Identify the warning signs

People may fall for phishing attacks if they don't realize in time that an email is malicious. If an email seems suspicious, scrutinize it to determine if it's a potential phish. Don't be tricked or scared into giving up your information or surrendering control of your accounts or devices!

Never trust an email just because you know the person or group that claims to have sent it or because you recognize logos or information in the email. As hackers get more sophisticated, so do their tactics. Cybercriminals know they can fool people by faking names, stealing logos, or doing research on their victims. Don't fall victim!

Learn more below:

How can I spot a phishing email?

Phishing emails vary widely, but many hackers make the same basic mistakes. You can follow these guidelines to help identify potential phishing attacks.

Not every phishing email will contain these warning signs, but many do. Exercise caution when dealing with email; if something seems suspicious or unusual about a message, report it or try to verify its legitimacy. Don't automatically trust every email. And if it feels like the person emailing you is trying to manipulate or take advantage of you, trust your instincts and tell us.

Annotated phishing examples are available at the Secure UD Threat Alerts blog.



Check the sender.
Sometimes, cybercriminals will fake (or "spoof") the sender of an email. If the "from" address doesn't match the alleged sender of the email, or if it doesn't make sense in the context of the email, something may be phishy.

  • An email claims to come from the University, but it's from "" instead of an "" address.
  • An email claims to come from your friend John Doe, but the sender is ""

Check for (in)sanity.
Many typical phishing emails are mass-produced by hackers using templates or generic messages. While sophisticated attacks may use more convincing fake emails, scammers looking to hit as many different inboxes as possible may send out large numbers of mismatched and badly written emails. If the email's content is nonsensical or doesn't match the subject, something may be phishy.

  • An email has the subject "Important documents," but the message itself is about your email account running out of storage.
  • An email has a generic subject like "warning" or "FYI" and the message is a request for you to enter personal information or click on a suspicious link.
  • An email contains a 2FA code that you did not request.

Check the salutation.
Many business and commercial emails from legitimate organizations will be addressed to you by name. If an email claims to come from an organization you know but has a generic salutation, something may be phishy.

  • An email claiming to come from the University is addressed "Dear webmail user" instead of "Dear Jane Doe."
  • An email claiming to come from one of your favorite stores is addressed "Dear customer," but the store's emails are normally addressed "Dear John Doe."

Check the links.
A large number of phishing emails try to get victims to click on links to malicious websites in order to steal data or download malware. Always verify that link addresses are spelled correctly, and hover your mouse over a link to check its true destination. Beware of shortened links like http://goog.le. Additionally, a site using https:// (with a green padlock icon) should not be automatically trusted. You should not visit a website if your browser warns you about dangerous or deceptive content. If an email links to a suspicious website, something may be phishy.

  • An email tells you to click on a link to "" to reset your password, but you were expecting a link to a "" address.
  • When hovering over a link to "," you notice that the link actually goes to ""

Don't let them scare you.
Cybercriminals may use threats or a false sense of urgency to trick you into acting without thinking. If an email threatens you with consequences for not doing something immediately, something may be phishy.

  • An email warns, "confirm your account password or your account will be shut down."
  • An email promises a reward to the first 100 takers and urges you to "click now to claim your prize."
  • An email tells you to pay the attached "invoice" or "face legal action."

Don't give up personal data.
Some phishing emails will ask for your sensitive personal data, such as your account password or your Social Security number. Legitimate organizations will not ask you to provide this information over email. If an email demands sensitive information, something may be phishy.

  • An email asks you to verify your account by typing in your username and password.
  • An email asks you to provide W-2s, tax information, or other personal documents.

Don't open suspicious attachments.
Some phishing emails try to get you to open an attached file. These attachments often contain malware that will infect your device; if you open them, you could be giving hackers access to your data or control of your device. If you get an unexpected or suspicious attachment in an email, something may be phishy.

  • An email instructs you to open the attached "court summons," but you aren't expecting a summons and you know that such a document would be delivered on paper.
  • An email tries to deliver an attached "invoice" for your "recent purchase."

Check for poor spelling and grammar.
Typically, official emails from organizations you trust will not be rife with spelling and grammar errors. If an email claims to come from a legitimate organization but contains numerous errors, something may be phishy.

  • An email reads, "Click to verify now you're account."
  • An email claims to come from the "Univercity of Deloware" and asks you to "open imporant document imediately."

Don't believe names and logos alone.
With the rise in spear phishing, cybercriminals may include real names, logos, and other information in their emails to more convincingly impersonate an individual or group that you trust. Just because an email contains a name or logo you recognize doesn't mean that it's trustworthy. If an email misuses logos or names, or contains made-up names, something may be phishy.

  • An email includes the UD logo, but it makes a suspicious request for your account information.
  • An email claims to come from your bank, but uses an old logo.
  • An email claims to come from the dean of your college, but the sender is a "" address.

If you still aren't sure, verify!
If you think a message could be legitimate, but you aren't sure, try verifying it. Contact the alleged sender separately (e.g., by phone) to ask about the message. If you received an email instructing you to check your account settings or perform some similar action, go to your account page separately to check for notices or settings (e.g., log in to Facebook and navigate to your settings instead of opening a suspicious-looking link that claims to go to your account page).

  • You get a request from a coworker for files that person doesn't normally use, so you walk to her office to check whether she really sent the request.
  • An unexpected email claiming to come from a social media site tells you that you need to change the password to your account. Instead of following the password reset link in the email, you open the site in a new browser tab and manually log in to check your settings.

More information is available at the following resources:

Avoiding Social Engineering and Phishing Attacks (US-CERT)
Explains what phishing is and offers tips for avoiding becoming a victim.

Phishing (OnGuard Online)
Explains briefly how to deal with phishing scams, including how to avoid them and how to report them.

Phishing scams (
Provides examples of common phishing scams and how to spot them.

How can I verify if an email is legitimate?

If you aren't sure whether an email is legitimate, contact the alleged sender through a separate channel, such as over the phone or in person. If the email you received claims to come from an organization, look for that organization's official contact information.

If you want to verify whether a link is legitimate, hover your mouse over the link text and check its true destination. In many web browsers, a link's destination will appear in the lower left corner of the window. Watch out for spelling mistakes, missing or extra dashes, and fake domains (such as ""). Your device won't know the difference between a legitimate link and a malicious one!
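The hover check described here and under "Check the links" can also be run automatically over a message's HTML body. The following is an added example, not part of the original page: it compares each link's visible text with its real destination, flags shortened links, and checks the destination against the domain you expected, whether or not the link uses https://. The domain example.edu, the sample message, and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"goog.le"}  # assumed local list; goog.le is the host the page names

class LinkCollector(HTMLParser):  # gathers (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Hostname of a URL or bare domain; None for ordinary words."""
    value = value.strip()
    if " " in value or "." not in value:
        return None
    return urlsplit(value if "://" in value else "//" + value).hostname

def check_links(html_body, expected_domain):
    """Return [(href, [reasons])] for links that need a closer look."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        shown, real = host_of(text), host_of(href)
        reasons = []
        if shown and real and shown != real:
            reasons.append(f"text shows {shown} but link goes to {real}")
        if real in SHORTENERS:
            reasons.append("shortened link hides the destination")
        # Compare on a dot boundary so example.edu.reset.example.net fails.
        if real and real != expected_domain and not real.endswith("." + expected_domain):
            reasons.append(f"destination is not under {expected_domain}")
        if reasons:
            findings.append((href, reasons))
    return findings

SAMPLE = (  # constructed message body; example.edu stands in for the real domain
    '<a href="https://example.edu.reset.example.net/login">password.example.edu/reset</a>'
    '<a href="http://goog.le/abc123">Important documents</a>'
    '<a href="https://password.example.edu/reset">Reset your password</a>')
```

Calling check_links(SAMPLE, "example.edu") reports the first two links and passes the third. urlsplit raises ValueError on some malformed addresses; in real use, treat that as a finding as well.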

If you get an email stating that you need to log in to update or verify your settings, review information related to your account, or confirm something, it's recommended that you log in to your account the same way you normally would—don't follow links in a suspicious email. Use official login pages on the organization's real website.