How to spot a phish

Phishing is the attempt to gain sensitive information over the internet or by telephone under false pretences, usually for malicious reasons. A common form of phishing is sending emails pretending to be from legitimate or recognised sources with instructions to click links, download files, or enter personal information. When the target is a senior executive or another high-profile person, the term ‘whaling’ is used instead of phishing to describe it. To ensure you don’t fall victim to phishing, follow our tips below. 

1: Look out for emotions

Greed – A phishing email will often tempt you into clicking a link or entering personal details by offering a reward. Remember: if it sounds too good to be true, it usually is.

Urgency – Phishing emails often include a tight deadline to panic potential victims into acting quickly and without thinking. If an email has a very strict deadline for acting, be suspicious.

Curiosity – Phishing emails often play on people’s natural curiosity by offering to reveal something exciting or forbidden in return for logging in or clicking a link. Be wary of the pot gold at the end of the rainbow.

Fear – Scaring potential victims in order to make them act rashly is a common tactic. Be suspicious of emails that threaten grave consequences.

2: Examine these aspects closely

Email signatures – A signature that looks very generic or doesn’t seem to follow traditional company protocols could suggest something’s not quite right.
E.g.
‘David Graham, Sales Executive
Sell, Inc.
020 6666 6666’

Sender address – If the email address doesn’t match the sender’s name, there’s a good chance that the entire email is dubious.
E.g.
‘From: David G <3hbd7j9@dodgy.co.uk>’

Email tone – We all know how our friends, colleagues, and even our favourite brands sound in emails, so if an email sounds odd, it’s wise to give it a second thought before acting upon what it requests.
E.g.
‘Howdy bud,

Give this link a click, would ya?’

3: Beware of these elements

Attachments – When you receive an email with an unexpected attachment, especially from a sender you don’t know, make sure the attachment is legitimate before downloading it.

Log-in pages – Phishers will often forge login pages to look exactly like the real login pages in order to steal your details. Make sure the email passes the previous steps before entering personal details into login pages. If in doubt, navigate to the login page yourself without clicking on the link.

Links – When there’s a link in an email, hover your mouse over the link and check what pops up – if it’s not in-line with the rest of the email, exercise caution and be wary of clicking.

An example

Here’s an example of a phishing email that one of us here at Currency UK actually received. There are several red flags here. Firstly, note the greeting ‘Hello, Dear Customer’ – it’s sloppy, and not something a genuine company is likely to send out (especially one as established as PayPal). Secondly, the subject line starting with ‘RE :’ it’s clearly a forwarded email; a genuine email from a company wouldn’t be a reply or forwarded email upon first contact. 

 

[Figure 1]:  

 

Thirdly, upon clicking the sender’s address to expand the information, we see that the actual email address of the sender does not match the display address, and looks incredibly suspicious and doesn’t have any connection to PayPal. The entire email is extremely suspicious, and upon receiving an email like this, you should contact PayPal (in this case) directly (on a separate email to this rather than replying) to confirm whether it was actually sent by them. 

 

[Figure 2]: 

 

As general advice, just keep your wits about you. Take a second look at emails before clicking links, opening attachments, or entering personal details. If something doesn’t seem right, it usually isn’t. It’s better to be safe than sorry, so if you have any doubt, ask someone you trust for guidance.