to spot a phishing email.
The sender is fake
If in doubt, double check the sender. Do you have an email from a client requesting payment, but you don’t recognise the contact details? Contact your client directly to confirm.
But what if the sender looks real? We’ll go through how to work this out below.
On all email providers, it’s possible to see the full email address of every email that you receive. By default, Outlook for example will show you the name of the email sender, but not the email address:
Here you can see the email in our inbox has been labelled as CEO of PayPal. We know the account can’t really be just that, as a real email address needs an @ sign.
When you create an email account, you can ‘label’ your email account whatever you would like. We’ve done that here, making it look like a legitimate email by labelling it with the name of a popular company.
Let’s open the message to investigate further.
Straight away we can see that the full email address has been included in brackets after the name.
Some email providers don’t show the email address in full here. On most providers’ dashboards you can click on the email account to bring up more information.
Here again is further proof that the fake email we’ve created isn’t actually from PayPal.
If your email provider doesn’t have this function, you can also click reply to see the email address:
We can see the sender of the email in full in the To… field here in Outlook.
ALWAYS check where an email is being sent from if it requests a download, personal details, or bank details. This is the one part of an email address that can’t be faked – where it’s really being sent from.
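The same check can be done automatically on the raw From: header of a message, which is what a mail gateway or a triage script would look at. The script below is an added example, not code from the original article: it separates the label a sender chose from the address in angle brackets, then flags a message whose label or domain claims a brand without actually coming from that brand’s domain. The brand-to-domain table and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed lookup of brands to the domains they send from (example values,
# not PayPal's real list): the check only asks whether a sender that *claims*
# a brand is actually using that brand's domain.
KNOWN_BRANDS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
}


def split_sender(from_header):
    """Return (display name, full address, domain) from a From: header value.

    parseaddr() separates the label a sender chose from the address in angle
    brackets; a bare label with no @ sign comes back with an empty domain.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr, domain


def domain_belongs_to(domain, allowed):
    """True only for an allowed domain itself or a subdomain of it, so
    paypal.com.evil.example does not pass just because it starts with paypal."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(from_header):
    """Return (is_suspicious, reason) for one From: header value."""
    name, addr, domain = split_sender(from_header)
    if not domain:
        return True, "no real address behind the label: %r" % from_header
    for brand, domains in KNOWN_BRANDS.items():
        claims_brand = brand in name.lower() or brand in domain
        if claims_brand and not domain_belongs_to(domain, domains):
            return True, "label or domain claims %s but mail is from %s" % (brand, addr)
    return False, "address %s is consistent with its label" % addr


# Constructed sample headers, including the 'CEO of PayPal' label from the article.
SAMPLE_FROM_HEADERS = [
    "CEO of Paypal <random.person@example.net>",
    '"PayPal" <service@paypal.com>',
    "Security <alerts@mail.paypal.com>",
    "Accounts <accounts@paypal.com.evil.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        suspicious, reason = check_sender(header)
        print("SUSPICIOUS" if suspicious else "ok        ", reason)
```

The subdomain test in domain_belongs_to is the important detail: a domain that merely starts with the brand name (paypal.com.evil.example) is still flagged, because only the part after the last two labels decides who really owns the address.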
Spelling errors, odd phrasing & content
Next we’re going to look at the contents of the email. Occasionally, phishing emails can appear to be near perfect – but once you know what to look for, it becomes easy to tell them apart.
There are lots of signs in this email that give it away:
- Firstly, PayPal will either refer to your account by your username or your name. This email doesn’t know the recipient’s name.
- There are spelling errors or poor grammar – there are several places in this message that have an exclamation mark. Doesn’t seem appropriate for such a serious email, does it?
- Finally – and this is the biggest giveaway – there is the button supplied in the message.
Not only is it now rare for legitimate payment companies (like PayPal, Halifax, HSBC etc.) to link to login pages from their email messages, but the button doesn’t link to the correct website. If you hover over a link in an email message or on a website, you can see where the link will go. Try it below:
This button links to HMRC’s phishing & scam reporting service. Depending on your browser, the link will either pop up by your mouse or at the bottom left-hand corner of your screen.
If you think the email is legitimate & you may need to update your details, NEVER click on the link to the login page from an email message. Go straight to the website & login from there. That way, you always know that you’re giving the right website your details.
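Hovering over a link compares the text you see with the address the link really goes to. The script below does the same comparison over an HTML email body and is an added example, not code from the original article: it collects every link, flags any link whose visible text is a URL for a different site than its real destination, and flags any link that leaves the domains you trust. The sample email and the trusted-domain set are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname part of a URL, lower-cased ('' if the string is not a URL)."""
    return (urlparse(url).hostname or "").lower()


def same_site(host, trusted):
    """True for a trusted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def review_links(html, trusted):
    """Return a list of (problem, visible text, real destination) findings."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        real = host_of(href)
        # If the visible text is itself a URL, compare the site it shows
        # with the site the href really goes to.
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != real:
            findings.append(("link text shows a different site than its destination", text, href))
        elif not same_site(real, trusted):
            findings.append(("link leaves the trusted site", text, href))
    return findings


# Constructed HTML body in the style of the article's fake PayPal message.
SAMPLE_EMAIL = """
<p>Dear customer!</p>
<p>Visit <a href="https://www.paypal.com/">https://www.paypal.com</a> or use the button.</p>
<p><a href="http://paypal-secure.example.net/login">Update your details</a></p>
<p><a href="http://evil.example/x">https://www.paypal.com/account</a></p>
"""
TRUSTED_DOMAINS = {"paypal.com"}

if __name__ == "__main__":
    for problem, text, href in review_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"{problem}: '{text}' -> {href}")
```

Only the href is the real destination; the visible text is whatever the sender typed, which is why the third link in the sample is flagged even though its text looks like a PayPal address.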
Attachments
The final check we recommend is to look at any attachments provided in the email. NEVER download an attachment from an email message unless you are 100% sure what it is.
Luckily, it’s quite easy to check what kind of file has been attached. Hovering over the attachment will allow you to check what file type it is. Below, we’ve got a screenshot of what this looks like in Outlook and Gmail:
The final dot in the file name shows that anything that comes afterwards is the file type. Here, we’ve attached a .png file – an image.
There are plenty of file types available, and a certain few should NEVER be downloaded unless you have explicit permission from your IT provider or have confirmed with the sender that it is legitimate:
Windows
- .EXE – standing for Executable
- .COM – standing for Command
- .BAT – standing for batch file
- .CMD – standing for Command
Apple
- Unix Executable File
- Script
- Terminal
- TerminalShellScript
These file types aren’t documents – they’re files (or applications in the case of Apple) that run or change something on your computer. Not sure if you should download it? If in doubt, don’t.
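The "final dot" rule above is easy to apply by hand for one file and just as easy to automate for a whole mailbox. The script below is an added example, not code from the original article: it takes the text after the final dot, ignores letter case and stray spaces, and blocks the Windows file types listed above. Because only the final extension counts, a name like invoice.pdf.exe is treated as an .EXE, not as a PDF. The Apple entries on the page are the names Finder shows rather than extensions, so the .command and .sh entries in the table are an assumption added for the example (they are the extensions macOS opens in Terminal), not something the article states.

```python
import os

# File types the article says should never be downloaded without explicit
# permission. The two macOS entries are an assumption for this example.
BLOCKED_EXTENSIONS = {
    ".exe": "Windows executable",
    ".com": "Windows command file",
    ".bat": "Windows batch file",
    ".cmd": "Windows command script",
    ".command": "macOS Terminal shell script (assumed mapping)",
    ".sh": "shell script (assumed mapping)",
}


def file_extension(filename):
    """Everything after the final dot, lower-cased; '' if there is no dot.

    os.path.splitext() already applies the final-dot rule, so
    'invoice.pdf.exe' yields '.exe', and a stray trailing space is removed
    before the check so 'invoice.exe ' cannot slip past it.
    """
    return os.path.splitext(filename.strip())[1].lower()


def attachment_verdict(filename):
    """Return (verdict, reason): 'block', 'ok', or 'check' when there is no type."""
    ext = file_extension(filename)
    if not ext:
        return "check", "no file type shown; confirm with the sender before opening"
    if ext in BLOCKED_EXTENSIONS:
        return "block", "%s is a %s, not a document" % (ext, BLOCKED_EXTENSIONS[ext])
    return "ok", "%s file" % ext


def triage(filenames):
    """Map each attachment name to its verdict so a whole message can be reviewed at once."""
    return {name: attachment_verdict(name) for name in filenames}


# Constructed attachment names, including the .png image from the article.
SAMPLE_ATTACHMENTS = ["screenshot.png", "invoice.pdf.exe", "INVOICE.EXE", "README", "notes.txt "]

if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE_ATTACHMENTS).items():
        print("%-6s %-18r %s" % (verdict, name, reason))
```

A name with no extension at all gets "check" rather than "ok": the rule in the article is that you must know what the file is before opening it, and a file that shows no type does not meet that bar.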
Now you know how to spot a phishing email, check out our guide on what to do with them.