EXECUTIVE SUMMARY:

While the name sounds light-hearted, phishing is a serious attempt to steal information: passwords, account credentials, social security numbers, financial details and more. Phishing scams rely on emails, text messages or phone calls to coerce people into divulging sensitive details about a business or about themselves.

Phishing attacks use psychological tricks, preying upon human nature. People naturally want to obey workplace superiors and to be seen as generous, warm and kind. Phishers leverage these instinctive behaviors for criminal gain.

Roughly 90% of all cyber attacks start with a phishing email. Thirty percent of phishing emails are opened, and more than 40% of employees report having accidentally clicked on potentially malicious content. Share these 10 signs of phishing with your colleagues and peers during Cyber Security Awareness Month.

10 phishing red flags to watch out for

Whether you’re well-versed in phishing campaign styles or worried about how to keep track of everything there is to monitor, these phishing red flags can help you protect your networks, your customers and your career.

  1. Sense of urgency or threatening language. Phishers use emotionally manipulative tactics to pressure people into clicking. For example, a text message might read “This is a notice from law enforcement in [your city]. Your immediate response is necessary.” The enclosed link may deliver malware or lead to a credential-harvesting page.
  2. Unfamiliar sender or recipients. Experts generally advise against opening messages from unknown senders; an embedded link or attachment can deliver code that runs as soon as it is clicked. A message from an unknown sender that is reported and deleted without being opened is no longer a threat. Note, too, that attackers can “spoof” a sender: the display name may show a colleague’s name, or even a legitimate-looking address, while the actual sending address sits on a lookalike domain, and a Reply-To header can quietly redirect replies to a third party. If unsure about an email’s authenticity, contact the alleged sender through an alternative channel to confirm.
  3. Spelling and grammatical errors. Phishing messages once commonly contained poor spelling and grammar. Attackers have grown more sophisticated and are less prone to such slips than in years past, but clumsy language can still give an attempt away. One complication with this check is that it assumes everyone is a native speaker of the language in which they receive email; in diverse, cosmopolitan workplaces, many employees may not recognize subtle linguistic inaccuracies.
  4. Request for payment or personal details. Any request for money or personal details is a red flag. In many instances the email tells a compelling story: a fake invoice, a payment request, a supposed government refund, a request to “verify” information, or a coupon for a big-ticket item. Such messages can even appear to come from well-known businesses that do regularly request payment updates or occasionally have trouble processing a payment.
  5. Enabling macros. Some Office documents (Word and Excel files in particular) arrive with content that can supposedly only be viewed by “enabling macros”; Office displays a yellow bar with an “Enable Content” button. Criminals hide the trigger for their malicious code behind that click. Messages that prompt users to enable macros are a clear red flag, as are macro-enabled attachment types such as .docm and .xlsm. Recent Office versions block macros in files downloaded from the internet by default, so a lure that walks the reader through working around that block is doubly suspicious. Recipients should contact the sender directly to verify why macros would be needed.
  6. Too good to be true. Winning the lottery is unlikely; winning a lottery you never entered is impossible. Likewise, an email announcing a prize or award may well be a phishing email. Avoid clicking links to claim a prize. If you might actually have won something, contact the sender through a secondary channel to confirm.
  7. Blurry or clumsy design work. Some criminals produce exact clones of legitimate logos; others clearly need to hire a graphic designer. Look out for odd logos, image-only emails and poor formatting. If unsure about the legitimacy of the sender, reach out to the organization via a different channel.
  8. Hi, it’s Alex in sales. An email from someone who is purportedly new to the organization, or who claims to be “[common first name] in the sales division”, may come from an adversary using social engineering techniques. Remote work makes it particularly hard to tell legitimate emails of this type from malicious doppelgangers, especially in organizations with thousands of employees. Recipients can always ask who the sender’s supervisor is and loop others into the conversation as needed.
  9. The fake LinkedIn profile. A tidy-looking sign-off and signature do not make an unsolicited email legitimate. Far more attackers than you might think will bother to create a fake LinkedIn profile to reference at the close of an email. When examining such a profile, a missing photo, sparse company information and few connections are all red flags; the absence of information or people associated with the individual suggests a phishing attempt.
  10. Email seems ‘off’. People recognize and relate to one another through consistent linguistic patterns. If an email from a colleague sounds nothing like their usual tone, use a non-email channel to confirm its validity with the sender. A few simple precautions can prevent a major data breach.
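To make red flags 1, 2 and 5 concrete, here is an added example (written for this rewrite, not code from the original article or from CyberTalk.org) that scores one raw email for them: a display name that embeds a different address than the real sender, a Reply-To pointing at another domain, an envelope sender that differs from the From address, a lookalike of the organization’s own domain, failing SPF/DKIM/DMARC verdicts recorded by the receiving mail server, urgency phrases, an “enable content” lure and macro-enabled attachments. The two messages, the OUR_DOMAIN value and every domain other than the placeholder example.com are constructed for illustration.

```python
"""Heuristic phishing red-flag checks over a raw email (added example, not
CyberTalk.org code). Both sample messages are constructed; every domain except
the placeholder example.com is hypothetical. Standard library only, Python 3.9+."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
URGENCY = re.compile(
    r"\b(urgent|immediate(ly)?|within 24 hours|final notice|act now|"
    r"(account|mailbox) (will be )?suspended|verify your (account|identity))\b",
    re.IGNORECASE)
MACRO_PROMPT = re.compile(r"\benable (content|macros|editing)\b", re.IGNORECASE)
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw: bytes) -> list[str]:
    """Return 'category: detail' red flags for one message; [] means none fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    # Red flag 2 (spoofed sender): a display name that carries a different
    # address than the one that actually sent the mail is display-name spoofing.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", from_name):
        if domain_of(shown) != from_dom:
            flags.append(f"display-name-spoof: shows {shown}, sent by {from_addr}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_dom:
        flags.append(f"reply-to-mismatch: replies go to {reply_to}")
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and domain_of(return_path) != from_dom:  # soft signal: bulk mailers do this too
        flags.append(f"envelope-mismatch: {return_path}")
    if from_dom and from_dom != OUR_DOMAIN and not from_dom.endswith("." + OUR_DOMAIN) and (
            edit_distance(from_dom, OUR_DOMAIN) <= 2 or OUR_DOMAIN.split(".")[0] in from_dom):
        flags.append(f"lookalike-domain: {from_dom}")
    auth = str(msg.get("Authentication-Results", ""))  # verdicts stamped by the receiving MTA
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            flags.append(f"auth-fail: {mech}={m.group(1)}")
    # Red flags 1 and 5: urgency language, 'enable content' lures, macro files.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        flags.append("urgency: " + ", ".join(hits))
    if MACRO_PROMPT.search(text):
        flags.append("macro-prompt: reader is told to enable content/macros")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            flags.append(f"macro-attachment: {name}")
    return flags

# Constructed lure: lookalike domain, spoofed display name, urgency, macro document.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@mail-exarnple.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-exarnple.com; dkim=none; dmarc=fail
From: "IT Helpdesk <helpdesk@example.com>" <alerts@exarnple.com>
Reply-To: helpdesk-support@exarnple-verify.net
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your mailbox will be suspended. Open the attached form and enable content to continue.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="Account_Form.docm"

stub
--b1--
"""

# Constructed internal mail that should raise nothing.
SAMPLE_LEGIT = b"""\
Return-Path: <alex@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: Alex Rivera <alex@example.com>
Subject: Notes from today's sync
Content-Type: text/plain; charset="utf-8"

We agreed to move the review to Thursday; no action needed before then.
"""
```

None of these signals is proof on its own (legitimate bulk mailers use a separate bounce domain, and a vendor’s Reply-To may point at a ticketing system), which is why check_message returns a list of flags for a person or mail gateway to weigh rather than a block decision. Point it at a saved .eml file’s bytes to try it on real mail.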

Phishing red flags best practices

  • As noted throughout this article, if you spot phishing red flags, verify the email with the sender via a non-email channel.
  • Individuals can also report phishing emails to IT departments or cyber security teams.
  • Deploy anti-phishing technologies that can isolate threats and prevent incidents.

In conclusion

Phishing red flags appear in many forms, and even the most careful employees can fall for a scam. Incidents can cost organizations millions of dollars in remediation and losses.

Share these phishing red flags with your colleagues and peers, and be sure to implement the technological solutions that will assist your organization in reducing phishing risks.

Lastly, for more information about phishing red flags, see CyberTalk.org’s past coverage. For security admin insights into phishing prevention, and information about how to upgrade your phishing prevention strategy, see this eBook.