How to Know if an Email is a Phishing Scam or Not

November 20th, 2018

Phishing scams are a major threat to all email users, especially businesses. The scary part is that they’re becoming increasingly sophisticated. Phishing emails popped up sometime in the early 90s. However, back then, they weren’t too hard to detect. For instance, typos were commonplace in an old-school phishing email, and that was a dead giveaway.

Of course, this was a long time ago, when email was still in its infancy. Times have changed and today’s cybercriminal has changed with the times. Their tactics have evolved and phishing emails are far more convincing than they used to be. They are well written and personalized. Hackers and cybercriminals already have a rough idea of who you are, and that means today’s phishing emails are targeted.

Today’s phishing emails also look authentic; they replicate legitimate emails in terms of design and aesthetic. In fact, at first glance, you wouldn’t know the difference between a real email from your bank and a fraudulent version. Needless to say, this makes fighting phishing scams a major challenge.

On the rise

According to data from RSA, phishing attacks are only growing, despite an increase in user awareness. One major reason for this growth is the simplicity of executing such scams. Malware developers now offer automated toolkits that scammers can use to create and host phishing pages with the utmost ease.

It is estimated that each phishing attack manages to extract an average of $4500 in stolen funds.

So, the big question is – how does one protect their email, especially at a time when phishing scams are evolving? Well, here is what the experts have to say.

Never trust just a name

A common tactic used by scammers is spoofing the display name in an email. According to a study done by Return Path, around 50% of 760,000 email threats targeting some of the world’s biggest businesses had made use of this tactic.

This is how it works – let’s say a scammer spoofs a brand name such as “Nike.” The email address of the sender may look something like “Nike” But, even if Nike doesn’t actually own the domain “,” DMARC and other email authenticity and anti-fraud tools will not block the mail. This is because the email is legitimately from, even though this domain has nothing to do with Nike. There is no authentication for the “comment” that goes along with the email address (in this example, that is the word “Nike”).

Anyway, the actual problem begins when the user receives the mail. You see, most inboxes are designed to show only the display name (Nike, in this case), which creates an illusion of legitimacy.

So, what’s the solution?

Make sure you always check the actual address and research it on Google to determine its legitimacy. Also, you can configure your email viewer to show you the full email address of message senders. LuxSci supports this as a preference in its WebMail interface. By seeing the full email address, you can be more skeptical when that address looks “phishy”.
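The check described above can be automated on the receiving side. The following is an added example (not LuxSci’s code or any product’s feature): it uses Python’s standard-library `email.utils.parseaddr` to separate the unauthenticated display name (the “comment”) from the address that DMARC actually covers, and flags the message when the display name mentions a brand whose known sending domain does not match the sender’s domain. The `KNOWN_BRAND_DOMAINS` table and all sample headers are constructed assumptions for illustration.

```python
"""Flag display-name spoofing in an email From header.

Added example, not part of the original article. Only the address after
'@' is protected by SPF/DKIM/DMARC; the display name is free text, so a
defender compares the two.
"""
from email.utils import parseaddr

# Constructed allow-list (assumption): brands you deal with and the domains
# they legitimately send from. Extend with your own vendors.
KNOWN_BRAND_DOMAINS = {
    "nike": {"nike.com"},
    "luxsci": {"luxsci.com"},
}


def sender_parts(from_header):
    """Return (display_name, address) parsed from a raw From header value."""
    name, addr = parseaddr(from_header)
    return name.strip(), addr.strip().lower()


def domain_of(addr):
    """Return the domain part of an address (the part authentication covers)."""
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def same_site(domain, known):
    """True when domain is the known domain or a subdomain of it."""
    return domain == known or domain.endswith("." + known)


def check_display_name(from_header):
    """Return a dict describing the sender and why it looks suspicious, if it does."""
    name, addr = sender_parts(from_header)
    domain = domain_of(addr)
    reasons = []

    if not domain:
        reasons.append("no usable sender address")
    else:
        lowered = name.lower()
        for brand, domains in KNOWN_BRAND_DOMAINS.items():
            if brand in lowered and not any(same_site(domain, d) for d in domains):
                reasons.append(
                    f"display name mentions {brand!r} but message comes from {domain!r}"
                )
        # A display name that itself looks like an address is a classic trick:
        # the inbox shows the fake address while the real one is hidden.
        if "@" in name and name.lower() != addr:
            reasons.append("display name contains an address different from the real sender")

    return {
        "display_name": name,
        "address": addr,
        "domain": domain,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample headers (not real messages).
    for header in (
        '"Nike" <nike@example.net>',
        "Nike Support <noreply@mail.nike.com>",
        '"support@nike.com" <attacker@example.net>',
    ):
        print(check_display_name(header))
```

The check intentionally treats subdomains of a known domain as legitimate, since real senders often mail from hosts such as `mail.` or `notifications.`; tighten `same_site` if your vendors use a single fixed domain.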

Never click a link

If you see links in an email, do not click them without running an investigation first. Start your investigation by hovering over the link to see if it directs to the right domain. If it doesn’t, you can be sure that you’re being scammed.

Of course, you might wonder how one differentiates between a legitimate and a fraudulent domain. If it’s a business that you patronize, you’re probably already aware of the legitimate domain name. However, if it isn’t a vendor, brand, or name that you recognize, there is no need to bother with that mail anyway. Just put it in the trash.

You don’t have to respond to random marketing campaigns. The same applies to downloading attachments. If it’s from a business or person you don’t know, don’t download it. If it is from someone you know, investigate before opening it. As a best practice, don’t open or click on anything that you are not expecting without asking or investigating.
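The “hover over the link” test compares the domain the link actually points to with the domain the reader expects. As an added example (not the article’s or LuxSci’s code), the following Python uses only the standard library to pull every anchor out of an HTML message body and report two mismatches a defender cares about: a link whose target host is not the expected sender’s site, and a link whose visible text shows one host while its `href` goes to another. The sample HTML, the `example.net` host, and the expected domain are constructed for illustration.

```python
"""Audit links in an HTML email body for deceptive targets.

Added example, not part of the original article. Reports links whose real
destination differs from the expected domain or from the host shown in the
link text.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text that looks like a URL or bare host, e.g. "https://www.nike.com/account".
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased hostname of a URL; bare hosts are given a scheme first."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def same_site(host, domain):
    """True when host is the domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def audit_links(html, expected_domain):
    """Return one finding per http(s) link, with a list of reasons it looks off."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        scheme = urlparse(href).scheme.lower()
        if scheme not in ("", "http", "https"):
            continue  # mailto:, tel:, etc. are out of scope for this check
        target = host_of(href)
        reasons = []
        if not same_site(target, expected_domain):
            reasons.append(f"target host {target!r} is not under {expected_domain!r}")
        # If the anchor text itself looks like a URL, it must agree with href.
        if URL_LIKE.fullmatch(text):
            shown = host_of(text)
            if not same_site(target, shown):
                reasons.append(f"text shows {shown!r} but link goes to {target!r}")
        findings.append({"href": href, "text": text, "target_host": target, "reasons": reasons})
    return findings


# Constructed sample body (assumption: the mail claims to come from nike.com).
SAMPLE_HTML = """
<p>Your account needs verification.</p>
<a href="http://nike-secure-login.example.net/verify">https://www.nike.com/account</a>
<a href="https://www.nike.com/help">Help center</a>
<a href="mailto:help@nike.com">Email us</a>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, "nike.com"):
        print(finding)
```

Run it against a saved message body and an expected domain; any finding with a non-empty `reasons` list is a link the article would tell you not to click.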

Nothing is immediate when it’s via email

Email isn’t the first choice when it comes to urgent communication. If you receive an email that asks you to act immediately, you can often ignore it. Phishing scams often involve emails that induce panic and stir up your need to respond right away. The response here often involves giving away sensitive information. It’s a form of social engineering.

Legitimate mailers will not usually do this (unless you have ignored previous, less time-sensitive warnings). If you are still concerned, install anti-malware solutions that send out in-app or in-program notifications. These programs will also monitor your email, web browser, or messaging apps for threats.

In other words, those panic-inducing emails can often go straight to the trash. If you are uncertain whether the urgent warning is real … contact the sender. However, don’t use the contact information provided in the email, if you can help it. Call a phone number that you already have or can look up on the web. If you are skeptical, do not trust phone numbers and email addresses provided to you in the questionable email itself.

Be skeptical

Identifying phishing scams isn’t an absolutely cut-and-dried process, because they evolve at a rapid rate and can be very targeted. So, it’s best to be generally skeptical. When it comes to information security, a healthy dose of skepticism is necessary.

If you aren’t 100% sure about the mail you’re receiving, it is best to put it in the trash or reach out directly to the sender via some other communications channel to check. It is always better to err on the side of safety and security.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization? Interested in more information about “smart hosting” your email from Microsoft to LuxSci for HIPAA compliance? Contact Us