How to recognize a phishing scam?

Phishing is not a new phenomenon – it has been the most common attack vector for cybercriminals for several years – but, due to the increasing complexity of phishing scams, knowing how to spot email phishing is becoming more important than ever before.

Phishing messages can be sent through emails, websites, text messages, or even through social media. These messages are often designed to appear like legitimate communications from banks, government agencies, online service providers, or other known organizations.

According to the Federal Trade Commission (FTC), some common phishing stories include:

  • Your payment is past due.
  • You need to verify the information to get your tax refund.
  • There has been suspicious activity or log-in attempts on your account.
  • Claim your coupons, discounts, or free stuff.

Phishing emails are frequently constructed to trigger emotions such as curiosity, sympathy, and fear. However, they often have common characteristics. Let’s go through them:

1. Emails Demanding Urgent Action

Emails threatening a negative consequence, or a loss of opportunity unless urgent action is taken, are often phishing emails. Attackers often use this approach to rush recipients into action before they have the opportunity to study the email for potential flaws or inconsistencies.

Whenever you see a message calling for immediate action, pause and look carefully at it. Are you sure it's real? Slow down and be safe.

2. Emails with Bad Grammar and Spelling Mistakes

Professional companies and organizations usually have an editorial and writing staff to make sure customers get high-quality, professional content. An email message with obvious spelling or grammatical errors might be a scam. These errors are sometimes the result of awkward translation from a foreign language, and sometimes they are deliberate in an attempt to evade filters that try to block these attacks.

3. Emails with an Unfamiliar Greeting or Salutation

An organization that works with you should know your name, and these days it is easy to personalize an email. If the email starts with a generic “Dear sir or madam,” “To whom it may concern,” or “Dear customer/user,” that is a warning sign that it might not really be from your bank or a service you use.

4. Inconsistencies in Email Addresses & Domain Names

Another way to spot phishing is by finding inconsistencies in email addresses and domain names. Does the email originate from an organization that you work with often? If so, check the sender’s address and name against previous emails from the same organization. If an email allegedly originates from (say) Google, but the domain name reads something else, report the email as a phishing attack. Also, be watchful for very subtle misspellings of the legitimate domain name, such as micros0ft.com, where the second "o" has been replaced by a 0, or rnicrosoft.com, where the "m" has been replaced by an "r" and an "n". These are common tricks of scammers.

When it comes to any link in an email, it is wise to live by the “hover before you click” rule. Be very wary of any link that leads to a gift, that asks for information from you, or that the email simply asks you to click. Before clicking the link, make sure it contains a security certificate, that the domain itself appears correct, and that it does not otherwise look “off.”

Tip: On Android, long-press the link to open its details page. If you see something you are not familiar with in the sender’s details, or different domains in the from, reply-to, and mailed-by sections, contact the company through its verified channels, such as the phone number on the official website, to verify the email's legitimacy.
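The domain checks described above (look-alike spellings and mismatched from/reply-to details) can also be automated. The following is an added example, not part of the original article or of TenantCloud's tooling; the trusted-domain list, the sample message, and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organizations this mailbox really deals with.
TRUSTED = {"microsoft.com", "google.com"}
# Swaps named in the article ("rn" for "m", "0" for "o"); "1" for "l" is added here.
CONFUSABLES = (("rn", "m"), ("0", "o"), ("1", "l"))

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".")

def normalize(domain):
    """Fold look-alike character sequences to the letters they imitate."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def lookalike_of(domain, trusted=TRUSTED):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or any(domain == t or domain.endswith("." + t) for t in trusted):
        return None  # empty, or genuinely a trusted domain or one of its subdomains
    folded = normalize(domain)
    for good in sorted(trusted):
        target = normalize(good)
        if folded == target or folded.endswith("." + target):
            return good
    return None

def check_email(raw, trusted=TRUSTED):
    """Return a list of warnings for one raw message (headers plus body as text)."""
    msg = message_from_string(raw)
    sender = domain_of(msg["From"])
    findings = []
    if (imitated := lookalike_of(sender, trusted)):
        findings.append(f"From domain {sender} imitates {imitated}")
    # Return-Path is assumed here to be what a mail client shows as "mailed-by".
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != sender:
            findings.append(f"{header} domain {other} differs from From domain {sender}")
    return findings

# Constructed sample message, not a real email.
SAMPLE = (
    'From: "Microsoft Account Team" <security@rnicrosoft.com>\n'
    "Reply-To: helpdesk@account-verify.example\n"
    "Return-Path: <bounce@rnicrosoft.com>\n"
    "Subject: Unusual sign-in activity\n\nPlease verify your account.\n"
)
```

Calling `check_email(SAMPLE)` returns two warnings: the look-alike From domain and the Reply-To mismatch. A differing domain is a reason to verify through official channels rather than proof of fraud, since legitimate senders sometimes send through third-party mail services.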

Here you may see an example of the REAL sender’s details in the email from TenantCloud Support Team:

6. Too Good to Be True Emails

Too-good-to-be-true emails are those that incentivize the recipient to click on a link or open an attachment by claiming there will be a reward of some nature. If the sender of the email is unfamiliar or you did not initiate the contact, the email is likely a phishing attempt.

What should I do if I receive a phishing email?

If any email that mentions our system matches at least one of the points above, please contact us directly from your account or via phone (use a verified number and do NOT call any numbers contained in the email). Attach a screenshot of the received email to your request and we will assist you with further steps.

Please note!
We do NOT request any sensitive information via email. All such requests can be made via either your system account or Support Tickets. The only case when we might ask for identity information via email is when you have lost access to your account. Even in this case, the email thread will be initiated by you, not by our request.

It is always better to double-check the legitimacy of the email than to provide your personal or company information to fraudsters. 

Tip: We strongly recommend setting up Two-Factor Authentication (2FA) to add one more security layer to your account. Once 2FA is enabled, you will be asked during login to provide your account credentials along with the one-time code generated in the 2FA mobile app on your device.

Here you can read more:
How do I use Two-Factor Authentication?

Keep your data safe!

 

Last updated:
Feb. 2, 2024