1. Poor spelling and grammar

Many of the less professional phishing operators still make basic errors in their messages — notably when it comes to spelling and grammar.

Official messages from any major organization are unlikely to contain bad spelling or grammar, and certainly not repeated instances throughout the body. A poorly written message should act as an immediate warning that the communication might not be legitimate.

It’s common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services, they still struggle to make messages sound natural.

2. An unusual URL

It’s very common for email phishing messages to coerce the victim into clicking through a link to a malicious or fake website.

Many phishing attacks will contain what looks like an official-looking URL. However, it’s worth taking a second careful look.

In some instances, it can simply be a shortened URL, whereby the attackers hope the victim won’t check the link and will just click through. In other instances, attackers will take a minor variation on a legitimate web address and hope the user doesn’t notice.

Ultimately, if you are suspicious of a URL in an email, hover over it to examine the landing page address and, if it looks fake, don’t click on it. And check that it is the correct URL and not one that looks very similar but slightly different to one that that you’d usually expect.

3. A strange or mismatched sender address

You receive a message that looks to be from an official company account. The message warns you that there’s been some strange activity using your account and urges you to click the link provided to verify your login details and the actions that have taken place.

The message looks legitimate, with good spelling and grammar, the correct formatting and the right company logo, address and even contact email address in the body of the message. But what about the sender address?

Also: This cruel email-hacking gang aims to tug on your heartstrings and steal your cash

In many instances, the phisher can’t fake a real address and just hopes that readers don’t check. Often the sender address will just be listed as a string of characters rather than as sent from an official source.

Another trick is to make the sender address almost look exactly like the company — for example, one campaign claiming to be from “Microsoft’s Security Team” urged customers to reply with personal details to ensure they weren’t hacked. However, there isn’t a division of Microsoft with that name — and if there was, it probably wouldn’t be based in Uzbekistan, where the email was sent from.

Keep an eye on the sender address to ensure that the message is legitimately from who it says it is.

4. This message looks too strange or too good to be true

Congratulations! You’ve just won the lottery/free airline tickets/a voucher to spend in our store — now just provide us with all of your personal information, including your bank details, to claim the prize. As is the case with many things in life, if it seems too good to be true, it probably is.

In many cases, phishing emails with the aim of distributing malware will be sent in a blank message containing an attachment. Never clicking on mysterious, unsolicited attachments is a good rule to live by online.

Even if the message is more detailed and looks as if it came from someone within your organization, if you think the message might not be legitimate, contact someone else in the company — over the phone or in person rather than over email if necessary — to ensure that they really did send it.

Cyber criminals also engage in CEO Fraud, a subset of BEC attack, where the attackers pose as a board member or manager, asking an employee to transfer funds to a specific account — often claiming it as a matter of secrecy and urgency.

In each of these cases, the attackers direct the funds into bank accounts they control, then make off with the money. By the time anyone notices anything is wrong, the attackers are long gone. According to the FBI, it’s estimated that BEC attacks cost a combined total of billions of dollars a year.

The growth of remote working in recent years has arguably made it easier for criminals to conduct BEC scams and other phishing attacks, because people working from home can’t as easily talk to one of their colleagues to check if the email is legitimate.

After a certain amount of time — it could be days, it could be months — the attacker might concoct a false story and ask the victim for details of some kind such as bank details, information, even login credentials, before disappearing into the ether with their info.

Also: Cybersecurity: These are the new things to worry about in 2023

One campaign of this nature targeted individuals in organizations in the financial, oil and technology sectors, with advanced social engineering based around a single, prolific social media persona that was fake.

Those behind ‘Mia Ash’, a social media phishing campaign, are thought to have been working on behalf of the Iranian government and tricked victims into handing over login credentials and private documents.