Learn to Spot Phishing, Scams, and Other Fake Messages

The Problem

In the course of my work, many clients have asked me:

• Before the problem: “Is this particular email (or text message or website) fake or legitimate?”
• After the problem: “I think I’ve been scammed. I got a scary email (or text message or on-screen pop-up) and then I clicked a link or called the number, or I received a phone call. They convinced me to give them access into my computer or information about me or money.”

No matter how good the security software on your Windows or Macintosh computer may be, a message from a clever scammer might still trick you into revealing confidential information or performing some action that they request, most often calling some phone number, clicking a link to a website, or opening an email attachment.

Some scammers try to get you to do something quickly, while others take longer to draw you in over time. Some focus on individuals, others target employees of large organizations, government, or the military.

You may feel confident that you can easily spot a fake message, but in my experience even the smartest people can be fooled, especially if the claim is urgent or upsetting or both, and if the message contains elements that are personalized for you.

Recent estimates put the number of people successfully tricked into giving money to scammers each year in the hundreds of millions, and the reported losses at over a trillion dollars.

A little terminology

Phishing: The practice of sending fraudulent emails, texts, or other electronic or on-screen or voice messages, or setting up fake websites, all of which pretend to be from legitimate or reputable people or companies. They try to trick the recipients into revealing private, personal, or financial information, including social security, bank, or credit card numbers, passwords, etc. The term is derived from “fishing” in the sense of using lures to “fish” for private information.

Spear phishing: A phishing attack that targets a specific person or organization, often using the recipient’s personal information to create customized messages that statistics show significantly increase the likelihood of successfully fooling the target.

Smishing: A phishing message that arrives in a text message. The term derives from “SMS” (Short Message Service), the name of the protocol used by many texting services.

Scamming: Messages intended to convince the recipients to do something specific, like sending money or providing information that may enable the scammer to steal money or valuable information.

General advice for spotting fake emails and websites

In general, I recommend learning about common (and not-so-common) scams and how to spot them. I suggest being skeptical and vigilant, even with messages that are apparently sent from people or organizations that you know.

Here are common things that might indicate a fake email or text message or on-screen pop-up:

• Urgent or threatening tone, e.g., “You will be locked out of your email, bank account, etc., click here or call this number immediately”
• Vague or ambiguous, e.g., “Dear Customer,” “Your cloud account,” “Your package delivery,” etc., which trick you into imagining what is not stated
• An offer that sounds too good to be true, e.g., free or massively discounted products or services
• Asking for something unusual, like a payment or a password or other information
• They started the conversation, not you
• Inconsistencies between the From address, the subject, and the body, e.g., a supposedly urgent notice from Norton or Xfinity or your bank, but it was sent from a personal Gmail address

Here are common things that might indicate a fake website:

• You landed on the site after clicking a link in a suspicious email
• No “Contact Us” page
• No security certificate, which usually triggers an error in most modern web browsers
• Doesn’t accept credit or debit cards, only bank transfers
• Quickly opens a pop-up window asking for personal information

Going beyond the general advice

The FTC (Federal Trade Commission), FBI, Postal Service, and many others post helpful descriptions of scams that you might encounter. That general material can be interesting to read, but since there are so many different things that can indicate a message or a phone call is fake, I believe that specific examples as well as self-paced tutorials and quizzes can also be helpful.

Self-paced tutorials, Part 1: Short online phishing quizzes

Here are some helpful online resources where regular computer users can learn from interactive, educational tests or quizzes.

Each of these websites presents a series of 8 to 10 examples, asking you to decide whether they’re legitimate or phishing. Some of them tell you what you missed if you answered incorrectly. A few ask for a name and email address as you start, which they only use to make the examples more compelling. For those, fictional answers like “Mary” and “mary@mary.com” are sufficient. A few ask for your real email address at the end in order to send you more details about your test results.

• http://www.phishingbox.com/phishing-test - Can you spot the fake emails?
• http://www.sonicwall.com/phishing-iq-test - Can you spot the fake emails?
• http://phishingtackle.com/phishing-quiz - Asks a combination of “Is this email legitimate?” and “Is this a good habit regarding online security?” questions
• http://phishingquiz.withgoogle.com - Google Phishing Quiz: Presents both email and text message examples
• http://www.opendns.com/phishing-quiz - Presents a series of possibly fake websites
• http://www.egress.com/blog/phishing/spot-the-phish - Presents both emails and websites

Self-paced tutorials, Part 2: More in-depth online phishing awareness courses and services

In the course of researching this topic, I tried to find free online courses for individuals that go beyond just 8 or 10 examples. Here’s one that I found so far:

• http://public.cyber.mil/training/cyber-awareness-challenge - The U.S. Department of Defense Cyber Awareness Challenge, a free, self-paced online course on a variety of topics, their “Social Engineering” topic covers phishing; it does not ask you to create an account

I also found a number of companies that offer platforms to employers that deliver two services:

• Online courses to teach their employee about phishing and other cyber threats
• “Campaigns” which employers can run to test their employees. The service sends unannounced and carefully crafted fake (but safe) email messages. If an employee gets fooled and clicks a link in such a message, they (and their employer) learn that they made a mistake, and they can get further training.

Here are some of those companies, all of which have a free “starter” level, plus higher-level paid options:

• http://www.phishgrid.com
• http://www.caniphish.com

Where to go from here

As always, if this seems too difficult to understand on your own, I recommend that you talk to someone you know and trust who can help you review the messages or pop-up or phone calls you’ve received and determine whether they are fake or legitimate.

• google: phishing education
• google: free phishing awareness self test
• google: free phishing security test
• google: free phishing online course
• google: online scams
• http://www.hivesystems.com/blog/thinkyoucanspotphishing
• http://apwg.org/blog-2 - articles from the Anti-Phishing Working Group
• http://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
• http://www.fbi.gov/how-we-can-help-you/scams-and-safety
• http://www.uspis.gov/news/scam-article/fake-usps-emails - United States Postal Inspection Service
• http://en.wikipedia.org/wiki/Phishing

How to contact me:

email: martin@kadansky.com

phone: (617) 484-6657

web: http://www.kadansky.com

On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to martin@kadansky.com and I'll add you to the list, or visit http://www.kadansky.com/newsletter

Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter

Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.

Copyright (C) 2025 Kadansky Consulting, Inc. All rights reserved.

I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.