Top Ten Recipes for Phish

Top 10 ways you could be phished

Last week I gave thought as to why even the smartest people fall for phishing, and promised I would provide some additional thoughts on how to prevent yourself from being phished.

Here goes…

The key is to remain vigilant… and to look out for the various tell-tale signs that will, without doubt, be in the phishing email.

For those that play poker, there is something called a ‘tell’ – this is a sign which is given subconsciously which is then used by the other players to guess what you are doing… is the call being made real or is it a bluff? 

The same is true for phishing emails, there are things you can look out for to see if they are genuine, below are the top ten:
1 Is the sender someone you know?  You will frequently get emails from people you don’t know – and that’s the first indicator. Were you expecting an email from that particular organization?
Is the sender’s email address which is shown on the screen, the actual email address you see when you hover over it with your mouse? Why would someone like to ‘forge’ the email address they are sending from? May well be a phisher… especially if the email is then signed-off by someone completely different.
Does the sender’s email address look odd? Is it a set of letters and numbers and / or comes from an email domain which is similarly odd? There are some domains, such as .cn or .ru which should immediately set alarm bells ringing (unless you happen to live in or work with companies in China or Russia.)
4 Who is the email to? Is it you? (well it arrived in your inbox, so under the covers it will be), but is it addressed to you in the message, or are there lots of similar looking names? 
5 Is the language used in the email correct?  Or are there spelling and grammar mistakes etc. (This used to be the biggest giveaway – badly written emails - but today it’s not so obvious)
6 Look closely at the URL links, does the text for the link look the same as when you hover the mouse over it, or does it look odd?  See #3… for web URLs, they shouldn’t be a list of numbers, but rather something more meaningful. One of the challenges with shortened URLs, such as those which start with ‘’ or ‘’ is knowing where they are actually pointing to… there are ways to safely find out, but they are awkward to use – compared to just clicking on the link, which is why phishers often use shortened URLs.
7 Is the content asking *anything* to do with your bank account or credit card details, such as logging on to check them, reconfirm them etc.?  These days it can also be superstore loyalty cards as well. Never click on a link which then directly asks you to confirm such information. Any personal information which can be used to build trust (in a follow-up phishing email) is of value to the cyber-criminal.
8 If you click on a link and it then asks you to download or install something… Back out quickly, this is probably malware that wants to install itself on your system. (Keeping anti-virus and other anti-malware systems up to date on your device will help mitigate this problem should you fall prey – but it is not 100% guaranteed, so better not to click in the first place.)
9 If you are buying something from the Internet Check the URL address starts with ‘https://’ and there is a padlock icon on the screen – you can click the icon to see the security. This will help assure you that the site is genuine.
10 Does it ‘feel’ wrong…  This is the escape clause at the end of the list, and is really hard to quantify. But sometimes, there is something odd about an email (or a website), but you just can’t put your finger on it – an offer which appears too good to be true, an email from someone purporting to be an official agency, but you don’t know why they are sending it to you, threats or excuses as to why you need to do something, etc. If your gut feel says it’s wrong, trust your instincts!

In any case, if in doubt… delete it. Call the sender directly to see if it really was from them. Sometimes it turns out that their email account has been compromised, so calling them and letting them know allows it to be sorted out – and they can then send out an email to all their contacts to apologise. When calling people (or companies) look up the number from a different source, use directory enquiries or if you have a previous browser bookmark, use that – don’t use a link from the communication, or any telephone numbers that they provided, as the phishers are now sophisticated enough to have numbers and sites which work, or look like the original.

Of course, it’s easy to say you need to think about all these things for each email you look at – but it’s not always practical. However… over a period of time, the secondary checks you make, will become second nature, and while you might not do all of them, all of the time, it will be sufficient to spot the fraudsters and the scams – whether at work, or at home.

By Dr. Guy Bunker @guybunker