10 ways to spot a phishing email and avoid scams online

Email is one of the most common targets for hackers, malware, phishing and other attacks. Possibly the biggest security flaw is you, the user, so learn how to improve your email security and safety.

Your email account is most likely under attack from bad actors on the internet right now. They want to fool you with scams, infect your computer with malware or adware, or even encrypt your disk and hold you to ransom. They want to steal your login details for online accounts, services and stores, and they want to empty your bank account. Beware of bad emails and don’t get caught by phishing and scams with these tips and techniques.

Here’s what you need to know to avoid the worst on the internet.

1 Delete emails not addressed to you

Why would you receive an email that is not addressed to you? Spot phishing scams and malware emails that begin with ‘Dear customer’, ‘Dear you@somewhere.com’, ‘Dear client’ and similar general greetings that could apply to anyone.

Not using your name is one of the easiest ways to recognise fake emails and it is a dead giveaway. Delete these emails.

If Apple, Amazon, PayPal, your bank and other places email you, they always include your name, so when an email does not use your name, it makes it very suspicious. There is a very small chance it could be legitimate, but it almost certainly isn’t.

2 Beware of emails stressing urgent action

Screenshot: phishing email with the obviously fake parts highlighted. Caption: Fake emails have obvious errors and problems.

Phishing emails and those spreading malware often tell you to click a link or button and sign in as soon as possible. Urgency is a common theme. Often a time limit is mentioned in the message and if you do not do what it asks immediately or in the next day or two, there will be dire consequences.

A typical phishing email will say that your account, wherever it is, will be suspended, locked, blocked or something like that.

Malware delivered by email may ask you to open an attached file. Spam asks you to click a link and sign in to your account somewhere. Don’t!

Be very suspicious of any email that asks you to take action immediately. It can be difficult because some legitimate emails do ask you to click something to perform an action, like checking your account, which can be confusing, but even then you should avoid clicking if at all possible.

Always type the URL of a website, like your bank’s, into the browser’s address box yourself, making sure you do not make any typing slips, and log in there. If there are problems with your account, you will be notified once you are logged in.

3 Badly written text signals warnings

That phishing email in the screenshot above is a typical example and it contains numerous errors that a company the size and reputation of Apple would not allow. ‘Informations’ in the title should be ‘Information’, ‘your Apple ID temporarily disabled..’ is missing a verb (is, has been or will be), ‘this account is belongs to you…’ should not have ‘is’, and ‘Once you have update it…’ should say ‘updated’.

This email would never get past Apple’s quality control and so would never have been sent out, so even without the other highlighted items, the mistakes in the English, whether British or American, are sufficient for you to recognise this as a phishing email.

4 Beware of email attachments

Screenshot: an email attachment that may be malware. Caption: Invoices and receipts for things you did not buy are fake.

Phishing emails and scams, such as those spreading malware or attempting to steal information like login details for online accounts, often have attachments: a file attached to the message. If you do not know the sender of the message, or if you are not expecting an attachment, be very suspicious of it.

Quite often the message tells you to view the attachment, open it, click it and so on. It often stresses some urgency to make you do it straight away. Sometimes there is no message body in the email and there is just an attachment, usually with a filename that makes it sound like something you should open.

A receipt for a purchase is a common trick, even though you have made no purchase. It makes you curious to know what it could be, and makes you want to open it. Don’t!

If you are sure an attachment is safe and it is from someone you know, like a friend, family member or co-worker, do not open it directly; save it to disk instead. This is so that the antivirus software on the computer can check it. Right-click the saved file in the Downloads folder and scan it with your security software.

Think very carefully before opening an email attachment. Sometimes other things tip you off that this is probably a phishing email, scam or malware.

5 Beware of clicking links in emails

Screenshot: a fake Netflix email phishing for your login details. Caption: Don’t click links or buttons in emails, they may be fake.

Phishing emails and other bad messages carrying malware often contain links to fake websites with fake login pages, so that the username and password you type into the fake site can be stolen. Links in emails can also take you to websites hosting malware or start a download containing malware.

If at all possible, do not click links in emails.

For example, if an email seems like it is from a company you know and you have an account with them like PayPal, Amazon, Netflix, Apple or elsewhere, you can open a new browser window or tab, type the URL of the site and log in. There is no need to click the link in an email. Once logged in, you can check for notifications or messages.

6 ‘Too good to be true’ scams

Screenshot: email offers that sound too good to be true may be fake or phishing. Caption: Beware of offers that seem too good to be true.

Emails not addressed to you and emails that require you to perform an action are just two ways to spot bad emails. Also use your common sense. If you get an email saying you have won the lottery, the odds of it being real are anything up to 100 million to one against, and even higher if you can’t remember buying a lottery ticket in the first place.

Requests to help move money out of Nigeria on behalf of a prince who has died are still going around. The sender says they need your help moving the money out of the country and promises a huge payment for this. Don’t let greed get the better of you.

Emails telling you to buy company shares because they will skyrocket in the next few days are also still used. In this pump-and-dump strategy the emails push up the share price, the perpetrators sell at the high price, and the price then drops, leaving you with worthless shares and no money.

Use your common sense. You know the old saying, if it sounds too good to be true…

7 Get a second email account

Having a second email account is a great way to detect phishing emails because often the fake will arrive at the wrong address. For example, if you use bobsmith@… to log into your PayPal account and you get an email warning of a PayPal problem on your second account, bobbysmith92@… then you instantly know it is a fake. That’s not the address you use.

Email services often let you create an email alias and this is an extra email address that you can use instead of your real one. Use it for signing up to email newsletters and other unimportant things. Use your real email address with things that matter, like online stores, banks, and so on.

Here is a guide I wrote showing how to add an email alias on an iPhone. Using an Android phone or a computer isn’t much different.

8 Scan emails with antivirus

Bad emails can contain malicious attachments like viruses, Trojans and other types of malware. It is therefore best to use an email service that automatically scans incoming emails for malware.

For example, Gmail and Outlook will not let you download emails containing malware or save malicious attachments. Does your email service check emails for malware? If not, get a second email account somewhere that does.

9 Beware of unsubscribe links

This is a very tricky one because all marketing emails must contain an unsubscribe link, so one is expected at the bottom of an email. Clicking it unsubscribes you from the mailing list.

However, phishing emails and fake messages can contain fake unsubscribe links. Clicking them may take you to a website that hosts malware, or to a fake login page that asks you to sign in to ‘confirm’ your unsubscribe request.

Is the unsubscribe link real or fake? If the email has other signs of being fake or wrong in some way, do not click the unsubscribe link. An email addressed ‘Dear customer’ is fake, and this means the unsubscribe link is probably fake too.

Only unsubscribe if you are sure you signed up to the email newsletter or update, and the message contains information that leads you to believe it is real, such as your name. It is better to log into the service sending the emails, like Netflix, Facebook, Quora, and so on, and unsubscribe from there.

10 Too many email recipients

Screenshot: an email with too many recipients, a sign of a fake email.

Fake messages, phishing emails and malware are sent to many email addresses at once; they are not targeting you specifically. You are just part of a bulk mailshot.

A large number of recipients in an email is a strong indication that the message is fake or that there is something wrong with it. Often the number of people the email has been sent to is hidden, but occasionally it can be seen in the message, as in the screenshot above.

If the email has been sent to hundreds of other people, it is probably a bad one and should be avoided. For privacy and security reasons, bulk emails should use Bcc rather than putting all the email addresses in the To box.
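As an added example (not code from the original article), the Python script below turns several of the tips above into checks that run over a raw email message: a generic greeting instead of your name (tip 1), urgency wording and threats of suspension (tip 2), an attachment with a file extension that should be saved and scanned rather than opened (tip 4), a link whose visible text names a different domain from the one it actually points to (tip 5), a message that was not sent to the address you use with that service (tip 7), and a large number of visible recipients (tip 10). The keyword lists, the extension list and the recipient threshold are assumptions chosen for illustration, and both sample messages are constructed (using reserved .example and .invalid domains), not real mail.

```python
"""Heuristic phishing indicators based on the ten tips above.

Added example, not code from the original article. The keyword lists,
thresholds and sample messages are all constructed for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Tip 1: generic greetings a real sender would not use instead of your name.
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(customer|client|user|member|account\s+holder|[\w.+-]+@[\w.-]+)\b",
    re.IGNORECASE | re.MULTILINE,
)
# Tip 2: urgency wording and threats of suspension (assumed sample list).
URGENCY = re.compile(
    r"\b(immediately|urgent|within\s+\d+\s+(?:hours?|days?)|suspended|locked|blocked)\b",
    re.IGNORECASE,
)
# Tip 4: attachment extensions worth scanning before opening (assumed list).
RISKY_EXT = (".exe", ".js", ".scr", ".vbs", ".zip", ".docm", ".xlsm", ".html")
# Tip 5: HTML anchors, and a test for link text that is itself a URL or host.
ANCHOR = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE)
TAG = re.compile(r"<[^>]+>")
# Tip 10: this many visible recipients or more looks like a bulk mailshot (assumed).
MANY_RECIPIENTS = 20


def _domain(text: str) -> str:
    """Last two labels of the host in a URL or bare host name, '' if none."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def phishing_indicators(raw: str, my_address: str = "") -> list[str]:
    """Return one reason string per tip that fires for an RFC 822 message.

    my_address (optional) is the address you actually use with the sender's
    service; tip 7 fires when the visible recipients do not include it.
    """
    msg: EmailMessage = email.message_from_string(raw, policy=policy.default)
    flags: list[str] = []

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = TAG.sub("", html)  # visible text without markup

    if GENERIC_GREETING.search(text):
        flags.append("tip1: generic greeting instead of your name")
    if URGENCY.search(text):
        flags.append("tip2: urgency or threat of account suspension")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"tip4: attachment '{name}' should be saved and scanned, not opened")
    for href, label in ANCHOR.findall(html):
        label = TAG.sub("", label).strip()
        if LOOKS_LIKE_URL.match(label) and _domain(label) != _domain(href):
            flags.append(f"tip5: link shows {_domain(label)} but goes to {_domain(href)}")

    recipients = [a.addr_spec.lower() for field in ("To", "Cc")
                  for hdr in msg.get_all(field, []) for a in hdr.addresses]
    if my_address and recipients and my_address.lower() not in recipients:
        flags.append(f"tip7: not sent to the address you use ({my_address})")
    if len(recipients) >= MANY_RECIPIENTS:
        flags.append(f"tip10: {len(recipients)} visible recipients, looks like a bulk mailshot")
    return flags


# Constructed sample messages (not real mail); the attachment is an empty zip.
_BULK_TO = ",\n ".join(["you@somewhere.example"] + [f"user{i}@example.net" for i in range(24)])
SAMPLE_PHISH = (
    'From: "Account Team" <noreply@account-team.invalid>\n'
    f"To: {_BULK_TO}\n"
    "Subject: Informations about your account\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="sep"\n'
    "\n--sep\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n<p>Dear customer,</p>\n"
    "<p>Your account has been temporarily disabled. Sign in within 24 hours\n"
    "or it will be locked.</p>\n"
    '<p><a href="http://account-team.invalid/verify">https://www.shop.example</a></p>\n'
    "--sep\n"
    'Content-Type: application/zip; name="invoice.zip"\n'
    'Content-Disposition: attachment; filename="invoice.zip"\n'
    "Content-Transfer-Encoding: base64\n"
    "\nUEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==\n"
    "--sep--\n"
)
SAMPLE_BENIGN = (
    "From: Bob Jones <bob@example.org>\n"
    "To: Alice Smith <alice@example.org>\n"
    "Subject: Lunch on Friday\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\nHi Alice,\n\nAre you free for lunch on Friday? Let me know.\n\nBob\n"
)

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

The checks are deliberately simple pattern matches, so treat the output as a triage aid rather than a verdict: a message that triggers nothing has not been proven safe, and a mail provider's own malware scanning (tip 8) still applies. Tip 7 can only fire when the recipients are visible, which is why the script requires a non-empty To or Cc list before comparing against `my_address`.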