Phishing emails vary widely, but many hackers make the same basic mistakes. You can follow these guidelines to help identify potential phishing attacks.
Not every phishing email will contain these warning signs, but many do. Exercise caution when dealing with email; if something seems suspicious or unusual about a message, report it or try to verify its legitimacy. Don't automatically trust every email. And if it feels like the person emailing you is trying to manipulate or take advantage of you, trust your instincts and tell us.
1. Check the sender. If the “from” address doesn’t match the alleged sender of the email, or if it doesn’t make sense in the context of the email, something may be phishy.
2. Don’t open suspicious attachments. Some phishing emails try to get you to open an attached file. These attachments often contain malware that will infect your device; if you open them, you could be giving hackers access to your data or control of your device. If you get an unexpected or suspicious attachment in an email, something may be phishy.
3. Check the links. Always verify that link addresses are spelled correctly, and hover your mouse over a link to check its true destination. Beware of shortened links like http://bit.ly, http://goog.le, and http://tinyurl.com. If an email links to a suspicious website, something may be phishy. Hover functionality is not supported on mobile touch screen devices, but you can often use a “long press” or “long click” technique to reveal a link’s identity. Please see How to check suspicious email links on your Mobile device for more information
4. Don’t believe names and logos alone. Cyber criminals may include real names, logos, and other information in their emails to more convincingly impersonate an individual or group that you trust. Just because an email contains a name or logo you recognize doesn’t mean that it’s trustworthy. If an email misuses logos or names, or contains made-up names, something may be phishy
5.Check for (in)sanity. Many typical phishing emails are mass-produced by hackers using templates or generic messages. While sophisticated attacks may use more convincing fake emails, scammers looking to hit as many different inboxes as possible may send out large numbers of mismatched and badly written emails. If the email's content is nonsensical or doesn't match the subject, something may be phishy.
6. Check the salutation. Many business and commercial emails from legitimate organizations will be addressed to you by name. If an email claims to come from an organization you know but has a generic salutation, something may be phishy.
If you still aren't sure, verify!
If you think a message could be legitimate, but you aren't sure, try verifying it. Contact the alleged sender separately (e.g., by phone) to ask about the message. If you received an email instructing you to check your account settings or perform some similar action, go to your account page separately to check for notices or settings (e.g., log in to Facebook and navigate to your settings instead of opening a suspicious-looking link that claims to go to your account page).