Spot the signs of a phishing scam

Aqua’s new brainteaser challenges you to spot the signs of a phishing email, and shares expert advice on how to avoid getting scammed

Written by Team Aqua

Published: 28/03/24Published on March 28th, 2024

Last reviewed: 28/03/24Last reviewed on March 28th, 2024

7 mins read

If you have an email account, it’s likely that you’ve been targeted by a phishing scam before. They’re the most common type of cybercrime around the world, with an estimated 3.4 billion emails a day sent by fraudsters looking to scam people.

Phishing involves cybercriminals posing as a legitimate organisation, most often by email, in an attempt to ‘fish’ for sensitive information. The email will often ask you to click on a link that takes you to a fake website, where you’ll be encouraged to enter details such as login credentials or bank details.

Given how common phishing scams are, it’s vital that you know how to identify and avoid them. That’s why we’ve created this brainteaser to put your scam-spotting skills to the test and share some expert tips to avoid getting phished.

Can you spot the phishing scams?

Three of the emails below contain a tell-tale sign of phishing. Can you spot them all?

The most common signs of a phishing scam

1. It doesn’t address you by name. Phishing emails are usually sent to thousands of people at a time, meaning they aren’t personalised. Instead of addressing you by name, the email might say ‘Dear Sir/Madam’ or ‘Dear Customer’.

1. The sender’s email address looks suspicious. A very long or unusual email address is a red flag — as is one sent from a service like Gmail or Hotmail. Legitimate organisations usually have their own email domain; for example, a message from Amazon will come from ‘@amazon.com’.

It’s important to note that it sometimes won’t be obvious that the email address is fake. Make sure you’re checking it aligns with the site’s domain name, and you can also check the site’s ‘contact’ page to ensure the email matches.

1. It sounds urgent or threatening. Scammers often try to create a sense of urgency to pressure you into responding quickly. They want you to rush into giving them the information they want before you have time to realise you’re being scammed. If the email says something like ‘urgent action required’ or threatens negative consequences if you don’t respond now, it’s likely to be phishing.

1. It’s full of spelling and grammar mistakes. Poor spelling and grammar, or mistakes to the company’s name (such as a misspelt brand name or one with no capitalisation), are classic signs of a phishing scam.

1. It includes unclear links. Phishing emails will almost always encourage you to click on a link (or alternatively download an attached file). Often, the link will be shortened or scrambled so it isn’t clear where it’s taking you. If you’re ever unsure where a link leads, play it safe and don’t click on it.

1. It asks you for personal or sensitive information. The aim of a phishing scam is to steal sensitive information from you, such as login details or bank information. It might ask you to visit a link, where you’ll be directed to a fake landing page asking you to log in to your account or provide payment details. A genuine organisation will never ask for personal information such as your password, card number or address like this.

Top tips to avoid getting phished

Danny Clark, Head of Fraud at Aqua says, “Phishing scams are more sophisticated than they used to be, and it can be hard to identify a malicious email at first glance. It’s important to read all emails carefully and look out for the tell-tale signs of phishing to avoid falling victim to a scam.

“If you do receive an email that looks suspicious, always take the following steps to protect yourself and stay safe online:

1. Don’t rush to act

“If you receive an urgent message or email that demands immediate action, resist the impulse to act hastily. Phishing attempts often create a sense of urgency to manipulate individuals into making impulsive decisions. Take a moment to carefully evaluate the situation, independently verify the request, and reach out to the supposed sender through trusted communication channels to confirm the legitimacy of the message.”

2. Check the sender’s email address

“Phishers often use email addresses that may look like legitimate ones but have subtle variations or misspellings. Be wary of generic or suspicious email addresses, as reputable organisations usually use official domains. When in doubt, look up the contact information of the organisation and check if it matches the email you received.”

3. Don’t click on any links

“Instead of clicking on any links directly, open a new browser window and manually search for the official website of the supposed sender. Or, look at any official letters you’ve received, such as a bank statement, to find the website and type it directly into the address bar. This way, you can ensure you’re accessing the authentic website and not falling prey to a phishing link.”

4. Trust your gut

“If an email appears too good to be true or raises suspicions, trust your instincts. Phishers often use enticing offers, fake rewards, or false claims to lure individuals into their scams. Take a step back and critically evaluate the content of the message. If something feels off or the email triggers a sense of unease, it's better to play it safe.”

5. Delete and mark the email as a scam

“If you think you are being targeted by phishing, you should mark it as a phishing scam, if possible, and delete the email. This not only helps protect you but also helps improve the email filtering systems, preventing similar messages from reaching others.”

Other types of scam to watch out for

Smishing

Smishing (or ‘SMS phishing’) is a type of scam similar to email phishing, but carried out over text messages. Cybercriminals send fraudulent texts designed to steal your personal data, which — just like phishing — often claim to be from a reputable organisation.

Key signs of smishing to watch out for include:

• Suspicious links, which may be shortened or scrambled to make it unclear where they’re taking you
• A number you don’t recognise, especially if it includes an unfamiliar area code
• Poor spelling and grammar
• Sense of urgency
• Requests for sensitive information – real organisations like banks would never ask for this over a text message

If you receive a suspicious text message, never click on any links or attachments. If the text claims to be from an organisation such as your bank, contact them independently using the contact details on their official website.

Vishing

The name vishing is a combination of ‘voice’ and ‘phishing’. It describes a type of scam that takes place over a phone call. Just like phishing and smishing, these scams aim to manipulate you into sharing sensitive information.

Vishing can be more difficult to spot than other types of scam, as it can be very convincing. However, there are some tell-tale signs to look out for:

A call from an unknown number, or a number that you don’t recognise

Poor audio quality, or a voice that sounds fake or robotic

Asking you to share sensitive information – real organisations like banks or the government would never ask for this over the phone

Asking you to download software or grant remote access to your device(s)

Using threatening or intimidating language to pressure you into sharing information

If you receive an unsolicited call from someone claiming to be from your bank, or a similar organisation, always be vigilant. If in doubt, hang up and call the company back from the number listed on their official website.

What to do if you think you’ve been phished

If you suspect that you have fallen victim to a phishing attempt, it's essential to take immediate steps to mitigate potential damage. Firstly, change your passwords for the affected accounts. Use strong, unique passwords to enhance your account security.

Next, inform your bank if any financial transactions were involved, and follow their guidance on securing your accounts. You should also report the phishing attempt to the legitimate organisation being impersonated, as they may take measures to alert other users and enhance their security protocols.

Brainteaser answer

Think you managed to spot all the signs of a phishing scam hidden throughout our brainteaser? Take a look at the answers below to see how you did.

1. Text written with a sense of urgency = middle
2. A misspelt brand name, or no capitalisation of the brand name = top right
3. Grammar and spelling mistakes = top left
4. It comes from a long or unusual email address = bottom left
5. It asks you for personal/sensitive information = bottom middle

Contributors

Team Aqua

Aqua’s contributors are experts in their field, from a range of backgrounds including banking and lending.