Email phishing is one of the most common forms of cybercrime today. Cybercriminals are always looking to target particular individuals who are more vulnerable to falling prey to such attacks — i.e., older citizens and technophobes. But sometimes, even tech savvy people can fall prey to such attacks due to sheer ignorance and distraction. Growing awareness regarding how best we can recognize and avoid phishing attacks is the need of the hour. In this post today, I will discuss 10 phishing email prevention tips for 2023.
What is a phishing email?
Before we discuss the prevention tips, it’s important to first have a good understanding of email phishing. So, what’s exactly email phishing?
An email phishing attack occurs when a cyber-criminal masquerades as a genuine entity by sending someone an email, which appears to be genuine — with an intention to steal their confidential data, by tricking them into clicking on malicious links inside or reply to that email.
Example of an email phishing attack
Let’s understand the concept more clearly with the help of an example…
Suppose you have an active bank account with PayPal. A scammer somehow got to know about this information from somewhere. Now he plans to launch an email phishing attack on you. Here is what he might do:
Using a fake email address and name (such as firstname.lastname@example.org / PayPal), the scammer will email you, saying that your account has just been compromised.
The email might then ask you to confirm your credit card details in order to temporarily freeze your account to limit the possibility of any financial loss. The link to confirm the credit card details will then take you to a fake website that resembles that of the official PayPal website.
Believing all this to be true, you will enter all your credit card details, and will eventually end up falling prey to an email phishing attack. Cybercriminals might then use this stolen data to cause you financial losses beyond your imagination.
Spear Phishing: A more tailored form of email phishing
Spear Phishing is a more dedicated / custom tailored form of phishing which especially targets a specific individual, more often, the key management of a company.
For example, if you have recently joined a company, a scam email from a fake email ID of that company’s CEO may try to fool you into clicking a malicious link to validate your salary bank account details.
What helps protect from spear phishing?
Being aware and vigilant is the best line of defense against spear phishing. Since these scams are custom tailored, it’s tough to identify them. However, if you follow the tips below, you would be in a better position to protect yourself from such attacks.
How to identify a phishing email scam?
Whenever you receive an email, look for the following signals to identify a phishing email scam at an early stage…
1. Does the email look suspicious?
It’s a suspicious email, if it involves…
- An unusual tone / greeting
- An unusual timing
- Unusual spelling and grammatical errors
- Formatting such as bold text, unusually larger/smaller font size, etc.
Always be vigilant whenever you receive an email that asks you to click on a link — to claim an offer, or to update your personal / banking credentials. These kinds of emails are generally intended to scam you out of your personal and financial details. While a few of such emails might be genuine, but majority are phishing attempts only. I will tell you how to discern between the two in the later part of this post.
As a general rule of thumb, always be suspicious of an email that asks you to click on a link.
3. Does the email tell you about an offer that’s too good to refuse?
Cybercriminals are smart these days. First, they will snoop upon your online activities, track your social media profiles, and then will send you an email containing an offer that’s too good to refuse.
For example, let’s suppose you have just graduated from school and now you are actively looking for jobs online. You might have recently followed some job boards on Facebook and LinkedIn. You might even have posted some comments related to job search here, and there. If your social media privacy settings are weak, Cybercriminals will have access to everything you have posted, liked, or followed online.
Taking advantage of this opportunity, they can now launch a phishing email attack upon you by emailing a fake job offer that’s too good to ignore. This is a classic example of how spear phishing attacks may be socially engineered to scam you out online.
Similarly, depending upon your profile, many other fake offers can be sent to you, like:
- Claiming a tax refund or credit from IRS
- 100% cash-back
- Bounty / Lucky-draw winner
- Free movie/sports tickets
Also, have a look at this PayPal phishing email that I recently received in my inbox. It asks me to confirm the receipt of $90 PayPal gift. And that…this transaction will appear in my PayPal account only once I validate my details. Oh, really? It’s a clear fraud.
4. An urgency to act fast
An urgency to act fast is usually followed in an email with a fake offer. The scammers will ask you to act instantly, as if it’s a now or never offer! Like, if you don’t act right now, it will be gone in a flash. This creates a sense of urgency on the offer that seems like a once in a lifetime opportunity.
So, if an email asks you to act fast, or in an unusual urgency, it is a clear red flag.
In a nutshell, most phishing attacks try to get you to reveal your personal/sensitive information using a variety of scam tricks.
10 phishing email prevention tips to protect you from email scams
1. Use a good email client
Using a reputed and reliable email service such as Gmail or Outlook does a good job in preventing most of the email phishing attempts that hit your inbox. For example, when you open any suspicious email, Gmail warns you about it being dangerous, and nudges you against clicking any unsafe attachments or links inside that email.
