We are seeing more and more people fall victim to phishing scam emails, so we wanted to share some red flags to watch out for and review a couple examples.  

What is Phishing?

Phishing is when someone poses as a someone else (such as a trusted website or company) to try to steal your information; such as usernames, passwords, bank or credit card information.

This usually manifests itself as an email where the email looks to be legitimate from a company or person you trust, where really its from a malicious party masquerading. It could also be a website (often linked to in an email) that looks completely legitimate.

It’s a common tactic used by scammers, and the best way to fight it is to stay informed. Here’s how:

How to Tell if an Email is Real or a Phishing Attempt

Here are some red flags and rules of thumb to keep in mind every time you open an email on your computer, your phone, your tablet. Every time.

Red flags to look out for

The email’s “From” address or domain doesn’t match the actual company it claims to be from.  

In the GoDaddy example below,  the email said it was from “GoDaddy” however the email it claimed to be from was something like “abc7@xyzbedandbreakfast.com”.  Definitely a red flag.

GoDaddy Phishing Email from address

Misspellings or bad grammar.

Often if a bot is used to generate these emails, the grammar and spelling won’t be accurate. In a typical email written by a trusted company or individual, the occasional typo or misspelling is normal. These emails, however, are often riddled with them.

It will also not flow normally, and feel disjointed. Trust your instincts!

Threats or unexpected and atypical payment requirements.

Many emails threaten you to upgrade immediately, log in now to prevent your service from being terminated, review changes in their system or policy, or even give threats that your security has been compromised and they’re trying to help…so you must act! 

These are often ploys to convince you to click the link or submit your login credentials so they can masquerade as you on others sites. If you weren’t anticipating making a payment and it seems “phishy”, it probably is.

If you’re unsure, you can always go to the actual website of the company the email is claiming to be from, and call into their customer service line or submit a contact form with the email’s text contained. They will let you know if it came from them.

Emails from big companies like PayPal, GoDaddy, Facebook, or Amazon.

These are popular companies or services used by millions of people, so they are the best bet for scammers to focus on. Beware: the email or websites will look like they are from the real company down to the logo, colors, and styling of the content (buttons, white space, layout, etc), but there will usually be something that gives away the ruse.

For example, they will sometimes include older logos, or a blurry logo, because they do not have access to the real thing and copied it online. Or, there will be spacing irregularities that aren’t typical.

To be sure, compare the email with one you had received in the past from the real company. If they are identical, it may be legitimate – however, if the other red flags are present, it may just be a fantastically convincing fake.

Emails requiring your action.

Phishing emails often asking you to take some form of action.  Most often this is to log in and do something such as pay, upgrade, read a message, learn about important updates, etc.  Beware: Sometimes this is very subtle.

For example, the email asks you read an important message and has a simple link to read the message. You click that and it takes you to their homepage. They didn’t ask you to log in, but naturally you think that if you log in you’ll probably then see whatever message they’re referring to.

In this example, you’d be on their phishing website, not the real one, and if you attempted to log in you’d simple be giving them your login credentials. Then, the scammers could log in as you any time they want.

Emails that are overly technical.

One technique scammers use is to try to blind you with technical jargon and information, hoping to overwhelm you and push you to just act and forego trying to wrap your mind around what exactly the email is talking about.

Usually, an authentic email from a company you trust will be more user-centric, and not written to confuse you.

Emails that are unexpected and out of the blue.

All is well; You know you’re just paying for hosting. You know when your bill is due annually and you’re all paid up.  What’s this? Suddenly they’re requiring you to upgrade? That’s unexpected.

This is likely a scam. Whatever you do, don’t input your login credentials or worse – your payment information until you verify with the real company with a phone call to the number you usually use.

Watch out for links.

This is an unfortunate red flag, because lots of perfectly legitimate emails have links. However, there are ways to protect yourself.

Think of all the information you have connections to from your computer or phone which you trust daily to log in to or use services like: PayPal, Facebook, Google, your bank account, your credit card, Amazon, eBay, and more.

The last thing you want is a malicious party stealing that information and using it to steal your money or even your identity. This is only one way individuals can get hacked, but it’s the simplest to do, and the most popular method.

Even if you see a link or a button that appears to say exactly where it will take you to, it could take you elsewhere.

Here’s an example:  http://www.paypal.com

This link very clearly looks like it will take you to paypal.com right? But if you clicked on it, it actually takes you to www.google.com.

Here’s an example from GoDaddy’s email below.  

GoDaddy Phishing upgrade button

This button is styled like the real buttons from real GoDaddy emails, but it could take you anywhere. 

Rules of Thumb

Be Cautious of Links

Never use an email link to log into your website hosting, PayPal, or other account. If an email appears legitimate, just go log into your account by going directly there (type Paypal.com into a browser).

Fortunately, verifying where a link will take you in an email is relatively easy.  

On desktop computers, just hover your mouse over the link for a moment and a tooltip will popup showing the actual URL it will take you to (barring any redirects after visiting that URL).

GoDaddy Phishing upgrade button hover

On mobile phones, typically just tap and hold down on the link for a moment for a popup showing similar information.

Read Thoroughly

Read an email thoroughly keeping in mind the above red flags. If anything seems suspicious, contact the company directly separate from the email, or ask your marketing or development company first.

Remember, If You Need Help You Can Always Ask

We are always just a call or email away and we’ll let you know if something looks illegitimate and have the technical knowledge and experience to validate requests.

infographic of email phishing by the numbers