
Published: Jun 07, 2023

Your email inbox is likely a busy location, as most users receive dozens of messages from retailers, banks, schools, employers and friends daily. You might also have numerous emails in your junk folder, which you'll typically ignore without a second thought.

However, cybercriminals can sometimes maneuver around your email spam filters and into your inbox by pretending to be a reputable company. This scenario can be dangerous because you might open an email you believe is from a brand you trust, only to fall victim to a phishing scheme.

Save yourself from significant hassle by learning how phishing emails work and some telltale signs one has arrived in your inbox. Keep reading to learn how to spot a fake email and what to do if you see one in your inbox or if hackers successfully victimize you.

What is phishing?

Phishing is a form of social engineering where an attacker sends an email or text message while posing as a legitimate organization. They do this to trick you into revealing personal or financial information or downloading malware. These cybercriminals then use the data they obtain to access your accounts or data, leading to financial losses and potential identity theft.

In many cases, a phishing email looks similar to a message you might receive from a brand you typically shop at, such as Amazon or Apple. This impersonation is called spoofing. When you click the offer in the email, the page could ask for your credit card number or account information. These offers typically create a sense of urgency by limiting the offer's timeline, so you click the link without scrutiny, which can lead to significant financial losses.

Email phishing can also install ransomware on your phone or computer. Ransomware is an extortion scheme where hackers lock your device and demand payment for its release. They might also threaten to reveal your search history or other personal information if you don't comply.

Phishing is popular with cybercriminals because it has a low entry barrier and can create high-value returns. Phishing emails are also easy to develop, require little technical knowledge and depend on just one user clicking to succeed.

That's led to a lot of headaches for a lot of people. According to the FBI's Internet Crime Complaint Center, internet users lost over $52 million to phishing schemes in 2022 alone. That's a significant number, and it could grow as cybercriminals become more sophisticated with their techniques. Learning how to spot a scam email can help protect you against these unsolicited messages and the damage they can do. The result is a safer online experience for you and your family.

Phishing email examples

Phishing scammers want to trick you into taking some sort of action, which could include the following:

  • Clicking a link
  • Changing a password
  • Paying an invoice
  • Transferring money or data

Before you jump on an email offering to help you reopen a suspended bank account or promising cash from the government, check for some common red flags.

The message is sent from a public domain

Legitimate companies send emails from addresses using the corporate domain name. So, if you receive an email offer from Apple, the sender's email address should include @apple.com. Emails claiming to be from a company but using a public domain like @yahoo.com or @outlook.com are typically fake because brands won't use those domains for marketing messages.

As an employee of a particular company, you could also receive messages sent from a public email domain. These emails could pretend to be from the organization's CEO or another worker, for instance, but are trying to trick you into clicking a link and revealing your account information.

The domain's name is misspelled

Another telltale sign of a fake email is a misspelled domain name. Scammers can easily purchase domains that are a letter or two different from a reputable one and send phishing emails from them. It's a good idea to check the sender's address in the email header for a misspelled domain name before opening an email, which reduces the chances of falling for one.

The email is poorly written

Generic greetings and grammatical errors commonly appear in phishing messages. Companies that legitimately acquire your contact information will use your actual name because they have that data available. A scammer is less likely to know your name, so they'll use a more general introduction.

Grammatical errors appear in the email body because these cybercriminals aren't likely to hire professional writers or editors to assist with their messages. As a result, the text is typically poorly written and full of easy-to-spot mistakes.

The email includes suspicious attachments or links

Opening a suspicious email doesn't necessarily mean you're in trouble. The next steps you take are vital, and if you learn how to tell if an email is a scam, you can prevent yourself from falling victim. Items to look for in the email's body include the following:

Suspicious links

Closely examine any URLs before clicking on them. If an email looks suspicious, don't click on any links. Instead, hover your mouse over the link to see where it will take you and whether it's an actual site from the company that supposedly sent the email.

Infected attachments

Attachments can also be dangerous, as they can load malware onto your computer. Always verify that the email is from who it says it's from before downloading anything. Better yet, see if the downloadable content is available directly through the brand's website and get it from there.
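
The sender-domain and link checks described above can be run automatically over a message. The following Python code is an added example, not part of the original article: it flags a public-domain sender, a sender domain within two edits of the brand's domain, and links whose real destination is outside the brand's domain. The names brand.example and brand-support.test, the short PUBLIC_DOMAINS list and the two-edit threshold are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

PUBLIC_DOMAINS = {"yahoo.com", "outlook.com", "gmail.com"}  # assumed short list

def edit_distance(a, b):
    """Levenshtein distance: finds domains 'a letter or two' off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def belongs_to(host, brand):  # the brand domain itself or any subdomain of it
    return host == brand or host.endswith("." + brand)

class LinkHosts(HTMLParser):
    """Collects the real destination host of every <a href>, not its visible text."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host.lower())

def red_flags(raw, brand_domain):
    """Assumes a single-part, unencoded HTML message claiming to be from brand_domain."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = []
    if sender in PUBLIC_DOMAINS:
        flags.append("public-domain sender: " + sender)
    elif not belongs_to(sender, brand_domain):
        near = edit_distance(sender, brand_domain) <= 2
        flags.append(("lookalike" if near else "unrelated") + " sender domain: " + sender)
    links = LinkHosts()
    links.feed(msg.get_payload())
    flags += ["link leaves brand domain: " + h for h in links.hosts if not belongs_to(h, brand_domain)]
    return flags

# Constructed sample; brand.example and the .test host are reserved placeholder names.
SAMPLE = ("From: Brand Support <help@brnad.example>\nContent-Type: text/html\n\n"
          '<a href="https://login.brand-support.test/verify">Restore access</a> '
          '<a href="https://www.brand.example/help">Help</a>\n')
print(red_flags(SAMPLE, "brand.example"))
```

A message that raises none of these flags is not proven safe; the checks only cover the sender address and link destinations.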

The message itself creates a sense of urgency

Brands want your business, but they also understand it takes time to decide and don't want to rush you too much. Criminals sending malicious emails know you're more likely to make a mistake when you're in a hurry. This is why they'll create a false sense of urgency to get you to send your credit card or other information without thinking about it. Be wary of any offers you receive with tight timelines for acceptance because they could be examples of cybercrime.

How to stop phishing attempts

The best thing you can do to protect yourself against phishing emails is to be vigilant. You don't necessarily have to double-check for every red flag in every message you receive, but trust your instincts. If an email seems at all fishy or creates panic, making you feel like you have to immediately accept an offer, take those extra precautions to ensure you're not giving bad actors free rein over your personal information or compromising your computer system.

Keep in mind that Amazon, Target, banks or any other organizations scammers pretend to be from probably aren't going to ask you for financial information or account numbers via email or social media. These brands have more secure ways to communicate with you when sensitive information is necessary, and you can always call their customer service lines with your concerns. Don't use the phone number in the email, though. You should always look it up on the brand's official website.

It's also advisable to back up your work and personal email data regularly and set up multi-factor authentication. That way, if a scammer does get their hands on your username or password, they still can't access your information. Investing in some high-quality security software also protects against cyber attacks.

How to report phishing

If a suspicious email sneaks into your work inbox, report it to your IT administrator and ask your colleagues if they've gotten similar messages. Scammers sometimes target many people at once, including employees at the same company, so this can prevent others in your circle from getting tricked and potentially avoid a company-wide data breach. When forwarding a suspicious email to IT or your colleagues, change the subject line to note that it may be a case of phishing and explain what makes it suspicious.

For personal email, you can forward potential phishing scams to the Anti-Phishing Working Group (APWG) at reportphishing@apwg.org. This group includes security vendors, financial institutions, law enforcement agencies and ISPs, so it's a legitimate resource. You should also inform the company or person the spoofing email impersonated and get in touch with the FTC.

Email providers, such as Microsoft Outlook and Gmail, have options for you to report emails as phishing attempts by just clicking a button next to the email. Clicking this button blocks additional messages from that address and lets the service provider know about the scam.

Spotting a phishing email FAQs

What should you do if you fall for email scams?

Immediately taking action is essential if you fall for an email scam. Start by changing your email password and the passwords to any accounts associated with that address, such as online banking, utility and online retailer accounts. You'll then want to notify at least one of the three major credit bureaus — Experian, Equifax and TransUnion — and inform your credit card companies of the breach. Letting the Federal Trade Commission (FTC) know about the breach is advisable. It may also be necessary to update your antivirus and anti-malware programs and run a thorough scan, particularly if you click a link that downloads malicious software onto your device.

How can you get online help with phishing emails?

Online assistance with phishing emails is available in numerous locations. If you fall victim to a scam, you can visit the FTC's Identity Theft page to learn more about your rights and the next steps to take. Many reputable businesses offer phishing support, too, as companies such as Apple, PayPal and Google allow you to report phishing emails directly. From there, these companies will investigate the claims and work to prevent future phishing emails.

How can you avoid phishing emails and online scams?

The primary way to protect yourself from phishing scams is to learn how to spot a fake email. Spoof emails can be challenging to filter out, but by looking at the domain name that sent the message and double-checking any links before clicking them, you can limit the chances you'll fall for a phishing scheme and protect yourself online. If anything in an email looks suspicious or too good to be true, don't click on any links until you're certain the message is from a reputable source.

You fell for a phishing email. Now what?

Mistakes happen, but creating a phishing email what-to-do list and carefully following it can put you on the track to recovery. For instance, if you fall for a phishing scam through your work email, immediately alert your IT department so they can mitigate the damage on their end and stop it from spreading.

If the breach happened through your personal email, run an antivirus scan on your computer by downloading and installing the necessary software. This software will identify and remove any malware that appears before it can damage your device or leak your data.

You'll also want to change your passwords across all accounts, particularly your financial ones, and inform your bank and credit card company of the issue. If you believe a hacker has access to your banking information, call your bank and ask to close your account and open a new one. You can also set up two-factor authentication to prevent unauthorized access to your accounts.

Additional steps could be necessary, depending on what kind of information you gave the scammer. In cases where you sent your Social Security number, informing the FTC of the incident and signing up for regular credit reports can keep you informed of any changes that appear. You should also file your taxes early to get a jump on the scammer trying to do the same and consider placing a credit freeze through one of the three major bureaus.

Falling for a phishing scheme can create significant anxiety as you wait for an outcome, but taking a proactive approach can put you in a better position. The result is less damage to your finances or your company and a faster resolution to this issue.