10 Ways to Spot Phishing Email Scams in 2022

By now, you probably know that a Nigerian prince isn’t offering to pay you millions in exchange for helping him get his royal fortunes out of the country — as long as you supply your bank routing number.

To many, the absurdity of this classic email hoax is laughable, but some studies have shown that people may be overconfident in their ability to detect phishing scams. Nearly all phishing attacks happen by email, and hackers are becoming more cunning and sophisticated as they evolve their tactics to deceive unaware businesses and individuals.

Keep these 10 ways to spot the latest phishing email scams for 2022 in mind:

1. COVID-19 or Economic Quick Fixes
2.  Unexpected Attachments
3. Inconsistent URLs
4. Action Required: Requests to Update Information
5. Misspellings and Poor Grammar
6. Something’s “Off”
7. W-2 Form Requests
8. An Email from the CEO
9. You’ve Won a Contest
10. A Tone of Desperation

1. COVID-19 or Economic Quick Fixes

Have you heard of this quick and easy cure for COVID-19? Or a super easy way to get money fast in these difficult days?

Probably not — and that’s likely because they simply don’t exist. Unfortunately, in tumultuous times like we’ve had the last few years, scammers are going to attempt to prey on people who are struggling, using enticing language and promises to lure them in. Watch for subject lines promoting vaccine registration or new “treatments” for COVID-19. Also, look out for any promises offering fast cash or questionable investments. Do not click on any links or fill out any official-looking forms. 

Instead, go directly to your healthcare provider or the Centers for Disease Control and Prevention (CDC) website for the most current and accurate information about COVID-19, and continue to follow well-known and legitimate financial advice from real experts and any advisors you may already speak to.

2. Unexpected Attachments

An email with an attached fake invoice or other such suspicious attachment is a common type of phishing scam. Never open an attachment you weren’t expecting, even from someone you know. Don’t click, don’t tap, just close it and delete it.

3. Inconsistent URLs

If the web address URL within an email displays differently when you hover over it or appears to be misspelled based on your experience with the correct URL, it’s likely an attempt to lead you to a malicious site and hack your device.

4. Action Required: Requests to Update Your Information

Emails claiming that you need to update your account are classic attempts to obtain access to personal information and should raise red flags. They may appear to come from your social media accounts, credit card companies, online shopping services, payment apps, the IRS, a bank or other institution. Most institutions will never request login credentials, account numbers, financial information and other personal data via email.

Some examples of these common phishing subject lines might look like:

• Security Alert: new or unusual login
• Your Amazon Prime account: Action required
• Important security update required

5. Misspellings and Poor Grammar

We all make spelling errors on occasion, but when an email is riddled with obvious grammar mistakes and poor sentence structure, it’s a clue that an email was written either by a computer program or a foreign hacker who’s not associated with a professional organization and may be making a poor attempt at using Google translate.

Look for legitimate company contact information and confirm it by separately typing it into Google (never by clicking within the email). Don’t click on any shortened links which may be trying to fool Secure Email Gateways.

Learn More: Top 10 Cybersecurity Facts

6. Something’s “Off”

Is the formatting of the email different than usual with strange spacing or margins? Is the company logo pixelated or are the colors off? If you’ve subscribed to an email list from a reputable company and regularly receive correspondence from them, be wary if those emails suddenly show up in your inbox looking differently than they normally do.

Aside from obvious visual cues, if anything at all is giving you bad vibes — such as an unrecognized sender name or a peculiar though not obviously malicious subject line — don’t click anything or respond. When in doubt, close it out.

7. W-2 Form Requests

This scam is especially prevalent around tax season. The email may appear to come from a company’s internal HR department or high-level executive requesting an employee’s W-2 form. When released, the scammer can file fraudulent tax returns and claim any potential refunds. No one legitimate will be sending you an email requesting your W-2 form.

8. An Email from the CEO

“Oh wow, the CEO themselves is asking me personally for a favor!” Who wouldn’t want to comply with a request from the “CEO?” Chances are, though, that request to transfer funds, pay an invoice or release sensitive information on their behalf is really coming from a scammer.

Hackers are becoming masters at researching a company’s high-level personnel and then impersonating them. 

Ask yourself: Would the CEO really send a direct email asking for something like this? The answer is almost certainly “no.”

9. You’ve Won a Contest!

Did you actually enter a contest? No? Then, sorry to break it to you, but you’re not actually a contest winner. Don’t let whoever sent this to you win by falling for their scam.

10. A Tone of Desperation

Don’t fall for emails with a sense of urgency claiming that your “immediate action is required.” If the email claims that your account has been compromised or that the account will be closed unless you respond right away, it’s a sure sign something’s up. Instead, try logging into the account from a separate browser using your normal means of accessing it.

What to Do If You Receive a Phishing Email

If you receive an email that looks suspicious, follow these phishing email best practices:

• Don’t open the email
• Immediately delete the email
• Do not click on or download any attachments
• Whatever you do, don’t click any internal embedded links
• Don’t reply to the sender
• Inform your IT department and others (consider taking a screenshot to help others identify potential scams)

If an email appears to come from someone you know, or from an organization you’ve dealt with before, don’t reply. Instead, contact the individual or company some other way to follow up, or manually access your online account by separately entering a known URL into your browser.

Also, don’t forward a suspicious email to ask if it’s legitimate, even to your own IT department. Instead, pick up the phone or send a separate email explaining your concern. Then, delete the email, empty your trash and carry on.

What to Do If You Suspect You’ve Taken the Bait

Think you might have fallen for an email phishing scam? Here are some immediate steps you should take:

• Immediately turn off Wi-Fi and disconnect from the internet in hopes you can limit a hacker’s access to your network
• Contact your IT department or technology management provider
• If you clicked on a link to a fraudulent website, write down any information you entered (username, password, address, etc.)
• Change your passwords
• Scan your device for viruses or malware
• Report incidents of successful breaches to the Federal Trade Commission (FTC)
• Improve your security posture by working with an experienced technology management provider

Elevity and Cybersecurity

Better yet — avoid these attacks in the first place. At Elevity, we use our own 4S approach to protecting your technology and assets: Strategy, Security, Solutions and Support.

One such tool we have for this is our free Cybersecurity Risk Assessment. To see how prepared you are for a cyberattack, we encourage you to take the assessment. Simply click the link below and you’ll be guided through 15 critical questions and provided a security score at the end to help you figure out your next steps.