...

  • The recipient (To:) does not have your actual e-mail address. While this example uses undisclosed recipients as a BCC-style method of delivery, some phishing methods are not smart enough to avoid this.
  • The sender (From:) comes from a weird domain. In this example, wfarg.com is NOT actually a Wells Fargo domain; it belongs to someone else. (You can use http://whois.domaintools.com/ to look up domains and who owns them.)
  • Any links in the message will not go to the site of the company in question. The link in this example goes to http://mhgmichigan.com/we, which is definitely not a Wells Fargo website.
  • Does it actually contain any information you recognize? Most phishers have no idea of any of your actual information. As you can see in this example, no real information is included, not even a name or the last 4 digits of the account. While this is meant to be a generic message, a generic message telling you your account is suspended is often fake. Most businesses will properly identify who they are trying to contact and, going one step further, use a piece of actual information, such as the last 4 digits of your account, to help confirm that it really is you and them talking.
  • Is it too good/bad to be true? Another common phishing method is the 'Nigerian Prince' scam or 'I need help' scam, where they want personal information or bank information to route money to you or get money from you to bail them out.
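
The first three checks in the list above (recipient, sender domain, link targets) can be automated. The following is an added example, not part of the original page: the sample message is constructed from the indicators described above, and the address `you@example.edu` and the legitimate domain `wellsfargo.com` passed in are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample built from the indicators in the list (not a captured message).
SAMPLE = """\
From: Wells Fargo <alerts@wfarg.com>
To: undisclosed-recipients:;
Subject: Your account is suspended

Dear customer, your account is suspended. Sign in at
http://mhgmichigan.com/we to restore access.
"""

def domain_matches(host, legit_domains):
    """True only for a legitimate domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in legit_domains)

def phishing_indicators(raw, my_address, legit_domains):
    msg = message_from_string(raw)
    findings = []
    # Check 1: is the message really addressed to you?
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    if my_address.lower() not in recipients:
        findings.append("recipient: your address is not in To/Cc")
    # Check 2: does the From: domain belong to the claimed company?
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not domain_matches(sender_domain, legit_domains):
        findings.append(f"sender: {sender_domain} is not a known company domain")
    # Check 3: do the links go to the company's own site?
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if not domain_matches(urlparse(url).hostname, legit_domains):
            findings.append(f"link: {url} leaves the company's domain")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE, "you@example.edu", ["wellsfargo.com"]):
        print(finding)
```

The suffix comparison in `domain_matches` rejects lookalikes such as `wellsfargo.com.example.net`, which a plain substring test would accept.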

For more information, please refer to UC Santa Barbara IT - Identify Phishing Scams.

What you can do to protect yourself...

...