How to spot a phishing email

[Image: a computer screen showing a phishing attempt to steal a password]

If you have ever seen an email in your inbox that makes you scratch your head, you’re not alone. Phishing, an act of social engineering that attempts to deceive through email, can affect anyone. In 2021, 80% of reported security incidents and 90% of data breaches were caused by phishing emails. What’s more, a breach caused by a phishing email cost companies $4.65 million on average. 

And phishing is on the rise. According to the Federal Bureau of Investigation, there have been an average of 4,000 cyberattacks a day since the onset of the COVID-19 pandemic. This is a 400% increase over what they had seen pre-pandemic.

But the good news is that you are in full control of your emails and what you click on. By looking for these red flags, you can protect yourself and your practice from harmful cyberattacks.

Bad grammar and spelling errors

One could argue it is because most people who attempt to phish are not great writers. But many experts claim most of the grammatical errors and misspellings you see in spam emails are intentional. Why? There are a few reasons:

  • Email providers have gotten more sophisticated and know to look for certain words that appear in phishing emails. Therefore, many phishing emails will end up in your spam folder. By misspelling some of those trigger words or using bad grammar, phishers try to trick the spam filter into allowing their emails to pass through.

  • Phishers send emails en masse, knowing that a vast majority of them will be ignored. Grammatical and spelling mistakes are a strategy that narrows the field to those who are more likely to respond to the email. Think of a fishing lure: many fish will swim past the hook, but only one needs to take the bait.

Discrepancies in email addresses and domains

Another piece of the puzzle to look for is where the email is coming from. Most reputable organizations will use an email domain tied to their business, not a mainstream email provider like Gmail or Yahoo. For example, Google will use “google.com,” not “gmail.com.”

Also pay attention to the domain name, and to whether the email address contains strange combinations of letters and numbers. Let’s look at this example: “IT-Team-234@outlok.com.” Here, the sender is trying to use the term “IT” to look legitimate, but the random numbers should be a tip-off that this isn’t right. In addition, Outlook, a popular email platform, is misspelled.

Strange salutations

A legitimate business will call you by your name, not address you by part of your email address. So, if your email is Dental.Dentist@email.com, you should be suspicious if the email begins with “Dear Dental” or “Dear Dental.Dentist.”

Also be mindful of emails that use generic terms like “customer” or “account holder,” especially if they are asking you to click on a link or provide personal or financial information.

Shady links

Be especially mindful of any email that contains links, even from sources that may appear trustworthy on the surface. You could be taken to a website that will try to collect your information or encourage you to download harmful malware or ransomware, which could have dire financial consequences for you and your practice.

But you are in full control of the links you click on, so it is always important to look at the URL to see if it looks suspicious. You can do this by hovering your cursor over the link on a desktop computer or laptop. On mobile devices, you can press and hold a link to trigger a pop-up containing the link.

Look for “https” in the address, which shows the connection is encrypted (though not that the site itself is trustworthy), and if the link doesn’t seem correct or match the email context, do not click on it.

Emails as images

A legitimate company will never force you to click anything in their emails. But some phishers will try to get you to accidentally click by turning their entire email into a single image that can be clicked on as a link.

You can sometimes spot this if the email itself has low picture quality and looks fuzzy on your screen. But to be safe, keep an eye on your cursor on desktop, and press and hold the email on mobile. If the entire email is a linked image, you will notice your cursor change or see a pop-up containing the link the image leads to.

Suspicious attachments

A tell-tale sign of a phishing email is an attachment. If you did not conduct business with the company or ask for anything that would be attached to an email, such as an invoice or budget, do not click on the attachment. Be especially wary of files that have extensions like “.exe” or “.zip,” which likely contain dangerous malware or ransomware.

If the suspicious email comes from a company you do business with, reach out to the company yourself using verified contact information, not the email information on the message you received.

Emails requiring immediate action

Remember, phishers are trying to get your attention and hope their message will be strong enough to have you ignore the other red flags outlined in this article. That is why phishing emails frequently use language that triggers urgency in hopes of getting you to click.

Be wary of emails that:

  • Threaten access to services
  • Claim an account has been locked out
  • Offer a limited amount of time to react
  • Encourage you to click on a suspicious link or attachment
  • Intimidate you with consequences for not acting
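To make the red flags from the sections above concrete (sender domain and random digits, strange salutations, shady links, emails as images, suspicious attachments, and urgency wording), here is an added example in Python that is not part of the original article. It runs simple rule-based checks over a constructed sample message modelled on the article’s “IT-Team-234@outlok.com” example. The brand list, urgency phrases, risky extensions and the sample message itself are assumptions chosen for illustration, and the checks only use the standard library.

```python
import re
from difflib import get_close_matches
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed word lists for illustration; a real filter would use far larger ones.
BRANDS = ["outlook", "google", "microsoft", "paypal", "office"]
GENERIC = {"customer", "account holder", "user", "client", "member"}
URGENCY = ["locked", "24 hours", "immediately", "lose access", "suspended",
           "limited time", "action required", "verify your"]
RISKY_EXT = {".exe", ".zip", ".scr", ".js", ".vbs", ".iso", ".bat"}

# Constructed sample message, modelled on the article's "IT-Team-234@outlok.com".
SAMPLE = """From: IT Support <IT-Team-234@outlok.com>
To: Dental.Dentist@example.com
Subject: Action required: mailbox locked
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Dental.Dentist,</p>
<p>Your account has been locked out. You have 24 hours to verify your
password or you will lose access to all services.</p>
<p><a href="http://login-verify.example.net/">https://outlook.office.com/</a></p>
</body></html>
--XYZ
Content-Disposition: attachment; filename="invoice.zip"

--XYZ--
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text, wraps_image) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text, self._img = [], None, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text, self._img = dict(attrs).get("href") or "", [], False
        elif tag == "img" and self._href is not None:
            self._img = True  # an image inside a link: the whole-email-image lure

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._img))
            self._href = None


def analyze(raw_message):
    """Return the red-flag names found in a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    flags = []
    # Sender: lookalike of a known brand (similarity match) or random digits.
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    label = domain.split(".")[0]
    if label not in BRANDS and get_close_matches(label, BRANDS, n=1, cutoff=0.8):
        flags.append("sender-lookalike-domain")
    if re.search(r"\d{3,}", local):
        flags.append("sender-random-digits")
    # Body parts: gather subject + text + HTML, and flag risky attachment extensions.
    html, text = "", msg.get("Subject", "") + " "
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if "." + name.rsplit(".", 1)[-1].lower() in RISKY_EXT:
                flags.append("risky-attachment")
            continue
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True).decode("utf-8", "replace")
            if part.get_content_type() == "text/html":
                html += payload
            text += re.sub(r"<[^>]+>", " ", payload)
    lowered = " ".join(text.split()).lower()
    # Salutation: a generic term, or a chunk of the recipient's own address.
    recipient_local = parseaddr(msg.get("To", ""))[1].split("@")[0].lower()
    if m := re.search(r"\bdear\s+([^,.:\n]+)", lowered):
        who = m.group(1).strip()
        if who in GENERIC or (len(who) >= 3 and who in recipient_local):
            flags.append("odd-salutation")
    if any(phrase in lowered for phrase in URGENCY):
        flags.append("urgency-language")
    # Links: plain http, displayed URL whose host differs from the real target,
    # or an image standing in for the link text.
    collector = LinkCollector()
    collector.feed(html)
    for href, shown, wraps_image in collector.links:
        target = urlparse(href)
        if target.scheme == "http":
            flags.append("link-not-https")
        if shown.startswith(("http://", "https://")) and urlparse(shown).hostname != target.hostname:
            flags.append("link-text-mismatch")
        if wraps_image and not shown:
            flags.append("image-as-link")
    return list(dict.fromkeys(flags))  # de-duplicate, keep first-seen order
```

Calling `analyze(SAMPLE)` reports the lookalike domain, the random digits, the risky attachment, the salutation built from the recipient’s address, the urgency wording, the plain-http link and the mismatch between the displayed URL and the real target; a plain statement email with a proper greeting and no links or attachments produces no flags. The point of the exercise is that each flag is cheap to check and that a message rarely trips just one of them, which is exactly why the article tells you to look for several at once.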

What to do when you see a phishing email

This all might sound scary, but phishing only succeeds when the user falls for its schemes. That is why it is so important to remain vigilant about any suspicious email that ends up in your inbox. If you come across one, here are some things you can do:

  • Use your email provider’s “Mark as Spam” feature to flag any future emails from that sender as spam
  • If your organization has its own IT department, follow their protocol for reporting spam emails
  • Report the email to the Federal Trade Commission at ReportFraud.ftc.gov


The bottom line: When it comes to phishing, you are your practice’s first line of defense. Look for red flags before opening any email that looks suspicious.