Cybercriminals are constantly devising new ways to trick unsuspecting individuals into falling for their scams or disclosing sensitive information. Being able to identify and verify suspicious emails is essential to protect yourself from phishing attempts, malware infections, and financial loss.
In this blog we explore the importance of looking out for suspicious emails and the alarming statistics that highlight the prevalence of email scams.
I get a lot of forwarded emails from clients asking whether they are “real” or not. Most are domain renewals, Google notifications or other website-related emails.
Whatever type of email you receive, website-related or otherwise, it pays to stay vigilant. In today’s digital age, where so much communication happens over email, caution with suspicious messages has become essential.
According to recent data from the Australian Competition and Consumer Commission (ACCC), email scams continue to pose a significant threat to individuals and businesses in Australia. In the past year alone, there has been a staggering increase in the number of reported email-related scams.
In 2023, the ACCC reported that over 26,000 Australians fell victim to email scams, resulting in a financial loss of more than $35 million (source: Scamwatch).
These alarming statistics underscore the urgent need for individuals to be proactive in verifying suspicious emails and taking the necessary precautions to safeguard their personal information and financial well-being.
Below are 10 steps to help identify a suspicious email.
1. Examine the sender’s email address
When examining the sender’s email address, look for suspicious variations or misspellings. For example, if an email claims to come from PayPal but the part after the @ is not the official “paypal.com” domain, it’s a clear red flag. Always double-check the sender’s address to ensure it matches the legitimate organisation.
What if the email address looks legitimate? Can it still be suspicious?
Absolutely! Attackers use a number of techniques to make an email address appear legitimate. They might register a domain that closely resembles a well-known organisation’s, or set a friendly display name (such as “PayPal Support”) while the actual address behind it belongs to an unrelated domain, so check the address itself and not just the name shown by your mail client. In such cases, proceed with caution and consider the other points mentioned here to make a more informed judgment.
2. Be cautious of urgent or threatening language
If an email contains urgent or threatening language, it’s important to exercise caution. Legitimate organisations typically maintain a professional tone and do not use fear tactics. For instance, an email claiming your account will be closed within hours if you don’t provide personal information immediately should raise suspicions.
So, if an email seems urgent, what should I do?
Take a step back and resist the urge to act impulsively. Instead, scrutinise the email further using the other steps mentioned here. If it’s a legitimate concern, you can always contact the organisation independently through their official channels to clarify the situation.
3. Review the email content
Phishing emails often contain errors in grammar, spelling, or formatting. Hackers may not pay close attention to these details, leading to inconsistencies that can raise suspicions. Keep an eye out for anything that seems unprofessional or poorly written.
Can you give an example of what to look for?
Sure! Let’s say you receive an email from a well-known online retailer. However, the email is riddled with spelling mistakes, odd sentence structures, and awkward phrasing. That’s a good indicator the email may not be legitimate. Legitimate organisations usually have quality control measures in place to ensure their communications are well-crafted. The reverse does not hold, though: a polished, error-free email can still be a phishing attempt, so a clean message passes this check but not the others.
4. Check for generic greetings
Phishing emails often use generic greetings like “Dear Customer” instead of addressing you by name. Legitimate organisations usually have your personal information on file and address you by your name or username.
What if the email does address me by name? Does that mean it’s safe?
Not necessarily. Some phishing attempts can personalize their emails using information gathered from data breaches or public sources. While addressing you by name adds a layer of credibility, it doesn’t guarantee the email’s authenticity. You should still consider the other aspects mentioned here to assess its legitimacy.
5. Hover over links
Hovering over links without clicking them allows you to see the actual URL the link leads to. Phishing emails often disguise their links by displaying legitimate-looking link text while directing you to a malicious website. On a phone, where there is no hover, a long press on the link usually shows the real destination.
How can I tell if the URL is suspicious?
Look for inconsistencies between the displayed text and the actual URL. For example, an email may claim to be from a banking institution and display a link that says “Click here to log into your account,” but when you hover over it, you see a URL that doesn’t match the bank’s domain. That’s a warning sign to avoid clicking the link. Read the domain from the right: the part that matters is the registered domain just before the top-level domain (or the slash), not whether the bank’s name appears somewhere in the address, since scammers routinely put a trusted name in a subdomain or in the path.
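To show how checks 1, 2, 4 and 5 can be applied mechanically to a message, here is a small Python triage script. It is an added example for this post, not a tool the author uses or recommends; the two email messages in it are constructed, every domain in them uses the reserved .example TLD or the paypal.com domain named above, and the short list of two-label public suffixes (com.au, co.uk, …) is an assumption standing in for the full Public Suffix List.

```python
"""Heuristic phishing triage: sender domain and display-name spoofing,
link text vs. real link target, generic greeting, urgency language.
Added example; sample messages below are constructed, not real phishing."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: tiny hard-coded list of suffixes where the registrable domain
# is three labels long. Real tooling should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder",
                     "dear client", "valued customer")
URGENCY_WORDS = ("within 24 hours", "immediately", "suspended",
                 "will be closed", "urgent", "final notice")
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def registrable_domain(host: str) -> str:
    """The part of a hostname someone actually registers, read from the right:
    'paypal.com.account-verify.example' -> 'account-verify.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse(raw: bytes, expected_domain: str) -> list[str]:
    """Return a list of human-readable red flags; empty means none found."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # Check 1: the real address behind the display name.
    name, addr = parseaddr(str(msg["From"] or ""))
    sender = registrable_domain(addr.rpartition("@")[2])
    if sender != expected_domain:
        findings.append(f"sender domain {sender!r} is not {expected_domain!r}")
        if expected_domain.split(".")[0] in name.lower():
            findings.append(f"display name {name!r} impersonates {expected_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    # Check 4: generic greeting.  Check 2: urgency in subject or body.
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    hits = [w for w in URGENCY_WORDS if w in str(msg["Subject"] or "").lower() + " " + text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # Check 5: where each link really goes, and whether its text lies about it.
    collector = _LinkCollector()
    collector.feed(html)
    for shown, href in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target != expected_domain:
            findings.append(f"link {shown!r} points to {target!r}, not {expected_domain!r}")
        m = HOST_RE.search(shown.lower())
        if m and registrable_domain(m.group(1)) != target:
            findings.append(f"link text names {registrable_domain(m.group(1))!r} but href goes to {target!r}")
    return findings


# Constructed phishing sample: spoofed display name, lookalike sender domain,
# urgent subject, generic greeting, link text that names paypal.com but points elsewhere.
SAMPLE_PHISH = b"""\
From: "PayPal Support" <service@paypal-secure-login.example>
To: you@example.com
Subject: URGENT: your account will be closed within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected. Verify your details immediately or your account will be suspended.</p>
<p><a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a></p>
<p><a href="http://paypal.com.account-verify.example/login">Click here to log in</a></p>
</body></html>
"""

# Constructed benign sample: correct domain everywhere, personal greeting, no urgency.
SAMPLE_LEGIT = b"""\
From: "PayPal" <service@paypal.com>
To: you@example.com
Subject: Your receipt
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Jane,</p><p>Thanks for your payment.</p>
<p><a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(raw, "paypal.com"))
```

The script deliberately compares registrable domains rather than searching for the brand name anywhere in the URL, which is why `paypal.com.account-verify.example` is reported as `account-verify.example`. It is a triage aid only: a message that produces no findings has merely passed these four heuristics, and the remaining steps below still apply.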
6. Avoid providing personal information
Legitimate organisations typically do not request sensitive information like passwords, tax file or social security numbers, or credit card details via email. They employ secure methods for handling such information. If an email asks for personal information, especially sensitive data, it’s a significant red flag.
What should I do if an email asks for personal information?
In such cases, it’s best to err on the side of caution. Avoid providing any personal information directly through email. Instead, contact the organisation independently using their official website or verified contact information to verify the legitimacy of the request.
7. Verify with the organisation directly
If you are unsure about the authenticity of an email, the best course of action is to reach out to the organisation directly. Look up their official contact information from their website or other trusted sources. By contacting them independently, you can confirm whether the email is genuine or a phishing attempt.
How can I be sure I’m contacting the real organisation?
It’s important to independently verify the contact information, rather than relying on the details provided in the suspicious email. Use a search engine to find the organisation’s official website and look for their contact information there. Be cautious of phone numbers or email addresses mentioned in the suspicious email itself, as they may be fake or controlled by scammers.
8. Search online
If you encounter a suspicious email, you can copy a few lines of text from the email and search for them online. This can help you identify if the email is a known phishing attempt. Often, if the email is part of a widespread phishing campaign, you may find warnings or reports from other users who have encountered it before.
How do I search for specific lines of text from the email?
Simply select a unique phrase or sentence from the suspicious email, enclose it in quotation marks, and enter it into a search engine. The search engine will look for exact matches or similar content, which can provide insights into the legitimacy of the email.
9. Consult with IT or security professionals
If you are in a professional or corporate setting, it’s advisable to involve your IT department or security professionals. They have expertise in handling security threats and can assist in analysing the email, determining its legitimacy, and guiding you on the appropriate actions to take.
Should I contact them for every suspicious email?
While it may not be necessary to involve IT or security professionals for every suspicious email, it’s a good idea to consult them for emails that raise significant concerns or appear to target your organisation specifically. They can provide valuable guidance and help protect the entire organisation from potential threats.
10. Report and delete
If you determine that an email is suspicious or a phishing attempt, it’s important to report it to your email provider or the organisation being impersonated. Reporting helps protect others who might also receive the same malicious email. After reporting, delete the email from your inbox and trash to prevent accidental clicks or further interactions. If you have passed it to your IT or security team, let them take a copy first: the full message headers and the original attachments are what they need to trace the campaign, and a forwarded copy strips much of that.
Is it necessary to report every suspicious email?
While reporting every suspicious email is not mandatory, it’s helpful to report emails that appear to be phishing attempts or other malicious activities. Reporting allows email providers and organisations to track and take action against such threats, ultimately safeguarding their users and customers.
You can report suspicious emails and scam SMS messages to ACCC Scamwatch.
I hope this provides you with a better understanding of each step in verifying a suspicious email.
Stay safe out there!