How to Know if an Email is a Phishing Scam or Not

November 20th, 2018

Phishing scams are a major threat to all email users, especially businesses. The scary part is that they are becoming increasingly sophisticated. Phishing emails popped up sometime in the early 90s. However, back then, they weren’t too hard to detect. For instance, typos were commonplace in old-school phishing mail, which was a dead giveaway.

Of course, this was long ago, when email was still in its infancy. Times have changed, and today’s cybercriminal has changed with the times. Their tactics have evolved, and phishing emails are far more convincing than they used to be. They are well-written and personalized. Hackers and cybercriminals already have a rough idea of who you are, which means today’s phishing emails are targeted.

Today’s phishing emails also look authentic; they replicate the design and aesthetics of legitimate emails. In fact, at first glance, you wouldn’t know the difference between an actual email from your bank and a fraudulent version. This makes fighting phishing scams a significant challenge.

On the rise

According to data from the RSA, phishing attacks are only growing, despite an increase in user awareness. One primary reason for this growth is the simplicity of executing such scams. Malware developers now offer automated toolkits that scammers can use to create and host phishing pages with the utmost ease.

It is estimated that each phishing attack manages to extract an average of $4500 in stolen funds.

So, the big question is – how does one protect their email, especially when phishing scams are evolving? Well, here is what the experts have to say.

Never trust just a name

A common tactic scammers use is spoofing the display name in an email. According to a study done by ReturnPath, around 50% of 760,000 email threats targeting some of the world’s biggest businesses used this tactic.

This is how it works. Let’s say a scammer spoofs a brand name such as “Nike.” The sender shows the display name “Nike” next to a real mailbox at some domain that Nike does not own. Even so, DMARC and other email authentication and anti-fraud tools will not block the mail, because the message genuinely was sent from that unrelated domain. There is no authentication for the “comment” that goes along with the email address (in this example, that is the word “Nike”).

Anyway, the actual problem begins when the user receives the mail. You see, most inboxes are designed to show only the display name (Nike, in this case), which creates an illusion of legitimacy.

So, what’s the solution to phishing scams?

Make sure you always check the actual address and research it on Google to determine its legitimacy. Also, you can configure your email viewers to show you the full email address of message senders. LuxSci supports this as a preference in its WebMail interface. By seeing the full email address, you can be more skeptical when that address looks “phishy.”

Never click a link

If you see links in an email, do not click them without running an investigation first. Start your investigation by hovering over the link to see if it directs to the correct domain. If it doesn’t, you can be sure you’re being scammed.

Of course, you might wonder how one differentiates between a legitimate and fraudulent domain. If it’s a business that you patronize, you’re probably already aware of the legitimate domain name. However, if it isn’t a vendor, brand, or name that you recognize, there is no need to bother with that mail anyway. Just put it in the trash.

You don’t have to respond to random marketing campaigns. The same applies to downloading attachments. If it’s from a business or person you don’t know, don’t download it. If it is, investigate first. As a best practice, don’t open or click on anything that you are not expecting without asking or investigating.
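The “hover over the link” test above compares the domain a link displays with the domain it actually points to. The following is an added example, not code from the article or from LuxSci: it extracts every anchor from an HTML message body, simulates what hovering would reveal, and reports links whose visible text names one domain while the `href` goes to another, links that leave the claimed sender’s domain, and links that use a non-web scheme. The HTML body and the sender domain are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body of a message, written for this example only.
SAMPLE_HTML = """
<p>Your account has been locked. Restore access at
<a href="http://acme-bank.example.login-verify.example/reset">https://www.acme-bank.example/reset</a>
within 24 hours.</p>
<p>Questions? Visit our <a href="https://www.acme-bank.example/help">help center</a>.</p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>
"""

# Domain the message claims to come from (constructed placeholder).
CLAIMED_SENDER_DOMAIN = "acme-bank.example"

# Matches a domain name (optionally preceded by http:// or https://) in link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href.strip()))
            self._href = None


def same_org(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(text, href, sender_domain):
    """Return a reason string if the link is suspicious, or None if it looks fine."""
    parsed = urlparse(href)
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        return f"non-web scheme {scheme!r}"
    target_host = (parsed.hostname or "").lower()
    if not target_host:
        return "no host in href"
    # If the visible text shows a domain, the link must really go there; a
    # host that merely *starts* with the shown domain does not count.
    m = DOMAIN_IN_TEXT.search(text)
    if m:
        shown_host = m.group(1).lower()
        if not (same_org(target_host, shown_host) or same_org(shown_host, target_host)):
            return f"text shows {shown_host} but link goes to {target_host}"
    # Otherwise the link should at least stay within the claimed sender's domain.
    if not same_org(target_host, sender_domain):
        return f"link leaves {sender_domain} for {target_host}"
    return None


def find_suspicious_links(html_body, sender_domain):
    """Return [(text, href, reason)] for every link a reader should not click."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        reason = check_link(text, href, sender_domain)
        if reason:
            findings.append((text, href, reason))
    return findings


if __name__ == "__main__":
    for text, href, reason in find_suspicious_links(SAMPLE_HTML, CLAIMED_SENDER_DOMAIN):
        print(f"{reason}\n  text: {text!r}\n  href: {href}")
```

The first sample link is the classic case the article warns about: the hostname begins with the bank’s name but actually belongs to `login-verify.example`, which `same_org` catches because it compares domain suffixes rather than prefixes.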

Nothing is immediate when it’s via email

Email isn’t the first choice when it comes to urgent communication. If you find a mail that asks you to act immediately, you can often ignore it. Phishing scams often involve emails that induce panic and stir up your need to respond right away. The response here often involves giving away sensitive information. It’s a form of social engineering.

Legitimate mailers will not usually do this (unless you have ignored previous less time-sensitive warnings). If you are still concerned, install anti-malware solutions that send out in-app or in-program notifications. These programs will also monitor your email, web browser, or messaging apps for threats.

In other words, those panic-inducing emails can often go straight to the trash. Contact the sender if you are uncertain if the urgent warning is real. However, don’t use the information provided in the email if you can help it. Call a phone number that you have or can look up on the web. If you are skeptical, do not trust the questionable email’s phone numbers and email addresses.

Be skeptical

Identifying phishing scams isn’t always easy because they evolve rapidly and can be very targeted. So, it’s best to be generally skeptical. When it comes to information security, a healthy dose of skepticism is necessary.

If you aren’t 100% sure about the mail you’re receiving, it is best to put it in the trash or reach out directly to the sender via another communication channel to check. It is always better to err on the side of safety and security.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization? Interested in more information about “smart hosting” your email from Microsoft to LuxSci for HIPAA compliance? Contact Us