Indicators of a Phishing Attempt: How to Detect and Avoid Scams

This is probably a familiar online scenario: You get an email or text with an urgent warning and a clickable link. It reads something like this: you missed a payment on a parking ticket, your account is expiring, your payment failed, or you’ve won an unbelievable prize. You’re a little fuzzy on what prompted the message, but one thing is clear: you need the information from the link. 

What’s really going down here? All signs point to a phishing attempt. And it’s designed to steal your personal data. Cybercriminals craft these messages to exploit our trust, hoping we’ll act without thinking too much about it.

This guide walks you through the most common signs of phishing attempts to avoid compromise. By learning to spot phishing attempts, you can protect your sensitive information from falling into the hands of cybercriminals.

What is the most common sign of a phishing attempt?

There’s one phishing red flag that stands above the rest: a sense of urgency. Phishing messages are designed to make you feel like you must act right now, whether your account is seemingly in jeopardy or there’s an instant reward to claim. 

When you see phrases like "Immediate Action Required," "Account Suspension Warning," or "Your Package is On Hold," the cybercriminals are attempting to create a sense of panic (or excitement) to momentarily overrule your critical thinking. You don’t bother to question the message's legitimacy, check the sender's details, or ask a friend for a second opinion. The cybercriminals are banking on your exploited trust.

Here’s a common phishing example that emphasizes urgency: an email claims your bank account has been locked due to suspicious activity, and you have one hour to click a link to restore your access. 

There are a few obvious red flags here. This bogus urgency is a classic phishing attempt to make you sweat and click the link. Nobody wants the hassle of a locked bank account. From a broader POV, sending personally identifiable information (PII) via email doesn’t align with highly regulated legal and compliance frameworks that financial institutions adhere to, like the Gramm-Leach-Bliley Act. This puts them at risk of non-compliance for failing to safeguard customer data. 

When you get suspicious messages like this, take a moment and investigate, no matter how pressing it seems. If you're worried it might be legitimate, contact the company directly through their official website or phone number. Never use the contact information embedded in a suspicious message!



What are the key signs of phishing attempts?


Cybercriminals use a variety of tricks to make their scams convincing. Beyond creating a false sense of urgency, here are red flags to help you spot phishing attempts.

1. Links and attachments
A core component of any phishing attempt is a malicious link or attachment. Scammers often use URL shorteners or create links that look similar to genuine ones, but with subtle changes (e.g., "Paypal-login.net" instead of "Paypal.com"). Don’t click on suspicious links without first hovering your mouse over them to see the actual URL. Be wary if the destination URL gives you a weird vibe or doesn't match the company it claims to be from. The same rule applies to unsolicited attachments or files, especially those with file extensions such as .zip, .exe, or .scr. Somebody is probably phishing in your inbox, and they want access to your sensitive information. 

2. Generic greetings
Legitimate companies will usually address you by name in an email. But phishing emails are more impersonal, with intros like "Dear Customer," "Valued Member," or even "Hi." This is because scammers send out these messages in bulk and don't have your personal details (yet!).

3. Lackluster grammar and spelling
Even with AI and more sophisticated phishing techniques, hackers still make grammatical errors, spelling mistakes, and awkward phrasing blunders. An email from a major bank or tech company filled with typos is a clear sign that something is amiss and your credentials are at risk. 

4. Requests for personal information
If your bank, the IRS, or big companies (think: Apple or Amazon, for example) ask you for sensitive information like your password, Social Security number, or credit card details via email, it’s a phishing attempt. Requests to "verify" your account by entering personal data are a direct attempt to steal your credentials, not the company updating your account details. 

5. Mismatched sender email address
Always check the sender's email address. At first glance, it might look real, but on closer inspection, you'll often find inconsistencies. For example, an email pretending to be from Netflix might come from "support@net-flix-billing.com" instead of an official "@netflix.com" domain. Scammers often create domains that are just one or two characters off from the real thing, making it tougher for end-users to spot the difference.

6. Unusual formatting
The message design, logo, or layout isn’t quite on point with the organization’s official communications. The colors might be slightly different, there might be missing or fake contact details in the layout, or the logo might be lower-resolution than normal. Pay attention to subtle formatting differences that tip you off to malicious behaviors. 

7. Offers or rewards that are too good to be true
You've won a contest you don’t remember entering, there’s a mega discount, or an exclusive opportunity...if you just click the link. Scammers use prizes and rewards as bait in phishing scams to steal personal information. If it seems too good to be true, unfortunately, it probably is.
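
Indicators 1, 2 and 5 above, together with the urgency cue, written as a small triage check over one message (an added example, not code from the original article). The brand allowlist, function names and sample message are assumptions constructed for illustration, and the registered name is approximated by the second-to-last label rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of brand -> official domain; not from the article.
OFFICIAL = {"paypal": "paypal.com", "netflix": "netflix.com"}
URGENT = ("immediate action required", "account suspension warning",
          "your package is on hold")  # phrases quoted in the article
GENERIC = ("dear customer", "valued member")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host):
    """Return the brand a host imitates, or None if official or unrelated."""
    host = host.lower().rstrip(".")
    if any(host == o or host.endswith("." + o) for o in OFFICIAL.values()):
        return None
    # Simplification: second-to-last label stands in for the registered name.
    label = host.split(".")[-2] if "." in host else host
    for brand in OFFICIAL:
        if brand in label.replace("-", "") or edit_distance(label, brand) <= 2:
            return brand
    return None

def indicators(raw):
    """List the red flags found in one plain-text (non-multipart) message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hosts = [parseaddr(msg.get("From", ""))[1].rpartition("@")[2]]
    hosts += [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"']+", body)]
    found = ["urgency"] if any(p in text for p in URGENT) else []
    found += ["generic greeting"] if any(g in text for g in GENERIC) else []
    found += ["lookalike of %s: %s" % (lookalike(h), h) for h in hosts if lookalike(h)]
    return found

# Constructed sample message, using the lookalike domains the article mentions.
SAMPLE = ("From: Netflix <support@net-flix-billing.com>\n"
          "Subject: Immediate Action Required\n\n"
          "Dear Customer, confirm your payment at http://Paypal-login.net/verify\n")
```

Calling `indicators(SAMPLE)` returns one entry per red flag; a message from an allowlisted domain with no urgency phrasing returns an empty list.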

Real phish, real consequences

Here are a few types of phishing scams to look out for. 

  • Voicemail luring: Attackers exploit missed phone calls and voicemails to lure victims. They trick you into clicking a link to “hear the voicemail” or “read a transcript.” In reality, this leads to a nasty landing page that steals your credentials or drops malware.
  • QR codes: To avoid security scrutiny around malicious links, we’ve seen attackers pivot to QR codes instead. There’s less end-user awareness about QR code security, and users often scan the codes with personal devices, outside of organizational security controls.

  • E-signature impersonation: Attackers use malicious e-signing document links, especially dupes that look like Docusign and Adobe. When victims click to ‘review document,’ they’re redirected to a malicious site that steals credentials or launches malware. 



Know how to spot phishing bait

The human element in cybersecurity is your first line of defense and your strongest. By staying up-to-date about the latest phishing tactics and being ready to question unsolicited communications, you can significantly reduce your risk. When you receive a suspicious message, know how to spot shady tactics and shut down a potential cyberattack. 
