Do you know how to spot a phishing email? Even with the most sophisticated security technology in place, phishing costs organizations around the globe hundreds of millions annually, and more than half of internet users get at least one phishing email per day.
What is it?
Phishing is designed to trick people into revealing sensitive and highly personal information, such as usernames, passwords, credit card and bank details. It has evolved, too. A related tactic called spear phishing targets specific individuals or organizations with messages tailored from information the attacker has already gathered about them (their employer, colleagues, or social networks), which makes those messages far harder to dismiss. You might receive a message that looks like it's from a bank, or some other legitimate entity, asking you to verify or change your account information. Others say you've won a contest or lottery, or suggest you're owed unclaimed funds. Many are so outlandish that they are obviously not legitimate, which can leave you with a false sense of "internet security confidence": the belief that you can easily pinpoint them. The problem is that some attempts are much more convincing, and therefore much more difficult to detect.
Luckily, sophisticated security technology does the bulk of the work in combating phishing, and businesses are becoming increasingly aware that continuous safeguarding is now standard operating procedure. But no filter catches everything, and as global cyber citizens we can all do our part to prevent phishing right within our email inbox. Check out these 4 tips to learn how you can identify, and avoid, phishing attempts.
1. What’s in a Name?
Examine the sender's display name. A common tactic is to spoof the display name of an email so that it reads "XYZ Company" while the underlying address belongs to someone else. If you receive an email that says it's from "XYZ Company," click or tap on the display name to reveal the actual email address in the From header. If that address doesn't match, or is unrelated to, the name that displays, don't interact with the email aside from deleting it. This isn't a 100% foolproof way to detect a phishing attempt: the From address itself can be forged when the sending domain doesn't enforce email authentication (SPF, DKIM, and DMARC), and a look-alike address that is one letter off from the real domain is easy to miss at a glance. It's still effective as a first step.
Learn (a little) about the domain name game.
Unless you work within a specific field of IT, you probably don't know much about the standard naming conventions used for internet domains. Knowing a little about how they work will help you uncover suspicious links within an email, such as buttons and hyperlinks that ask you to 'Submit Personal Information' or 'Claim Your Prize.'
Think of an internet domain as a parent domain under which the pages of a website are created. In the XYZ Company example, the parent (registered) domain is 'XYZCompany' together with its top-level domain, and a page on the site appears as a path after a slash, such as '/blog'.
When a webmaster adds sub-domains under the parent, the sub-domains (or 'children') are listed on the left, separated from the parent by a period, or 'dot.' A legitimate sub-domain for XYZ Company would look like this: a child label, a dot, and then the parent domain, for example 'events.XYZCompany.com'.
Always take a look at the last part of the domain (furthest to the right, just before the first single slash) to determine whether it's trustworthy. The top-level domain and the single label immediately to its left are what the owner actually registered; everything further to the left is a sub-domain that the owner can name however they like. For example, www.XYZCompany.MaliciousDomain.com/Events is not an XYZ Company address at all: the registered domain is MaliciousDomain.com, and 'XYZCompany' is just a sub-domain its owner created to look familiar. Two caveats: some countries use a two-part suffix (such as .co.uk), so the registered domain is the label to the left of that suffix; and the visible text of a link or button can say anything, so hover over it (or long-press on a phone) to see where it actually points before you decide.
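To show how the sender check from tip 1 and the domain rule above can be applied mechanically, here is an added example in Python. It is not code from the original article. It assumes the company's real domain is xyzcompany.com, the From headers and links it examines are constructed samples, and the public-suffix table is a tiny constructed subset of the real Public Suffix List (a deployment would load the full list).

```python
"""Added example: check a message's From address and its links against an
expected domain, reading each hostname from the right as the article advises.
Assumptions (not from the article): expected domain 'xyzcompany.com',
constructed sample headers and links, and a hand-picked suffix table."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, enough for these samples.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(hostname):
    """Return the part of a hostname its owner actually registered, e.g.
    'www.xyzcompany.maliciousdomain.com' -> 'maliciousdomain.com'.
    Finds the longest known public suffix and keeps one label to its left.
    Returns None for a bare suffix or an unknown suffix (treated as untrusted)."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def link_matches(url, expected_domain):
    """True only if the link's registered domain is the expected one.
    urlsplit resolves the 'user@host' trick: in
    'https://xyzcompany.com@maliciousdomain.com/' the real host follows '@'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # javascript:, data:, or no host at all
    return registrable_domain(parts.hostname) == expected_domain.lower()


def sender_matches(from_header, expected_domain):
    """Compare the real address behind the display name with the expected
    domain; the display name itself is ignored because anyone can set it."""
    _display, address = parseaddr(from_header)
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1]
    return registrable_domain(domain) == expected_domain.lower()


def triage(from_header, urls, expected_domain="xyzcompany.com"):
    """Return a list of warnings for one message (empty means nothing flagged)."""
    warnings = []
    if not sender_matches(from_header, expected_domain):
        warnings.append(f"sender address is not under {expected_domain}: {from_header}")
    for url in urls:
        if not link_matches(url, expected_domain):
            warnings.append(f"link points outside {expected_domain}: {url}")
    return warnings


if __name__ == "__main__":
    # Constructed samples: one look-alike sender, one sub-domain trick,
    # one '@' trick, and one legitimate link.
    sample_from = "XYZ Company <alerts@xyzcompany.maliciousdomain.com>"
    sample_links = [
        "https://www.XYZCompany.MaliciousDomain.com/Events",
        "https://xyzcompany.com@maliciousdomain.com/login",
        "https://events.xyzcompany.com/Events",
    ]
    for line in triage(sample_from, sample_links):
        print("WARNING:", line)
```

The script flags a message whose sender or links resolve to a registered domain other than the expected one, which also catches look-alike registrations such as xyzcompany-login.com. What it cannot do is verify that a matching From address is genuine; that requires the receiving mail server to check SPF, DKIM, and DMARC.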
2. The email contains spelling or grammar errors.
When large companies send messages out, the text is usually reviewed for spelling, grammar, and legality, among other things. An email riddled with poor grammar or spelling mistakes likely didn't originate from a major corporation. Consider spelling and grammar mistakes a fair warning, and delete the email. The reverse doesn't hold, though: a clean, well-written message is not proof that it's legitimate.
3. The email asks for personal information.
No matter how official it looks, be wary of emails asking for personal information. Remember: your bank already has your account number, and wouldn't send an email asking for it. Similarly, reputable companies won't send messages asking for your username or password. If a password change is genuinely needed, do it by visiting the site directly (type the address or use a bookmark rather than following the link in the email) and initiating the standard reset procedure.
4. The email mentions consequences if you don’t comply.
Be wary of email that threatens consequences if you do not comply, for example demanding that you submit a form or other personal information to avoid having your account blocked or suspended. Invoking fear or urgency is a common tactic in phishing attempts, because it pushes you to act before you look closely. Delete this type of email and keep it moving; if you're worried the threat might be real, check your account by visiting the site directly or calling a number you already have, not one taken from the email. There's plenty of other mail in your inbox that needs your attention.