"You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time." –Abraham Lincoln

David Ellis, Director of Forensic Investigations
By: David Ellis
Are you sure that email from UPS is actually from UPS? (Or Costco, BestBuy, or the myriad of unsolicited emails you receive every day?) Companies and individuals are often targeted by cybercriminals via emails designed to look like they came from a legitimate bank, government agency, or organization. In these emails, the sender asks recipients to click on a link that takes them to a page where they will confirm personal data, account information, etc.

SEE ALSO: Fighting Phishing Email Scams: What You Should Know


This technique is called phishing, and it’s a way hackers con you into providing your personal information or account data. Once your info is obtained, hackers create new user credentials or install malware (such as backdoors) into your system to steal sensitive data.

SEE ALSO: Examples of common phishing attempts.

It’s often difficult to distinguish a fake email from a verified one, however most have subtle hints of their scammy nature.Here are seven ways to help you recognize a phishing email and maintain email security.


1. Legit companies don’t request your sensitive information via email

Chances are if you receive an unsolicited email from an institution that provides a link or attachment and asks you to provide sensitive information, it’s a scam. Most companies will not send you an email asking for passwords, credit card information, credit scores, or tax numbers, nor will they send you a link from which you need to login.


Global Pay phishing example
Notice the generic salutation at the beginning, and the unsolicited web link attachment?

2. Legit companies call you by your name

Phishing emails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with required information about your account, the email would call you by name and probably direct you to contact them via phone.


Best Buy phishing example
Sir/Madam? Also, what's up with the 17 in the middle of the sentence?

3. Legit companies have domain emails

Don’t just check the name of the person sending you the email. Check their email address by hovering your mouse over the ‘from’ address. Make sure no alterations (like additional numbers or letters) have been made. Check out the difference between these two email addresses as an example of altered emails: michelle@paypal.com michelle@paypal23.com Just remember, this isn’t a foolproof method. Sometimes companies make use of unique or varied domains to send emails, and some smaller companies use third party email providers.
Costco phishing example
"Costco's" logo is just a bit off. This is what the Costco logo is supposed to look like.
See the difference? Subtle, no?


4. Legit companies know how to spell

Possibly the easiest way to recognize a scammy email is bad grammar. An email from a legitimate organization should be well written. Little known fact – there’s actually a purpose behind bad syntax. Hackers generally aren’t stupid. They prey on the uneducated because they are easier targets.
Eubank phishing example
Notice the apostrophe in the word 'friends'? Me neither. Other than that tiny grammar mistake, this is a very convincing email.


5. Legit companies don’t force you to their website

Sometimes phishing emails are coded entirely as a hyperlink. Therefore, clicking accidentally or deliberately anywhere in the email will open a fake web page, or download spam onto your computer.
USPS phishing example
This whole email is likely a gigantic hyperlink.


6. Legit companies don’t send unsolicited attachments

Unsolicited emails that contain attachments reek of hackers. Typically, authentic institutions don’t randomly send you emails with attachments, but instead direct you to download documents or files on their own website.


Like the tips above, this method isn’t foolproof. Sometimes companies that already have your email will send you information, such as a white paper, that may require a download. In that case, be on the lookout for high-risk attachment file types include .exe, .scr, and .zip. (When in doubt, contact the company directly using contact information obtained from their actual website.)
Accounting phishing example
Just remember, curiosity killed the cat.


7. Legit company links match legitimate URLs

Just because a link says it’s going to send you to one place, doesn’t mean it’s going to. Double check URLs. If the link in the text isn't identical to the URL displayed as the cursor hovers over the link, that's a sure sign you will be taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct, or doesn’t match the context of the email, don’t trust it. Ensure additional security by hovering your mouse over embedded links (without clicking!) and ensure the link begins with https://.
Nokia phishing example
Although very convincing, the real Nokia wouldn't be sending you a "Save your stuff" email from info@news.nokia.com
It doesn’t matter if you have the most secure security system in the world. It takes only one untrained employee to be fooled by a phishing attack and give away the data you’ve worked so hard to protect. Make sure both you and your employees understand the telltale signs of a phishing attempt.

Was this post helpful? If so, please share!

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.