How to spot and avoid phishing scams

We send and receive emails every single day. Whether that’s for work or in our personal lives, emails have become a common method of communication for us.

Due to this, we often receive a large number of spam emails in our inboxes. For instance, in September 2021, an average of 105.67 billion emails were sent daily, of which 88.88 billion were spam emails – a whopping 84.1%.

Many of these are simply promotional emails from businesses and individuals looking to sell you their goods or services. However, a significant portion of these spam emails are sent with malicious intent, such as phishing attacks.

Phishing is a popular way of tricking users into revealing their card or bank details online. Fraudsters who obtain these details often go on to commit Card Not Present (CNP) fraud, a common type of scam in which the real cardholder is not present during the payment.

To ensure your financial information remains safe, we’ve created this article to help you understand what phishing scams are, how to spot them, and how to avoid them.

Identifying phishing emails (and text messages) can be difficult, but they often convey a sense of urgency, requiring you to take quick action. They’ll usually ask for sensitive information such as credit card details or ask you to click on a suspicious-looking link. These key giveaways let you know you are on the receiving end of a phishing scam.

Whilst you can’t get rid of phishing emails from your life completely, you can protect yourself from them by first educating yourself on what they look like, using multi-factor authentication on all your accounts, and checking that you are on the genuine website before entering any information.

But before we go into more detail, let’s take a step back and explain what phishing is.

What is Phishing?

Phishing is when scammers impersonate reputable businesses and attempt to trick users into downloading malware or clicking on a fraudulent website to steal personal or financial information.

Because the sender appears to be a trusted business, users often let their guard down and follow the instructions in the email. These can include:

  • Opening an attachment.
  • Clicking on a link.
  • Filling out a form.
  • Replying to the email with certain information.

It should be noted that phishing also arrives as text messages (often called smishing) and phone calls (vishing). However, it’s most commonly associated with emails.

What is the difference between spam phishing and targeted phishing?

Spam phishing is when phishers send the same generic email to as many people as possible. Essentially, they are casting a wide net and trying to trick as many people as they can, regardless of who they are.

Since scammers don’t need to tailor their emails to a specific person, it is the easiest phishing method. As such, spam phishing is by far the most common type of phishing scam you’ll encounter.

Targeted phishing, also known as spear phishing, is when a specific email is sent to a specific target. The targets can be individuals or groups of people, such as employees of a particular business or organisation.

Since targeted phishing scams are more personalised, they require much more effort from the phisher, and as a result, they’re not as common as spam phishing emails. However, they can be harder to identify as scams due to that very reason.


How to spot phishing scams?

Spotting phishing emails isn’t always easy. Since they are designed to look like they’re sent from an actual business, it can be difficult to tell the difference between a regular email and a malicious one. Still, there are a few key things to look out for which can help differentiate between the two.

1. Emails requiring urgent action

Phishing emails typically describe a scenario that requires your urgent attention and action. Examples include security threats to one of your banking or social media accounts or an urgent fine you must pay off.

This is done to put you in a state of panic where you’re no longer thinking logically. As such, you won’t notice certain things, such as irregularities in the email, that can mark it as a scam.

If you receive one of these suspicious emails, you should first pause and take a minute to process what it says. By carefully dissecting the email, you’ll often notice inconsistencies that point toward it being a phishing scam.

2. Emails with inconsistencies

If the sender’s address, the link you are asked to click and the website it leads to don’t match each other or the business the email claims to be from, that is a strong sign of a phishing attack. An example would be an email from ‘Google’ whose link goes to ‘Gooogle’ with three o’s, or a sender address at an unrelated domain with the brand name appearing only in the display name.

You can check a link’s real destination by hovering over it without clicking. Most email clients and browsers show the actual address in a tooltip or in the status bar at the bottom of the window; on a phone, press and hold the link to see it. The visible text of a link can say anything, so judge the destination, not the text. If the domain doesn’t match what you expect, it’s safe to say the link takes you to a malicious website, and you should not click on it.

3. Emails that request sensitive information

As a general rule of thumb, any email that asks for your sensitive data – such as your login details, bank details, or other personal or financial information – should be treated with care, as this is a common way phishers try to trick victims.

These are often phishing attempts where the scammer will ask you to click on a link and enter your sensitive information. Once you have handed the information over, the scammer will use it for fraud or identity theft.

4. Emails with grammar and spelling errors

Spelling and grammar mistakes are one of the classic inconsistencies in phishing emails. Legitimate businesses proofread outgoing mail because mistakes look unprofessional, whereas phishers sending in bulk, often in a language that isn’t their own, tend to be less careful.

Treat this as one signal rather than a rule, though. A polished, error-free email is not proof that it is genuine, since phishers can copy a real company’s wording and templates word for word, so combine this check with the others in this list.

5. Emails with suspicious links

A common theme you may have noticed is the use of malicious links. Most phishing scams involve redirecting you away from your email client to a malicious site called a phishing site.

These phishing sites are made to look identical to the website they impersonate, which is why people fall for the trap. Although the page looks real, it is controlled by the scammer, and any information entered there goes straight to them.

6. Emails with suspicious attachments

Similarly, you may receive suspicious attachments, typically .zip, .exe or .scr files, or Office documents that ask you to ‘enable content’ or macros. Opening or running such a file can install malware on your device, which may then record your activity and keystrokes and give the scammer access to your accounts. Watch for double extensions such as ‘invoice.pdf.exe’, which Windows may show simply as ‘invoice.pdf’ when file extensions are hidden, and remember that a .zip archive can contain any of these.
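As an added example (not part of the original article), the following Python script applies the checks from points 2, 5 and 6 to a raw email: it compares the real sender domain and each link’s true destination against a small list of trusted domains, flags link text that disagrees with its href, and flags risky or double-extension attachments. The trusted-domain list, the risky-extension list and the sample message are all made up for the demo, and the registrable-domain logic is a heuristic that a real filter would replace with the Public Suffix List.

```python
# Added example, not from the original article. The trusted-domain list, the
# risky-extension list and the sample message are constructed for the demo, and
# _SECOND_LEVEL is a stand-in for the Public Suffix List a real filter would use.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = ["google.com", "paypal.com", "examplebank.co.uk"]  # assumed allow-list
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js", ".vbs", ".lnk", ".iso", ".docm", ".xlsm", ".html"}
_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}  # keeps bank.co.uk whole
# Regex link extraction is enough for the demo; production code should use an HTML parser.
_LINK_RE = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)

# Constructed sample: lookalike sender, link text that disagrees with its href,
# and a double-extension attachment (the payload is just base64 "Hello").
PHISH_EML = b"""From: "Google Security" <no-reply@gooogle-account.com>
Subject: Urgent: unusual sign-in, verify now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Verify at <a href="http://accounts.gooogle.com/verify">https://accounts.google.com/verify</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""


def registrable_domain(host):
    """accounts.gooogle.com -> gooogle.com; www.bank.co.uk -> bank.co.uk (heuristic)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL else 2
    return ".".join(labels[-keep:])


def edit_distance(a, b):
    """Levenshtein distance: 'gooogle' and 'paypa1' are each one edit from the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    tokens = [t for t in re.split(r"[-.]", domain) if t]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if any(edit_distance(tok, brand) <= 2 for tok in tokens):
            return trusted
    return None


def scan_email(raw):
    """Return human-readable phishing indicators found in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # Point 2: the display name is free text, so judge the real sender address.
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""
    if sender_domain and lookalike_of(sender_domain):
        findings.append(f"sender domain {sender_domain} imitates {lookalike_of(sender_domain)}")
    # Point 5: compare what a link shows with where it really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, inner in _LINK_RE.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", inner).strip()
            real_host = urlparse(href).hostname or ""
            real_domain = registrable_domain(real_host) if real_host else ""
            shown_host = urlparse(text).hostname if "://" in text else None
            if shown_host and registrable_domain(shown_host) != real_domain:
                findings.append(f"link text shows {shown_host} but points to {real_host}")
            if real_domain and lookalike_of(real_domain):
                findings.append(f"link domain {real_domain} imitates {lookalike_of(real_domain)}")
    # Point 6: risky file types and double extensions such as invoice.pdf.exe.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        pieces = fname.split(".")
        if len(pieces) > 1 and "." + pieces[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment {fname} is a risky type (.{pieces[-1]})")
        if len(pieces) > 2:
            findings.append(f"attachment {fname} has a double extension")
    return findings
```

scan_email(PHISH_EML) returns five findings for the sample: the lookalike sender, the text/href mismatch, the lookalike link domain, the .exe attachment and its double extension. A password manager’s refusal to autofill on a lookalike domain (see ‘Take advantage of a password manager’ below) rests on the same exact-domain comparison that registrable_domain and lookalike_of make here.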

7. Emails that offer rewards and prizes

It would be silly to say no to a free prize, right? This is exactly what scammers hope for when they send you these emails.

Suppose you receive a random email about how to claim your free reward. In that case, there’s a good chance it’s a phishing email and cannot be trusted – if it sounds too good to be true, it probably is.

What are some examples of common phishing scams?

As internet users become smarter, so do phishing scammers. That’s why creating a complete list of phishing methods they use is difficult. However, there are some common emails you’ll come across. They’ll typically impersonate the following:

  • A ‘friend’ asking for financial help
  • Your bank provider notifying you of a security breach that requires your verification
  • A government agency informing you of a tax rebate
  • A charity asking for donations
  • An investment platform with an investment opportunity
  • A lottery association telling you to claim your prize

How to avoid phishing scams?

The quantity and frequency at which you receive phishing emails are largely out of your control – it’s simply bound to happen. However, there are some things you can do to minimise how many you receive and how to avoid falling victim to them.

1. Know what a phishing scam looks like/know the signs

One of the best things you can do to protect yourself from phishing scams is to be educated on the topic. We’ve already gone through how to spot them and some common examples of what they look like, but that doesn’t mean you shouldn’t keep up to date on current phishing tactics.

Scammers are constantly evolving the methods by which they look to trick people. Therefore, the best way to prevent phishing scams is to know what to look for, and you can do this by keeping tabs on new phishing trends.

2. Use multi-factor authentication

Multi-factor authentication (MFA) is when a user must pass two or more security checks before access to an online account is granted. The most common example is a username and password followed by a one-time passcode, sent to your email address or phone number or generated by an authenticator app, to confirm the login attempt.

Fraud-prevention laws and regulations have made multi-factor authentication standard practice for online payments, and it is now offered by most websites and apps as well.

If you have the option, it’s highly recommended to use multi-factor authentication on all of your online accounts, as it stops scammers who have only your password. Be aware, though, that a code sent by text or email, or shown in an app, can itself be phished: a fake login page can ask for the code and pass it to the real site within the minute or so it stays valid. A hardware security key or a passkey (both built on the FIDO2/WebAuthn standard) doesn’t have this weakness, because the credential only works on the genuine website’s domain, which makes it the best choice for important accounts such as your email and online banking.
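To make the difference between those two kinds of second factor concrete, here is an added example (not code from the original article) that simulates both a real-time relay of a one-time code and an origin-bound credential. The origins, relying-party ID and secret key are made up, and the authenticator is a deliberate simplification: it uses an HMAC with a per-site key in place of WebAuthn’s signature with an asymmetric key pair, but the RP ID and origin binding it demonstrates are the real mechanism.

```python
# Added example, not from the original article. The origins, RP ID and secret
# are made up; the authenticator is a deliberate simplification (HMAC with a
# per-site key in place of WebAuthn's asymmetric signature), but the RP ID and
# origin binding it demonstrates are the real mechanism.
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "examplebank.co.uk"                              # assumed relying party ID
LEGIT_ORIGIN = "https://accounts.examplebank.co.uk"
PHISH_ORIGIN = "https://accounts.examp1ebank.co.uk"      # constructed lookalike
TOTP_SECRET = b"12345678901234567890"                   # RFC 6238 test-vector key


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as an authenticator app computes it."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_relay_succeeds(at):
    """Victim types the code into the fake page; the attacker forwards it to the
    real site inside the same 30 s window. The real site cannot tell the difference."""
    typed_into_phishing_page = totp(TOTP_SECRET, at)     # from the victim's app
    forwarded_by_attacker = typed_into_phishing_page     # relayed verbatim
    return hmac.compare_digest(forwarded_by_attacker, totp(TOTP_SECRET, at))


class Authenticator:
    """One key per RP ID; signs the challenge together with the origin the
    browser reports (WebAuthn carries the origin in clientDataJSON)."""
    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]      # the server stores this as the credential

    def get_assertion(self, rp_id, browser_origin, challenge):
        key = self._keys.get(rp_id)
        if key is None:
            return None
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()


def browser_get_assertion(auth, page_origin, rp_id, challenge):
    """First defence: a browser only uses a credential whose RP ID is the page's
    domain or a parent of it, so a lookalike domain cannot even ask for it."""
    host = page_origin.split("://", 1)[1].split("/")[0]
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    return auth.get_assertion(rp_id, page_origin, challenge)


def server_verify(credential, challenge, assertion):
    """Second defence: the server rejects an assertion made for any other origin."""
    if assertion is None:
        return False
    client_data, sig = assertion
    data = json.loads(client_data)
    if data["origin"] != LEGIT_ORIGIN or data["challenge"] != challenge:
        return False
    expected = hmac.new(credential, client_data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def webauthn_login(page_origin, skip_rp_id_check=False):
    """One login attempt from page_origin, where the victim actually is. In the
    phishing case the challenge is the real site's, relayed by the attacker."""
    auth = Authenticator()
    credential = auth.register(RP_ID)
    challenge = secrets.token_hex(16)
    if skip_rp_id_check:   # even if the browser-side check were bypassed...
        assertion = auth.get_assertion(RP_ID, page_origin, challenge)
    else:
        assertion = browser_get_assertion(auth, page_origin, RP_ID, challenge)
    return server_verify(credential, challenge, assertion)   # ...the origin still gives it away
```

totp_relay_succeeds(...) returns True for any timestamp: the relayed code is indistinguishable from the one the victim would have typed on the real site. webauthn_login(LEGIT_ORIGIN) returns True, webauthn_login(PHISH_ORIGIN) returns False because the browser refuses to use a credential for examplebank.co.uk on a different domain, and webauthn_login(PHISH_ORIGIN, skip_rp_id_check=True) still returns False because the signed client data names the phishing origin.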

3. Take advantage of a password manager

Many websites ask you to create an account before you can make a purchase or access their content, so it can be hard to keep track of all your usernames and passwords.

Some people make the mistake of using the same password across multiple websites or making their password incredibly easy to remember – and in some cases, both. However, this makes it easy for scammers to access your accounts and information. To remedy this, use a password manager.

A password manager stores all your usernames and passwords in one place. It also recommends complex passwords that would otherwise be impossible to remember, ensuring your account is extra secure.

In addition, a password manager will automatically fill in your login details when you visit a site, and it does this by matching the exact domain the details were saved for. So if you land on a page that looks like your bank’s login but your details aren’t auto-populated, treat it as a warning that you may be on a lookalike phishing site, and check the address before typing anything.

4. Report phishing emails rather than just deleting them

When you encounter an email you suspect is a phishing attempt, it can be tempting to mark it as junk or simply delete it. A better alternative is to report it as ‘phishing’. Your email provider uses these reports to block or filter the sending address and to improve its phishing filters for everyone.

Bear in mind that scammers frequently spoof sender addresses or switch to new domains, so reporting one email doesn’t guarantee you won’t see similar ones again, but it does make them less likely to reach your inbox. If the email impersonates a company you have an account with, many banks and large companies also publish an address to which you can forward phishing attempts.

5. Set up a private email address

A simple and effective tool to prevent phishing scams – but one that’s often overlooked – is to set up a private email address for all your important websites, such as online banking and bills.

Many people use the same email address for all their online accounts, which is risky. An address used on social media platforms, forums and other websites easily ends up in data breaches and in the lists of addresses that scammers buy or scrape, and phishers work from exactly those lists when choosing who to send their messages to.

By keeping all your important emails restricted to a separate and private email address, you’ll significantly reduce the chance of it falling into the hands of a phishing scammer. Also, if you still end up receiving a phishing email, it will be easier to identify and block.

6. Don’t click on suspicious links

It’s fine to follow a link when you’re certain it comes from a trusted sender. However, if you have even the slightest suspicion, don’t click on it; it’s better to be safe than sorry. Instead, go to the website yourself by typing the address or using a bookmark you saved earlier, so you can’t be redirected to a malicious site. If you use a search engine instead, be careful with sponsored results, which can also point to lookalike sites.

7. Verify a website’s security

Hovering over a link shows whether it points to an “https://” address. If it doesn’t, anything you type on that page can be read in transit, so you should never enter sensitive information there.

The reverse is not true, though. “https://” and the closed padlock next to the address only mean that the connection to the site is encrypted; they say nothing about who runs it. Scammers obtain valid certificates for their lookalike domains as easily as anyone else, and the majority of phishing sites now use HTTPS and show a padlock. The habit worth forming is to check the domain name in the address bar, character by character, before submitting any information, and to treat the padlock as necessary but not sufficient.

This is particularly relevant for when you’re shopping online as you’ll be entering your debit or credit card details onto the website.

For additional protection against payment fraud and data leaks online, you can use a virtual card. Virtual cards use tokenisation: the number you give a merchant is a stand-in for your real card number, so if it is captured by a phishing site or leaked in a breach, the scammer does not have your actual card details, and the virtual number can be frozen or cancelled without replacing your physical card.

8. Utilise anti-phishing tools

You can now download free anti-phishing add-ons to your browser to help identify online scams. Anti-phishing add-ons will flag a website if they believe it exposes you to a phishing attempt, which can act as an extra layer of protection.

9. Install antivirus software

On a similar note to the point above, installing antivirus software can help you identify when you’re on a malicious website, or when a program or website has attempted to download suspicious software onto your device. As such, it provides yet another layer of security as you browse the internet.

10. Update your browser immediately

Requests to update your browser can come at an inconvenient time, and we’ve all been guilty of ignoring them every now and then. However, they’re essential for your cyber security.

Browser updates fix security vulnerabilities that attackers actively exploit, and they improve built-in protections such as warnings for known phishing and malware sites. Thus, they improve the overall security of your device.

By not updating on time, you leave yourself open to phishers and hackers who exploit holes in your browser that have already been fixed in the current version.

11. Leave the pop-ups alone

This advice has been around since the start of the internet, but don’t interact with pop-ups. Although pop-ups can just be advertisements, they are used for malicious purposes in many cases.

They either masquerade as legitimate websites to entice users into entering personal or financial information, or they can result in malware being downloaded onto your device; both can be equally damaging. Therefore, it’s best to steer clear of pop-ups. Close the tab or window rather than clicking buttons inside the pop-up, since a fake ‘close’ or ‘x’ button can itself be the malicious link.

To avoid pop-ups being shown in the first place, there are many well-known and reputable ad-blockers that you can download as an add-on for your browser.


Final thoughts

Whether we like it or not, we will all be on the receiving end of a phishing scam at some point. It’s just one of the many ways in which scammers try to deceive users into revealing sensitive information, such as bank and card details.

By posing as a legitimate business and often asking you to take urgent action, they attempt to use your trust and good nature against you. However, these scams aren’t foolproof.

By recognising the tell-tale signs outlined in this article, you’ll be able to identify a phishing scam and avoid falling victim to it.