Gmail is able to recognize such suspicious emails because of collective data intelligence. Scammers don’t hit out at just one target. They indeed target multiple accounts at once. So, Gmail advanced spam and phishing detection algorithm is effectively trained to filter out a majority of automated phishing attempts.
Recommended to read further: 6 tips to protect your email address from spam
2. Always (double) check the email address of the sender
You shouldn’t blindly rely on software to block incoming email phishing attacks. Sometimes, your own intelligence and awareness prove to be much more reliable and effective.
Carefully checking the email address of the sender is one of the few good ways that can help you in prevention of email phishing attacks. Always make a habit of double checking the email address. Even more so, when suspicious red flags are triggered.
You have to notice the following key points:
A) Check whether the email has been sent using a free public email client, such as Gmail, Hotmail, etc. Official emails, such as those coming from your email provider, bank, stock broker, insurance, companies, etc. are usually not sent using free public email clients. These will always be sent using official email addresses such as – email@example.com rather than firstname.lastname@example.org.
B) Sometimes, cyber criminals try to act smarter. They buy misspelt domain names, in an attempt to impersonate the big corporations. For example, PayPal.com might be impersonated as paypaal.net or bankofamerica.com might be impersonated as bankofamericans.com or simply bankofamerica.net. You have to look at the domain name part of the emails very carefully. Any email sent using a misspelt or unofficial domain name is likely to be a phishing attack.
Here is an illustrative example…
3. Analyse possibilities of spoofed email address, if red flags are raised.
A phishing email attack may also be sent using a spoofed email address. A spoofed email address appears to be exactly the same as you would expect from a legitimate organization / entity. So, it’s easy to be fooled into believing that the email has been sent from a genuine organization.
So, carefully analyzing the email headers will help in prevention of email phishing attempts due to spoofed emails. Here is what you have to analyze:
a) DKIM (DomainKeys Identified Mail) tag: ‘PASS’ — this means that your email server at the receiving end has successfully authenticated the email of the sender after matching the public key of its DNS record with the private key that was used to sign that email.
b) SPF (Sender Policy Framework) tag: ‘PASS’ — this means that your email server at the receiving end has verified the authenticity of the source IP address.
c) DMARC (Domain-based Message Authentication, Reporting and Conformance) tag – ‘PASS’ — this means that your email server at the receiving end has verified that the email has been sent using a specific organization’s approved domain name.
If either any or all of the above header tags ‘Fail’, proceed with caution. It might be a scam email.
Always be a critic of why someone has requested you to click on a link in an email. Even more so, when you suspect that something is fishy during the first screening.
Good practice is that, if you really have to, always copy the link and open it in a separate private browser window, so that no personal information from that email is tracked/passed on when you click that malicious link.
Even if you have happened to click on a phishing link, it is your utmost responsibility to check the authenticity of the URL and its connection security status in the web browser’s address bar. For example, if you have been asked to confirm your PayPal account details in a phishing email, check the authenticity of the URL that has been clicked and opened. It’s one of the good ways to prevent being a victim of phishing attacks even if you have clicked on a malicious email link. Here is an illustrative example…
6. Take notice of silly spelling / grammatical errors in email body
Observing silly spelling or grammatical mistakes in professional emails is a clear red flag indicating the possibility of a phishing attack. So always be vigilant and refrain from clicking any link or downloading any attachments therein. Take a look at the email address of the sender and also analyze the email headers (refer point no. 3 above) to confirm the possibility of a spoofed email.
7. Don’t give away your email address carelessly
It’s vulnerable to use your primary email address for signing up on every account/app/website under the sun. Many people also unintentionally drop their email address on various public forums and comments. This makes it easy for cybercriminals to collect your email addresses and launch a variety of spam and phishing attacks.
8. Use a separate email address for banking / other sensitive accounts
It’s good practice to create a separate email address for your banking and other sensitive accounts. Once you have made a separate email id, keep it private, and refrain from using it on other public accounts like social media, gaming apps, forums, etc. This will greatly reduce the chances of your email address being exposed to the prying eyes of the scammers.
9. Independently review your bank account status
Whenever you receive an email that intimidates you that your bank account has been blocked and that you need to urgently click on some link to unblock your account — stop, don’t rush urgently. Instead of panicking, first review your bank account status independently. If everything seems ok, that email is most likely a phishing attack.
10. Use good antivirus software, if you really have to download email attachments
Use a good, reliable antivirus software on your computer if your work requires you to download email attachments. So, even if you happened to download some malicious attachment from a scam email, the antivirus could possibly prevent you from installing it on your computer.
How do you protect yourself from phishing email attacks?
What additional tips or security measures do you take to prevent email phishing attacks? Please share your thoughts in the comments below…