Phishing emails are messages designed to trick you into clicking a malicious link, entering your credentials on a fake website, or opening an infected attachment. They are one of the most common ways attackers take over accounts and deliver malware, and they work because they target a person's habits rather than a technical flaw. Learning to recognize them is one of the most useful security skills you can develop.
Red flags to look for
- Urgency and pressure: Messages that say your account will be locked, your payment failed, or you must act within 24 hours are designed to make you react without thinking.
- Unexpected attachments: An attachment you were not expecting from someone you know is suspicious, especially if it is an Office document, ZIP file, or executable.
- Mismatched sender address: The display name is free text chosen by the sender, so it can say Microsoft or your bank while the actual address is something else entirely. Expand or hover over the sender to see the real address and look at the domain after the @. Watch for lookalike domains: extra words, swapped characters (rn for m, 0 for o), or a different ending than the real site uses. A mismatch is a strong warning sign, though some companies do send from a separate notification domain, so when in doubt verify through the company's own website rather than through anything in the email.
- Suspicious links: Hover over a link (or long-press it on a phone) to see where it actually goes; the visible text can show one address while the link points to another. Judge a link by the actual domain it leads to, not by whether the brand's name appears somewhere in it: a brand name used as a subfolder, a subdomain, or part of a longer made-up domain does not mean the site belongs to that brand. If the destination does not match the organization in the email, do not click it.
- Generic greetings: Legitimate services you have an account with usually address you by name. Generic greetings like Dear Customer or Dear Account Holder are common in phishing.
- Poor spelling and grammar: Many phishing emails contain errors, though sophisticated attacks are increasingly well-written.
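Two of the red flags above, a display name that does not match the real sender address and a link whose visible text points somewhere other than its href, can be checked mechanically. The following is an added example written for this page, not code from the original article: it parses a sample message constructed for the demo, compares the brand named in the display name against the address's domain, and lists every link whose visible URL and real destination resolve to different domains. The brand-to-domain table and the sample message are assumptions made for the demo, and the domain reduction keeps only the last two labels, which is a simplification noted in the code.

```python
"""Heuristic phishing checks: sender display name vs. real address, and
visible link text vs. actual href.  Example code added for this page; the
sample message below is constructed for the demo, not a real phish."""
from __future__ import annotations

from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the display name claims Microsoft, the address does not,
# and the first link shows a microsoft.com URL while pointing elsewhere.
SAMPLE_EMAIL = """\
From: Microsoft Account Team <alerts@account-verify-login.net>
To: user@example.com
Subject: Action required: your account will be locked in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, unusual sign-in activity was detected.</p>
<p>Review it here: <a href="http://account-verify-login.net/ms/login">https://account.microsoft.com/security</a></p>
<p>Questions? Visit <a href="https://www.microsoft.com/support">our support site</a>.</p>
</body></html>
"""

# Brand keyword -> domain that brand really sends from (assumed for the demo).
KNOWN_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com"}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname ('mail.example.com' -> 'example.com').
    Simplification: a production tool should use the Public Suffix List so
    that names such as 'example.co.uk' are reduced correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(text: str) -> str | None:
    """Hostname from a URL or bare domain; None if the text is not one."""
    text = text.strip()
    host = urlsplit(text if "://" in text else "//" + text).hostname
    return host if host and "." in host else None


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str) -> list[tuple[str, str]]:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def find_link_mismatches(html: str) -> list[tuple[str, str]]:
    """Links whose visible text looks like a URL or domain but whose href
    resolves to a different registered domain: the classic disguised link."""
    found = []
    for text, href in extract_links(html):
        shown, real = domain_of(text), domain_of(href)
        if shown and real and registered_domain(shown) != registered_domain(real):
            found.append((text, href))
    return found


def sender_mismatch(from_header: str, brands: dict[str, str]) -> str | None:
    """Return the From address if its display name names a known brand but
    the address's registered domain is not that brand's domain."""
    name, addr = parseaddr(str(from_header))
    addr_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, domain in brands.items():
        if brand in name.lower() and addr_domain != domain:
            return addr
    return None


def analyze(raw: str) -> dict:
    """Run both checks over a raw RFC 822 message and report the findings."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {
        "sender_mismatch": sender_mismatch(msg["From"], KNOWN_BRANDS),
        "link_mismatches": find_link_mismatches(html),
    }


if __name__ == "__main__":
    for finding, value in analyze(SAMPLE_EMAIL).items():
        print(f"{finding}: {value}")
```

Run against the sample, the sender check returns the spoofed address and the link check returns the one disguised link while leaving the genuine support link alone. These are heuristics, not proof: a phish sent from a freshly registered domain with no brand name in the display name passes the first check, and a link whose visible text is plain words rather than a URL passes the second, which is why hovering and reading the real destination yourself still matters.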
What to do if you receive a suspicious email
- Do not click any links or open any attachments.
- Do not reply to the email.
- If it claims to be from a company you have an account with, go directly to that company's website by typing the address in your browser and check your account from there.
- Report it as phishing using your email provider's built-in reporting feature.
- If you clicked something before realizing it was suspicious, act based on what happened. If you entered a password, change it immediately on the real site (and on any other account where you reused it), enable two-factor authentication, and sign out of other sessions if the service offers that option. If you opened an attachment or ran a downloaded file, disconnect from the network and contact your IT or security team; changing a password does not remove malware that may already be running.