While the name sounds light-hearted, phishing is a serious attempt to steal information; passwords, account credentials, social security numbers, bank details and more. Phishing scams rely on email, text messaging or phone calls to coerce people into divulging these sensitive details. 

Phishing attacks prey upon human nature. People inherently want to obey workplace superiors, and to exude a sense of generosity, warmth and kindness. But it doesn’t always pay…

Roughly 90% of all cyber attacks start with a phishing email. And sixty-five percent of attacks involve spear phishing.

14 Phishing red flags to watch out for

Whether you’re well-versed in phishing campaign styles or worrying about how to keep track of everything to monitor for, these phishing red flags can help you protect your networks, your customers, and your career.

1. Sense of urgency or threatening language. Phishers use emotionally manipulative tactics in order to persuade people to click. For example, a phisher might send a text message saying “This is a notice from law enforcement in [your city]. Your immediate response is necessary”. The enclosed link may deliver malware or direct individuals to a phishing site.

2. Unfamiliar sender or recipients. Experts generally advise people to avoid opening emails from unknown senders. These messages can contain executable code designed to launch immediately upon clicking on an embedded link or an attachment. After deleting emails from unknown senders, they no longer remain a threat.

It is also worth noting that hackers can “spoof” a sender’s address. In other words, hackers can make malicious emails appear as though they come from someone who a receiver knows. If unsure about the authenticity of an email, contact the alleged sender through an alternative channel to confirm.

3. Spelling and grammatical errors. Phishing messages used to commonly contain poor spelling and grammatical errors. Hackers are growing increasingly sophisticated, and are less prone to these types of slip ups than in years past, however, you might still be able to identify a phishing attempt based on clumsy language use.

One major complication within this identification technique is that it assumes everyone is a native speaker of the language in which they’re receiving emails. In diverse cosmopolitan metropolises, for example, many employees may not be able to recognize subtle linguistic inaccuracies.

4. Request for payment or personal details. Any requests for money or personal details are phishing red flags.

In many instances, the emails tell a compelling story – they include fake invoices, request a payment, say that you’re eligible for a government refund, ask people to verify information, tell people that a coupon for a big-ticket item is available…etc.

They can even appear to come from well-known businesses that do indeed regularly request payment updates or that may occasionally experience issues processing your payment.

5. A generic greeting. Phishing emails are commonly distributed en-masse and may contain extremely generic-sounding greetings. For example, a fair portion of them start out with “Hello Dear” or “Hi,”. A lack of personalization within the greeting is a red flag.

6. Compelling subject lines. The most-clicked phishing emails include seemingly generic, yet fear-inducing subject lines. One research study shows that these subject lines receive the highest number of clicks:

  • Official Data Breach Notification (14%)
  • UPS Label Delivery 1ZBE312TNY00015011 (12%)
  • IT Reminder: Your Password Expires in Less Than 24 Hours (12%)
  • Change of Password Required Immediately (10%)
  • Please Read Important from Human Resources (10%)
  • All Employees: Update your Healthcare Info (10%)
  • Revised Vacation & Sick Time Policy (8%)
  • Quick company survey (8%)
  • A Delivery Attempt was made (8%)
  • Email Account Updates (8%)

7. Enabling macros. On some occasions, Word documents contain content that can only be viewed by “enabling macros”. In instances when this is the case, Microsoft Word prompts users to click on a yellow button that says “enable content”.

Cyber criminals can hide the trigger that activates and operates malicious software within this action. Messages that prompt users to enable macros represent clear phishing red flags. Recipients of emails that require the enablement of macros should contact the sender directly to verify the reason for macro enablement.

8. Compelling call to action. The top five phishing scams use compelling language and include phrases like ‘expires in 4 hours,’ ‘click now’ and ‘Get information here’.

9. Too good to be true. Winning the lottery is an unlikely prospect. And winning a lottery that you didn’t enter is an impossible feat. Similarly, an email containing information about a prize or award notification may also be a phishing email. Avoid clicking on links in order to claim a prize. If you might have actually won a prize, contact the sender through a secondary channel to confirm.

10. Mismatching information. Do you listen to true crime podcasts? Put all of your learning to use as you attempt to piece together whether or not all of the elements within an email seem coherent. If the sender’s email address doesn’t seem to correspond to the organization from which the email is ostensibly from, that’s a sign of phishing.

11. Blurry or clumsy design work. Some cyber criminals create clones of legitimate logos that appear exact. But others really need to hire a graphic designer. When trying to spot a phishing email, look out for weird logos, image-only emails, and poor design formatting. If unsure about the legitimacy of the sender, reach out to the group via a different channel.

12. Hi, it’s Alex in sales. An email from someone who is purportedly new within the organization or that claims to be from “[common first name] in the sales division” might actually be from a cyber adversary using social engineering techniques. The age of remote work makes it particularly challenging to parse apart legitimate emails of these types from malicious doppelgangers. This is especially true in large organizations with thousands of employees.

Individuals who receive these types of emails can always request information about who the sender’s supervisor is, and loop others into the conversation as needed.

13. The fake LinkedIn profile. Although an unsolicited email may contain a tidy-looking sign off and signature, the sender may still not be legitimate. If wondering about the number of hackers who would bother creating a fake LinkedIn profile to include at the close of an email, the answer is many more than you might think.

If examining a LinkedIn profile, items such as a missing profile photo, limited company information, and/or few connections are all red flags. The absence of information or people associated with an individual suggests a phishing attempt.

14. Email seems ‘off’. Humans recognize and relate to one another through consistent linguistic patterns. If you receive an email from a colleague that sounds nowhere-near their typical email tone, use a non-email channel to confirm the validity of the email with the sender. A few simple precautionary measures could prevent your organization from experiencing a major data breach.

Phishing red flags best practices

  • As noted throughout this article, if you spot phishing red flags, verify the email with the sender via a non-email channel.
  • Individuals can also report phishing emails to IT departments or cyber security teams.
  • Deploy anti-phishing technologies that can isolate threats and prevent incidents.

In conclusion

Phishing red flags appear in numerous different forms. Learn how to recognize them and know how to both verify emails and report potential incidents. Ninety percent of cyber attacks start with phishing attacks, and incidents can cost organizations millions of dollars.

Think before clicking. A thoughtful approach to the emails that you receive in your inbox can prevent your organization from contending with potential catastrophes.

Lastly, for more information about phishing red flags, see CyberTalk.org’s past coverage. Or download this anti-phishing eBook.