So many aspects of our lives can be found in our email inboxes. Messages from our banks on recent transactions, promotions from our favorite places to shop, updates from school, work, daycare … the list goes on.
It’s no surprise, then, that when we get an email from an organization we recognize (or think we recognize) most of us tend to open it without giving it a second thought. But that can be extremely dangerous.
Phishing emails, which cybercriminals use to steal personal and sensitive information from unsuspecting people, are getting more and more convincing. Even two tech giants, Facebook and Google, were duped out of more than $100 million total in 2013 and 2015 when scammers posing as a computer manufacturing company emailed employees with fake invoices and contracts.
Those bad actors were eventually caught, but thousands of new phishing attacks are launched every single day, according to the Federal Trade Commission (FTC). And they’re often successful.
Here’s how to spot a scam email, and what to do if one arrives in your inbox.
What is phishing?
Picture actual fishing: you trick a fish into biting your hook by baiting them with something they want, like a worm.
Phishing (with a “ph”) is a similar concept. The scammer disguises a dangerous message—often with the aim of getting you to click a link or download an attachment—by pretending to be a sender you know. This can look like a sale offer from a place you shop at, a note from your employer or an “urgent message” from a company like Amazon or PayPal. Phishing can be widespread, or it can target specific groups or individuals, like employees of the same company, which is called “spear phishing.”
This scam has been around for decades: the term “phishing” was coined around 1996 by scammers tricking people into sharing their AOL accounts and passwords, according to Computerworld. (The “ph” comes from “phone phreaking,” a term for hacking phone systems, often to make free calls.) So why is it such an appealing tactic for scammers today?
Phishing has a low entry barrier for cybercriminals with a high-value return, says Patrick Wheeler, director of threat intelligence for the cybersecurity company Proofpoint. Phishing emails are easy to create, require little technical knowledge and, most importantly, depend on just one user clicking to succeed.
That’s led to a lot of headaches for a lot of people. In 2019 alone, people lost over $57 million to phishing schemes, the FBI’s Internet Crime Complaint Center reported.
Phishing email examples
Phishing scammers want to trick you into taking some sort of action, Wheeler says. That could include clicking a link, changing a password, paying an invoice or even transferring money or data.
So before you jump on an email that is supposedly helping you “reopen a suspended bank account,” or offering money from the government, check for common red flags.
There are subtle hints you can look out for, like misspellings or poorly written text. Sometimes you can spot a phishing scam based on the email address of the sender. Maybe, for example, the email is coming from an address that ends in @paypal.work.com, instead of just @paypal.com. This tactic is also used to trick employees at a specific company into thinking they’re getting an email from their CEO, so if an email from someone you work with seems off, make sure to compare it to earlier, legitimate emails that person has sent. You should also make sure that the display name—the sender’s full name often shown next to an email address—matches the address it appears with. It’s never a bad idea to ask a company or person directly if the email is legitimate before acting on it.
Sometimes a phishing email gives itself away in how it addresses you. Companies will usually use your actual name, so a note that starts with something generic is suspicious, the FTC notes. Those greetings might look like, “Hi Dear” or “To Valued Customer.”
Be suspicious of URLs, too. If an email looks at all strange, don’t click on any links—instead, hover your mouse over the link so you can see where it will take you, and if it’s an actual site from the company the email supposedly came from. Attachments can also be dangerous, as they can load malware onto your computer, so verify that the email is from who it says it’s from before you download anything.
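The sender-address and link checks described above, as an added example that is not part of the original article: it parses a constructed message (every address and host in it is made up), rejects a sender domain that merely contains the brand name, such as paypal.work.com, and compares each link's visible text with its real target, which is what hovering over the link reveals. The expected domain, paypal.com, is passed in as an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def sender_domain_ok(from_header, expected_domain):
    """True only if the address is at expected_domain or a subdomain of it;
    a lookalike such as paypal.work.com or notpaypal.com is rejected."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return domain == expected_domain or domain.endswith("." + expected_domain)

def mismatched_links(html):
    """Links whose visible text names one host but whose href (what hovering
    over the link reveals) goes to another. Simplified: regex, double-quoted hrefs."""
    bad = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()   # drop tags inside the anchor
        if " " in text or "." not in text:            # plain words like "click here"
            continue
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and urlparse(href).hostname != shown:
            bad.append((text, href))
    return bad

def check_email(raw, expected_domain):
    """Return the article's red flags found in one raw message."""
    msg = message_from_string(raw)
    flags = []
    if not sender_domain_ok(msg["From"], expected_domain):
        flags.append("sender address is not at " + expected_domain)
    for text, href in mismatched_links(msg.get_payload()):
        flags.append(f"link shows {text} but goes to {href}")
    return flags

# Constructed sample message, modelled on the red flags the article describes.
SAMPLE = """\
From: PayPal Support <alerts@paypal.work.com>
Content-Type: text/html

<p>Hi Dear,</p>
<p>Restore access at <a href="http://paypal-verify.example.net/login">https://www.paypal.com/myaccount</a></p>
"""

if __name__ == "__main__":
    for flag in check_email(SAMPLE, "paypal.com"):
        print("RED FLAG:", flag)
```

Run against the sample, it reports both the lookalike sender domain and the link whose visible PayPal URL really points at a different host.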
How to stop phishing attempts
The best thing you can do to protect yourself against phishing emails is to be vigilant. We’re not telling you to double-check for every red flag we’ve listed in every email you receive, but trust your instincts. If an email seems at all fishy—or makes you panic—take those extra precautions to ensure you’re not giving bad actors free rein over your personal information or compromising your computer system. Keep in mind that Amazon, Target or any of the other organizations scammers pretend to be from probably aren’t going to ask you for details like financial information via an email.
For both work and personal email, the FTC recommends backing up your data regularly and setting up multi-factor authentication so that, if a scammer does get their hands on your username or password, they still can’t access your information. Security software, like Avast Free Antivirus, can also protect against cyber attacks.
How to report phishing
If a suspicious email sneaks into your work inbox, report it to your IT administrator and ask your colleagues if they’ve gotten similar messages, Wheeler advises. Scammers sometimes target many people at once—like employees at the same company—so this can help prevent others in your circle from getting tricked. Change the subject line in any forwarded emails to note that it may be a potential case of phishing and explain what makes it suspicious.
For personal email, you can forward potential phishing scams to the Anti-Phishing Working Group at email@example.com, as well as the FTC. Email providers, like Microsoft Outlook and Gmail, also have options for you to report emails as phishing attempts by just clicking a button next to the email itself.
I fell for a phishing email. Now what?
Mistakes happen. If you do fall for a phishing scam on your work email, immediately alert your IT department so they can mitigate the damage on their end and stop it from spreading. If the phish happened on your personal email, install antivirus software and run a full scan of your computer to ensure no malware has been installed. Change your passwords across all accounts, particularly your financial ones, Wheeler advises.
The FTC lists additional steps to take based on what kind of information you gave the scammer. If he got your Social Security number, the agency advises, sign up for regular credit reports, file your taxes early to get a jump on the scammer trying to do the same and consider placing a credit freeze on your report. If he got your banking information, call your bank and ask to close your account and open a new one. Keep a close eye on future transactions: monitor your bank statement for charges you don’t recognize or set up alerts for account balance changes.