Think you can spot a scam? Phishing messages are getting sneakier every day.
During phishing, attackers send scam emails containing links to malicious websites. The websites may contain malware (e.g., ransomware) to sabotage systems and organisations. Alternatively, they might aim to trick users into revealing sensitive information (e.g., credit card numbers). Scammers often impersonate brands and entities you already trust, such as Amazon, Netflix, or banks. Such attacks can result in huge financial losses and identity theft.
Before you click on any link, check out these 10 red flags that could save you from becoming a victim.
Key Takeaways
- Common types of phishing messages include email phishing, smishing (SMS), social media phishing, and vishing (voice calls).
- Some red flags can signal a phishing scam. These include generic greetings, requests for sensitive information, overly generous, tempting offers, suspicious unsubscribe links, etc.
- Impersonation of well-reputed brands is another key element of phishing scams and a useful red flag.
- Some real-world examples of phishing scams include fake DocuSign requests, Amazon order confirmation scams, and IRS tax refund fraud.
- Advanced threat protection tools, email authentication, and MFA can help businesses stay protected.
Common Types of Phishing Messages
There are various types of phishing messages, some more common than others.
Email Phishing
This is the most pervasive type of phishing. In email phishing, cybercriminals send emails from seemingly legitimate entities, like online services, banks, well-reputed brands, etc. These emails might contain fake invoices and password reset requests, often accompanied by a sense of urgency. They prompt the victim to click a malicious link or download an attachment that can, in turn, lead to devastating consequences.
Smishing (SMS)
The name suggests the meaning: a mix of “SMS” and “phishing.” During such attacks, the threat actors send deceptive text messages that manipulate the recipient into taking a self-damaging action. This might include inputting sensitive details, clicking harmful links, or installing malicious software. An example might be a “Your package is delayed—click here!” SMS, where the recipient is prompted to click a potentially malicious link.
Social Phishing
Social media phishing is an attack conducted through social media platforms like Facebook, Instagram, LinkedIn, X, or others. The message might come across very friendly, taking the form of free giveaways. Alternatively, it might ignite fear, such as “Your account has been locked.” In all cases, it’s often hard to distinguish between such fake messages and real ones.
Vishing (Voice Calls)
Vishing (i.e., voice phishing) is a phishing attack in which cybercriminals use phone calls to manipulate the victim into handing over personal or business information. A common vishing pretext is the “Your SSN has been suspended” call, which provokes fear and pushes the victim to act immediately. Caller ID can be spoofed, so the number shown on your phone proves nothing; hang up and call the organisation back on a number you already know.
10 Red Flags: What Might Be a Phishing Message?
There are red flags that you should always pay attention to if you want to protect yourself from phishing attacks.
1. Urgent threats
Examples of urgent threats include: “Your account will be closed in 24 hours!” “Your account has been breached.” “Pay now to keep your Business account.” A sense of urgency is one of the most common elements of phishing attempts, because it is designed to stop you from thinking. No matter how urgent the situation seems, take a step back and verify the claim through a channel you already trust, such as the phone number on the back of your card or the website address you normally use, never the contact details or links in the message itself.
2. Generic greetings (“Dear Customer” instead of your name)
Attackers often target many recipients at once, so the message is frequently generic and lacks any personalised detail. Instead of your name, you might see “Dear Customer” or a bare “Mr.” with no name after it. A company you actually have an account with usually knows your name, so approach generic greetings with caution.
3. Mismatched sender addresses
Pay attention to the sender’s actual address, not just the display name, and check that it matches the legitimate one. A common trick is a lookalike domain in which a letter is swapped for a similar-looking character, for example the letter “o” replaced by the digit “0”, which is easy to miss if you are not attentive. Attackers also rely on mail clients that show only the display name (“Amazon Customer Service”) while the underlying address belongs to an unrelated domain. Such tricks are common, so double-check the full address before taking action. Note that when the impersonated brand’s domain has no enforcing DMARC policy, the visible From address can be forged outright, and only the message headers and authentication results reveal the real origin.
4. Suspicious links (Hover to check URLs)
Hover over a link (on a phone, long-press it) to see where it actually points before you click. Read the destination from the right: the registered domain is the last two labels before the first slash, so “paypal.com.login-check.example” belongs to “login-check.example”, not to PayPal, no matter how prominently the brand name appears earlier in the address. Hovering gives only a partial picture, since shortened links and redirects hide the final destination, so you can also paste the URL into an online URL checker for a second opinion.
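As an added example (not code from the original page or from PowerDMARC), the following Python script automates the two checks above: it parses a From header and a link and flags lookalike domains, brand names buried in a subdomain, and “@” or raw-IP tricks in URLs. The trusted-brand list, the digit-for-letter table and the sample addresses and URLs are constructed assumptions; the “.example” domains are reserved names, not real sites. The registrable-domain logic takes the last two labels of the host, a deliberate simplification that ignores public suffixes such as “co.uk”.

```python
"""Heuristic sender and link checks (added example; brand lists and samples are
constructed assumptions, not data from the page)."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed assumption: brands this checker knows and their official domains.
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "microsoft.com"}
BRAND_NAMES = {d.split(".")[0] for d in TRUSTED_DOMAINS}

# Digits that attackers substitute for similar-looking letters (0->o, 1->l, 3->e, 5->s).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'evil.example'.
    Simplification: no public suffix list, so 'shop.example.co.uk' -> 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_host(host: str) -> list[str]:
    """Flag lookalike and brand-in-subdomain tricks in a hostname."""
    findings = []
    host = host.lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return ["raw IP address instead of a domain name"]
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings  # the brand's real domain: nothing to flag here
    # Brand name somewhere in the host, but the registered domain is someone else's:
    # paypal.com.evil.example really belongs to evil.example.
    for brand in BRAND_NAMES:
        if brand in host:
            findings.append(f"'{brand}' appears in host but the domain is really '{reg}'")
    # Digit-for-letter lookalike: amaz0n.example normalises to amazon.
    label = reg.split(".")[0]
    normalised = label.translate(HOMOGLYPHS)
    if normalised != label and normalised in BRAND_NAMES:
        findings.append(f"'{label}' is a digit-for-letter lookalike of '{normalised}'")
    return findings


def analyze_url(url: str) -> list[str]:
    """Flag suspicious URL structure plus anything analyze_host finds."""
    parsed = urlparse(url)
    findings = []
    if parsed.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme '{parsed.scheme}'")
    if "@" in parsed.netloc:
        # http://paypal.com@198.51.100.7/ : text before '@' is userinfo, not the host.
        findings.append("'@' in authority: the text before it is not the destination host")
    findings.extend(analyze_host(parsed.hostname or ""))
    return findings


def analyze_sender(from_header: str) -> list[str]:
    """Compare the display name with the real address domain of a From header."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable address"]
    domain = addr.rsplit("@", 1)[1]
    findings = analyze_host(domain)
    reg = registrable_domain(domain)
    for brand in BRAND_NAMES:
        if brand in display.lower() and reg not in TRUSTED_DOMAINS:
            findings.append(f"display name claims '{brand}' but the address domain is '{reg}'")
    return findings


if __name__ == "__main__":
    # Constructed samples: one genuine-looking item and several phishing patterns.
    for sender in ("PayPal <service@paypal.com>", "Amazon Support <noreply@amaz0n.example>"):
        print(sender, "->", analyze_sender(sender) or "no findings")
    for url in ("https://www.amazon.com/orders",
                "http://paypal.com.evil.example/login",
                "http://paypal.com@198.51.100.7/login"):
        print(url, "->", analyze_url(url) or "no findings")
```

The checks are deliberately simple string heuristics; a production filter would add a public suffix list, Unicode confusables (for example Cyrillic “а” for Latin “a”) and a reputation lookup, but even this much catches the two tricks the text describes.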
5. Requests for sensitive data (passwords, SSN, credit cards)
Would you hand your child to a stranger just because they asked? Most likely not. Yet people hand over passwords, SSNs, card numbers, and other sensitive information to strangers with barely a thought. Legitimate organisations do not ask for your password or full card details by email or text message. Whenever a message asks for sensitive information, practice extra caution; the consequences can be damaging to you and to your business.
6. Poor grammar/spelling
Spotted several stylistic, grammatical, or spelling errors in a single paragraph? Or does the message just not sound right in your native language? That is a good reason to double-check the source before clicking any links. The reverse does not hold, though: flawless text is no proof of legitimacy, since attackers can copy a real brand template or generate polished wording, so treat this flag as one signal among the others.
7. Unusual attachments
Treat unexpected attachments with suspicion, especially executables (.exe, .scr, .bat), archives (.zip, .rar, .iso, .img) that can hide an executable from mail filters, and Office documents that ask you to “enable content” (macros). A double extension such as “invoice.pdf.exe” is a classic sign, because Windows hides known file extensions by default and shows only “invoice.pdf”. If you spot these, the message may well be a phishing scam.
8. Too-good-to-be-true offers
Many of us have seen the message “You won a free iPhone!”. Such a message is quite tempting to click on. It was the case for my younger sister, who was so convinced that she had won an iPhone that it took my mom and me several hours to convince her otherwise. But really, why would someone give you an expensive gift, like an iPhone, for no reason? Unless you believe in the “Santa will reward you if you behave well throughout the year” story, you should understand that “too-good-to-be-true” offers are often not true.
9. Impersonation of trusted brands
Did you get a message from Microsoft, PayPal, Amazon, or your trusted bank? Does it prompt you to input sensitive information or click a link? Check twice, starting with the sender’s real address and the link destination, to see whether it is actually that entity or just an impersonator.
10. Unsubscribe threats
Unsubscribe links are easy ground for attackers: people trust them, and threat actors know it. A phishing message may place a malicious link or file behind the “unsubscribe” button. A variation is the “Click here or be charged $50/month” message, which pressures you to act to avoid a payment; in reality, the link leads to the attacker’s page, and following it is what costs you. If you never subscribed to something, do not unsubscribe from it; delete or report the message instead.
Real Phishing Message Examples
Here are some real-life examples of actual phishing emails.
Fake DocuSign request
DocuSign, aware of how often its brand is impersonated, has published guidance on spotting fake requests sent in its name. The key check is the unique security code at the bottom of every genuine DocuSign envelope notification email: rather than clicking the link in the message, you can go to docusign.com yourself and enter that code to open the document.
Fake DocuSign request example
Amazon “order confirmation” scam
In the email example below, there are many errors you can spot if you read carefully. The “Call our Toll-Free” line cuts off abruptly, both logically and in its punctuation, and the next line prompts you to call a number, which a real order confirmation never does. The delivery address is missing the street name and is oddly formatted. The email also contains typos that Amazon itself would not let through. In short, there are too many red flags in this single email.
Amazon order confirmation scam example
IRS tax refund fraud
The email below tries to get you to click the “Check Your Refund” link to view a tax refund e-statement. It may look plausible at first glance, but the IRS does not initiate contact by email, text message, or social media to request personal or financial details. A message like this can only be coming from someone impersonating the IRS.
IRS tax refund fraud example
How to Protect Yourself
There are many steps you can take to protect yourself from phishing attacks.
General Tips
Here are some general tips that everyone can follow:
Don’t click on unknown links
Instead of clicking the link, go to the website directly by typing the address or using a bookmark you saved earlier, and log in there to check whether the claimed problem, order, or refund actually exists. This ensures you reach the legitimate site rather than a fake one.
Use multi-factor authentication
Multi-factor authentication (MFA; 2FA is the two-step case) adds a step to the login: besides the password, you must present a second factor such as a one-time code from an app or a hardware security key. This makes a stolen password alone insufficient to access your account. Be aware that codes you type into a website can be phished too, because a fake login page can relay them to the real site in real time; phishing-resistant factors such as FIDO2 security keys or passkeys are bound to the legitimate site’s origin and simply will not work on a lookalike domain.
Keep software and browsers updated.
Outdated software and browsers leave known, already-patched vulnerabilities exposed for attackers to exploit, often through nothing more than a visit to a malicious page or the opening of an attachment. Keeping your systems up to date closes those holes and removes the easiest routes in.
Tips for Businesses
Here are useful tips specifically for businesses:
Regular phishing simulations and awareness training
Prevention is better than a cure, and preparation is a form of prevention. Prepare yourself and your staff for these situations: regular awareness training and phishing simulations teach people what a real attempt looks like and, just as importantly, how to report one quickly so the security team can act before others click.
Advanced threat protection tools
Online platforms like PowerDMARC offer a range of advanced threat protection tools to help you stay protected online. Given PowerDMARC’s integration with SecLytics, you can benefit from:
- Comprehensive predictive threat intelligence
- Risk security scores for your IP addresses
- Insights into your current as well as potential cyber threats
- Tracking of attack patterns
Email authentication (SPF, DKIM, DMARC)
SPF, DKIM, and DMARC are DNS-published email authentication protocols that give receiving mail servers verifiable information about a message’s origin. SPF lists the hosts allowed to send mail for your domain, DKIM lets your mail server sign outgoing messages so tampering and forgery are detectable, and DMARC ties both to the visible From domain and tells receivers what to do with mail that fails (monitor, quarantine, or reject) while sending you reports on who is sending as your domain. Together they are a core, indispensable component of email security and the main technical defence against direct domain spoofing, so they should be deployed to the maximum, ideally ending at a DMARC policy of p=reject. If you haven’t yet set up email authentication, you can use the tools below:
If you already have these in place, but would like to check if they are set up correctly, PowerDMARC also has corresponding checkers for each. You can find this in our Tools section.
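As an added example, not code from the page or from PowerDMARC, here is a small Python linter for SPF and DMARC records that shows the weak settings beside the corrected ones: p=none, a reduced pct, or a missing rua address in DMARC, and +all, ~all, or too many DNS-lookup terms in SPF. The record strings are constructed samples; the lookup count is a simplified version of the RFC 7208 rule (it counts lookup-causing terms but does not follow includes).

```python
"""SPF and DMARC record linter (added example; record strings are constructed samples)."""
import re

# SPF terms that cost a DNS lookup; RFC 7208 limits them to 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list[str]:
    """Return a list of weaknesses in a DMARC record (empty list = enforcing and reporting)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; the record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam; move to p=reject once reports are clean")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is sending as your domain")
    return findings


def lint_spf(record: str) -> list[str]:
    """Return a list of weaknesses in an SPF record (empty list = strict and within limits)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is '+'
        body = term.lstrip("+-~?")
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted hosts get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host on the internet send as this domain")
    elif all_qualifier == "~":
        findings.append("'~all' softfail: tighten to '-all' once DMARC reports show only legitimate sources")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10; SPF will permerror")
    return findings


if __name__ == "__main__":
    # Constructed samples: a weak record beside its corrected form.
    samples = [
        ("weak DMARC", lint_dmarc, "v=DMARC1; p=none"),
        ("good DMARC", lint_dmarc, "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"),
        ("weak SPF", lint_spf, "v=spf1 include:_spf.example.net +all"),
        ("good SPF", lint_spf, "v=spf1 mx include:_spf.example.net -all"),
    ]
    for label, lint, record in samples:
        print(f"{label}: {record}\n  -> {lint(record) or 'no findings'}")
```

Run it against the records you publish (for example the output of `dig TXT _dmarc.yourdomain.com`) to see which of these weaknesses still apply before switching the policy to p=reject.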
What to Do If You Clicked a Phishing Message
Here are some steps you can take if you have already clicked a phishing message:
- Disconnect the device from the internet to stop any malware that was dropped from communicating further.
- Change your passwords immediately, from a different, clean device, starting with the account that was targeted and any other account that shares the same password.
- Scan the device for malware and, if the scan finds anything, involve your IT or security team before using the machine again.
- Report the message to your organisation’s security team and to the Anti-Phishing Working Group (reportphishing@apwg.org) so others can be warned.
Conclusion
Phishing messages rely on trust and urgency. Many red flags can help you understand if an email is legitimate or just a phishing scam. These may include urgent threats, mismatched sender addresses, suspicious links, unusual attachments, etc. Whenever you’re in doubt, don’t click.
Protect your domain from phishing today with PowerDMARC. Get started with a free DMARC analysis and see how easy it is to secure your email—no technical skills required!
- What Might Be a Phishing Message? 10 Red Flags You Shouldn’t Ignore - May 1, 2025