The main red flags if you receive a phish:
- If the email seems too good to be true, or seems suspicious – it probably is. Trust your intuition.
- Criminals will often add a sense of urgency to their phishing campaigns – the language will push you to react quickly before a deadline.
- The email requests money or sensitive information such as credentials – official sources will never ask you to supply these via email, so don’t give them out.
- Criminals pretend to be an authority figure or reputable company to gain your trust. Hint: don’t trust them.
- Poor grammar or spelling may be the most obvious red flag – if it’s badly written, it’s bad news.
- Suspicious links or attachments may be included. Don’t click – you can see what the real website is by hovering over the URL, and don’t open any attachments unless you are absolutely sure they are legitimate.
- The email address uses a public email domain or is misspelt – an official source would never use an ordinary Gmail account, and double-check that it’s not from something like “Microsuft” instead of Microsoft.
- Whilst you’re looking at the email address, does it match the sender’s name or the company they’re purporting to be from? If not, you’ve probably caught a phish.
- The final red flag would be threatening language – aka “Do this or else”. No reputable company would speak to their customers like this – if your back’s up, it’s probably for good reason.
If you’re still not sure, it’s best to verify independently of the original source – so if you’ve got an email, give the person or company a phone call to see if they did send the message. Use the number from their official website, rather than any included in the message.
Never respond or react to the phish – just ignore it and delete it.
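
The sender checks from the list above (a public email domain, a misspelt domain such as “Microsuft”, and a display name that doesn’t match the address) can also be run automatically by a mail filter. The Python below is an added example, not part of the original article; the brand list, public-domain list, similarity threshold and sample headers are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed lists for this example; maintain your own in practice.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
KNOWN_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com"}
LOOKALIKE_THRESHOLD = 0.8  # assumed similarity cut-off (0.0 to 1.0)


def sender_red_flags(from_header):
    """Return the red flags raised by the value of a From: header."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    labels = domain.split(".")
    # Simplification: treat the second-to-last label as the organisation name.
    org_label = labels[-2] if len(labels) >= 2 else domain
    flags = []

    # Red flag: an "official" sender using a public mailbox provider.
    if domain in PUBLIC_MAIL_DOMAINS:
        flags.append("public-mail-domain")

    for brand, real_domain in KNOWN_BRANDS.items():
        on_brand = domain == real_domain or domain.endswith("." + real_domain)
        # Red flag: domain is nearly, but not exactly, a known brand.
        similarity = SequenceMatcher(None, org_label, brand).ratio()
        if org_label != brand and similarity >= LOOKALIKE_THRESHOLD:
            flags.append(f"lookalike-domain:{brand}")
        # Red flag: display name claims a brand the address does not belong to.
        if brand in display_name.lower() and not on_brand:
            flags.append(f"name-domain-mismatch:{brand}")
    return flags


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    '"Microsoft Support" <security@microsuft.com>',
    '"PayPal Billing" <paypal.billing@gmail.com>',
    '"Microsoft account team" <no-reply@mail.microsoft.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", sender_red_flags(header) or "no flags")
```

A clean result only means these three checks passed; the other red flags in the list still need a human read of the message.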