The holidays are an important season for hackers, too.
Phishing attempts typically jump during the holiday season, according to the Federal Bureau of Investigation, which means online shoppers scouring for gift deals need to be on the lookout for scammers in their email inboxes.
You might be among the many people who received an email offer that sounds too good to be true — for a free Yeti cooler, perhaps. Or, you could be suspicious of a message from a major retailer or financial institution asking you to supply your login credentials or credit card information.
Either way, it pays to be vigilant. Phishing attacks are the No. 1 way scammers get to people these days, and they can be very clever, says Kevin Mitnick, a former hacker who’s spent the past two decades as a computer security consultant.
Your best defense: knowing the tricks they typically use, Mitnick tells CNBC Make It.
Here are six “red flags” that should trigger phishing alarm bells in your head, broken down by where you might find them in your inbox, according to Mitnick and online security platform KnowBe4, where he works as “chief hacking officer.”
Start with the email’s sender. Do you recognize the email address as one you’ve communicated with in the past?
Check the email address and URL for misspellings that might be easy to miss at a quick glance, like “micorsoft-support.com,” Mitnick says. Those are likely from a scammer who’s hoping you won’t look too closely.
If you don’t know the sender personally, and they haven’t been vouched for by someone you trust, proceed with caution.
Look closely at any other recipients of the email: Scammers will sometimes spam multiple email addresses at once to save time, Mitnick says.
If there are other recipients listed on the email and you don’t recognize any of their email addresses — or if they all have names that start with the same letter as yours — that’s another potential red flag.
Hyperlinks and attachments
If you’re suspicious of an email, be wary of clicking on any links contained in the message.
You can try to confirm your suspicions by hovering your mouse over the hyperlinks to see where they’d lead. If the URL that pops up is from a different website than what the email claims, or it contains misspellings of a known site, that’s a “big red flag,” says Mitnick.
Another red flag: if the email contains an unexpected attachment, or an attached file that seems unrelated to the subject of the email. Don’t click links or download attachments unless you are absolutely sure they’re legitimate.
Say your work email receives a message sent well outside of regular business hours — like 3 a.m. — and it’s not from someone who you know is in another time zone. That’s a reason to be wary.
Be suspicious if the email’s subject line is irrelevant or doesn’t match the message in the body of the email. Similarly, if the subject line makes the email look like a reply to a previous message that you never sent, proceed with caution, Mitnick says.
Be on the lookout for messages attempting to get rise out of you, either by offering something of value for free or threatening negative consequences. Around the holidays, that could mean a free gift offer or a message from a retailer or your bank claiming that one of your purchases didn’t go through, and you need to re-enter your credit card information.
Scammers often try creating a “sense of urgency” to get you to ignore other suspicious signs and comply with their requests, Mitnick and other cybersecurity experts note.
Be extra suspicious if the email is unexpected or unusual looking, perhaps with poor grammar and spelling mistakes. Representatives of a major retailers or financial institutions are likely to only send highly polished messages.
If all else fails, trust your gut, and don’t download anything unless you’re expecting it, Mitnick says.
“Never click a link and put your username and password in something that you didn’t initiate,” he adds. “That’s a simple rule set that people should have.”