Avoid Phishing Attacks: Seven Red Flags to Watch For

As you've probably heard, phishing is one of the most often-used techniques hackers use to break into devices or computer systems to steal sensitive data like credit card numbers, login credentials, or other valuable information. And as you've also probably heard, the best defense against phishing attacks is to use "common sense." But what does that actually look like? Phishing attacks come in a variety of ways. It can be hard to identify exactly what's a phishing scam and what's just a regular email or phone call. This article will show you some specific, tell-tale signs that the message you received might be a phishing scam.

What is phishing?

Phishing is a cybercrime that targets individuals via email, phone, text message, or social media direct message. It is a form of social engineering. The goal is to lure victims into giving up their personal information or sensitive data like bank account logins, credit card details, passwords, or Social Security numbers. The messages are disguised in order to appear legitimate. Victims often don't realize that they are interacting with a hacker rather than a legitimate organization.

Once the cybercriminals have the information, they can use it to access victims' personal accounts, commit identity theft, or drain their bank accounts. These phishing campaigns are successful before the victim even realizes that they have been phished, which makes it harder to get back assets or keep information safe.

What is spear phishing?

Spear phishing is a specific, targeted phishing attack against one person or a few select people. Hackers send phishing messages out en masse to all groups of people. But they direct spear phishing attacks towards an individual. The attacks can be via text, telephone call, or email, but the intent is, as with general phishing, to get information from a target.

These spear phishing attacks are typically more target-specific. They may appear as an email from an individual's CEO or boss. It could be a text from a sender who appears to be Amazon. With spear phishing, the fact that it's an attack may be less obvious, so users must practice extra vigilance. Don't be afraid to confirm that the sender is who they say they are. Email your CEO (from a new email thread - don't just respond back) asking them to confirm the information in the suspicious email. Check your Amazon account to get the tracking link from there instead of the text. As always, prevention is key.

What is vishing? How is it different from phishing?

Vishing is not entirely different from phishing; rather, it's a specific subcategory of phishing attack. It refers to voice phishing, or phishing via phone calls. Vishing attacks involve a caller claiming to be from some sort of authoritative agency, whether it be your bank, the government, or the IRS. They insist that you give personal information over the phone in order to check on fraudulent activity, but these claims are entirely false. Just like with traditional email phishing, the cybercriminal wants to bait information from the victim in order to get access to their personal information and accounts.

Smishing, which refers to text message or SMS phishing, works the same way. The victim gets a text message asking for information or with a link to click, which then leads to a malicious website or downloads a virus onto the device. Vishing and smishing are both variations of phishing that serve the same general phishing purpose: information theft.

Email phishing red flags

96% of all phishing attacks are via email. This means that though robocalls and fake websites do need to be on Internet users' radars, suspicious emails are the biggest threat. Though many email servers have services that block spam emails and email spoofing, according to a survey in 2020, 1 in every 4,200 emails is a phishing email, meaning that there are still messages that make it through to users' inboxes.

This means Internet users need to be aware of what a phishing email looks like in so that they aren't successfully phished. Below are the seven most common red flags to be aware of when it comes to a potential phishing email.

Irrelevant or unexpected subject line

Be wary if the subject line of the email is odd or doesn't pertain to the body of the email. Take note if you don't know what the subject means, or if it's related to something you never requested or purchased. Cybercriminals will put an unexpected subject line in hopes that victims will click out of curiosity. Opening one of these emails is the worst course of action; sometimes, with phishing emails, all the user has to do in order to download a virus is open the message.

Unknown sender

If you're unfamiliar with the sender, or if the identity of the sender is hidden, it's a red flag. You should only ever open and read emails from people or organizations that you're familiar with. The rest are likely spam messages or scams, neither of which you need to interact with.  If the sender really needs to reach you, they will find another method of communication.

Unknown CC'd email addresses

Similarly, if you are unfamiliar with the email addresses being CC'd on any email, it's a red flag. Watch out for this even if you are familiar with the sender. Email spoofing and fake email addresses can allow for a cybercriminal to disguise their real identity and make it seem as if the sender is someone that can be trusted, when, in reality, it's a scammer.

Email sent out of "normal" hours

If you receive an email in the middle of the night, it could be a red flag. Note that this is not necessarily always the case. Some businesses have automated emails that may be sent out very late at night or early in the morning. However, you should definitely pay closer attention to the details in these emails to make sure they aren't phishing attacks.

Unexpected attachments

Any email containing attachments that you weren't expecting to receive is a red flag. Never open email attachments unless you know the contents of the attachment. Some malware automatically downloads when users download or open attachments.

Hackers will often create a sense of urgency for victims in order to move them to action. They will make it seem as if you have to click a link or open an attachment in order to avoid some negative consequence. They may threaten jail or monetary loss - but these are empty threats. Nothing that serious will hinge upon your action, or inaction, when dealing with an email.


Lastly, look for typos in the subject, body, and in any hyperlinks found in the email. Misspellings are another red flag for phishing scams. Hackers may be in a rush or not the best at spelling when they attempt to create a phishing email. If the email claims it's from an organization, like Citizens Bank, make sure the company and email address are spelled correctly too. Hackers often have to misspell big-name companies in order to pose as them.

Also, before you click on any link, mouse over the link. Make sure it will take you to where you think it will take you. If it shows a different website, this is another big red flag.


As you can see by the tell-tale signs outlined above, one of the main techniques to spot phishing emails is to be able to spot suspicious information in email headers. If you notice anything "phishy" in an email, you can contact your email provider to assist in putting an end to the hacker, and even be able to trace an email address.