Anyone who uses a work email address needs to be wary of email phishing scams, a common tool cybercriminals use to prey on businesses, government entities, and other employers. Phishing is a form of social engineering in which the attacker impersonates a legitimate sender, such as a company or a colleague, to trick employees into handing over sensitive information or running malicious software.
Employers are frequent targets of phishing because they hold a lot of valuable information, such as customer data or financial records. They also have a lot of email addresses, and it only takes one employee opening an attachment or sending sensitive data for the damage to be done.
While the scammer's goals vary (installing ransomware on your employer's network, capturing your account login details, or diverting a payment), there are common ways to spot the attempt.
5 Ways to Spot an Email Phishing Scam at Work
1. There is a request to provide sensitive information.
Any email that asks you to provide personal or sensitive information, such as bank account numbers, client records, passwords, or account logins, could be a phishing attempt. Most companies will never email or call you to solicit this data. Verify any such request by contacting the company separately through official channels, using a phone number or website you already have rather than one supplied in the message.
Even if the email appears to come from a colleague, check that it is legitimate before you share anything. Cybercriminals can spoof or compromise fellow employees' accounts, so confirm any sensitive request out of band (a phone call, chat, or in person) before you respond or follow a link.
2. The identifying information doesn’t match up.
Phishing emails may try to impersonate a real contact, like a company you do business with or an executive at your employer. The goal is to get you to complete an action because you believe the sender is legitimate.
Even if you recognize the sender, review the identifying information in the message before you open any attachments, click a link, or respond to an email. Some red flags include:
- You recognize the sender's name, but the message comes from a different address than that person normally uses
- The domain in the sender’s email doesn’t match the real company’s website
- The name in the email doesn’t follow the naming convention your employer typically uses
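The three red flags above can be turned into a mechanical check on the From: header. The following is an added example written for this page, not code from the original article: it parses the header, looks the display name up in a small address book, folds common look-alike substitutions (digit-for-letter, "rn" for "m") before comparing domains, catches a real address hidden in the display name, and checks that mail claiming to be internal follows the employer's naming convention. The employer domain, the first.last naming convention, and every name and address in it are constructed assumptions.

```python
import re
from email.utils import parseaddr

# All names, domains and the naming convention below are constructed for this
# example (assumptions), not taken from the article.
EMPLOYER_DOMAIN = "example.com"
# Assumed employer convention: first.last@example.com
LOCAL_PART_CONVENTION = re.compile(r"^[a-z]+\.[a-z]+$")
# Address book of senders the recipient expects mail from: display name -> domains on file
KNOWN_SENDERS = {
    "jane doe": {"example.com"},
    "acme billing": {"acme-corp.example"},
}

# Crude look-alike folding so that examp1e.com and exarnple.com compare equal to
# example.com. A real deployment would use a full confusables table (Unicode TR39).
_DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain: str) -> str:
    d = domain.lower().translate(_DIGIT_FOLD)
    return d.replace("rn", "m").replace("vv", "w")


def check_sender(from_header: str) -> list[str]:
    """Return the red flags raised by a From: header (empty list = nothing suspicious)."""
    flags = []
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable_address"]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()

    # Red flag 1: a name we know, but not at an address we have on file.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected is not None and domain not in expected:
        flags.append("known_name_unexpected_domain")

    # Red flag 2: the domain imitates one we trust (a known sender's or our own)
    # without actually being it.
    targets = (expected or set()) | {EMPLOYER_DOMAIN}
    if domain not in targets and any(
        normalize_domain(domain) == normalize_domain(t) for t in targets
    ):
        flags.append("lookalike_domain")

    # Variant of red flag 2: the display name shows one address while the mail
    # really comes from another, e.g. "jane.doe@example.com" <x@other.example>.
    if "@" in name:
        shown_domain = name.rsplit("@", 1)[1].strip().lower()
        if shown_domain != domain:
            flags.append("address_in_display_name_mismatch")

    # Red flag 3: claims to be internal mail but ignores the naming convention.
    if domain == EMPLOYER_DOMAIN and not LOCAL_PART_CONVENTION.match(local.lower()):
        flags.append("naming_convention_mismatch")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, one per red flag.
    for header in (
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@examp1e.com>",
        '"jane.doe@example.com" <update@mail-notify.example>',
        "IT Helpdesk <helpdesk@exarnple.com>",
        "Jane Doe <jdoe@example.com>",
    ):
        print(f"{header!r:55} -> {check_sender(header)}")
```

A check like this only catches the obvious mismatches the article lists; it does not replace verifying an unexpected request through a channel you already trust.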
3. The email is poorly written.
Scam emails are often full of spelling errors, poor grammar, and strange turns of phrase. Legitimate company emails should be professionally written and checked for errors, and even a message from a colleague who is not a strong writer should meet some basic level of professionalism. The reverse does not hold: well-written phishing emails exist, so clean grammar alone does not prove a message is genuine.
4. There is a suspicious link or attachment.
You may send and receive web links and attachments with coworkers all the time. But phishing emails often include dangerous links and attachments that could be used to steal information, infect your employer’s networks, or hold sensitive data for ransom.
If you receive an unsolicited attachment or link from an address you do not recognize, don't open it. Even if you believe the sender is legitimate, check with your IT or security team before opening any file you weren't expecting to receive, and hover over a link to see where it really points before you click.
5. The message is written to create urgency.
Phishing emails often try to impart a sense of urgency to get the recipient to throw caution to the wind, without asking questions that will expose the scam. For example, a phishing email may impersonate your boss and request an urgent bank transfer or claim that you’ve been the victim of a hack and you need to confirm login details ASAP.
No matter the content of the message, take a moment to think through what you're being asked to do. If something seems off, don't comply until you've verified through a separate channel that the email is legitimate.