Do you know the difference between phishing emails and the ones that you actually have to take action on?
Spammers posing as popular businesses or banks to steal personal information such as usernames, passwords, credit card information, and more has become commonplace in your inbox – and even on your phone.
Some phishing spam is not very convincing, and can actually be laughable. However, others can look almost identical to the “real deal”.
Here is a step-by-step guide to help you better spot the frauds and protect your personal information.1
Step 1: Don’t Panic
Many of these scammers are banking on the hope that when you see an urgent email you will panic and act right away. Subjects like “Problem With Your Account”, “Please Verify Email”, “There Has Been Unusual Activity On Your Bank Account” or sometimes a fake invoice for products you didn’t buy.
No one wants to be behind on their bills, stolen from, or suddenly have their subscription to Netflix stop working. However, unless you click a bad link, what happens in the next 20 seconds or even 5 minutes isn’t going to make much of a difference. So take that 5 minutes to relax and look over the email for these tell-tale phishing signs.
Step 2: Who is the email is from
Before you even open the email (or if you already have, take a step back) who does it say the email is from? Many phishing emails will have generic names like “service” or “accounts” but no actual company. Others will have the company name, but they will make a spelling mistake or not use capitals like the company normally would (i.e. paypal vs PayPal). Do you even have an account with that business? Did you sign up using the email address they have addressed the email to? Or did you use a personal or work email address instead?
A lot of the time the subject line will also be missing capitalization or have spelling mistakes that you know wouldn’t be approved by a bank or business’ marketing team. If you can’t tell from the “From” name, proceed to step 3.
Step 3: Look at the Email Address
Make sure that you have adequate anti-spam and anti-malware installed on your computer before opening suspicious emails – and NEVER click a link or open an attachment without verifying it is safe first. Even if you don’t fill out the requested information, the site that the link leads to can be riddled with malware, spyware, and other nasty viruses. If you are really not sure, skip directly to step 6.
Does the email follow the same pattern as other emails that you have received from this company in the past? Senders of spam generally won’t be able to send an email from the domain of the real company. For example, firstname.lastname@example.org would be owned by Walmart and unless they have somehow hacked their email server, they wouldn’t be able to send an email from that domain. Often they will fudge the domain like walmartcompany.com or wal-mart.com so that it appears to be coming from the real company but isn’t.
In the image below, the spammer put the company name in the user section of the email “theNetflix@isite.co.uk”. Looking at this email address, I can confidently say that this email is not from “The Real” Netflix.
Still not sure? Keep reading…
Step 4: Look at the punctuation and spelling
Look at the spelling and punctuation in the body of the email. Many of these larger companies and banks will have professional marketing departments writing their emails. While it is possible for them to make a spelling mistake, it is unlikely. If you notice that the email has multiple spelling or grammar mistakes it is probably a fake.
The above example is a very convincing email – but if you look at the first paragraph there is strange punctuation and sentence structure. In the text message example, the capitalization is inconsistent and there are spaces missing between some words. Sometimes you will notice changes in the font from sentence to sentence. This type of formatting usually comes from copy and pasting the same message into multiple different emails.
Step 5: Look at the link
Many of these phishing emails and text messages will include a link that they want you to click to “take action”. Before you click it, look at it!
In the text message example, you will notice that there is no way that link goes to an official CIBC website! Not only is it not CIBC’s domain, but if your account is in English and the link is in Spanish – it doesn’t make sense. In this example, the domain literally translates to: “Wedding Night and Day Makeup Step by Step / CIBC”.
Some emails, like the Netflix example, will hide the link in a button. It is very easy to see where the link goes without actually clicking it. All you have to do is hover your mouse cursor over the button and the url will pop up.* (see below)
*Note: You can only use this tactic on a computer, if you are using a tablet or iPhone do not try this! Holding your thumb on a url will cause the link to open.
Step 6: Call the Company!
If you still can’t tell if it’s a scam or not – it is safer to call the company than to explore the link. Google the company’s phone number instead of taking it directly from the email just to be safe.
Tell them about the email you received and they should be able to tell you if you need to take action or not.