Skip to main content
Skip to main navigation
Illinois State University

How to Recognize Phishing Emails

What is a Phishing Email?

Phishing emails are emails that are intentionally designed to trick the recipient of the email to give out as much personal information as possible to the sender. The email can be a spoof of an email people might receive everyday, such as a credit card statement email or an email from their bank. If the sender receives that person’s information, they can open credit card applications, mark large purchases on that person’s existing credit cards, steal money from bank accounts, and much more. Read below on how to prevent this from happening to you!

Phishing emails are becoming increasingly sophisticated, which means you need to know what to look for when determining if an email is legit or a scam.

How can you tell the difference between a legitimate email and a phishing email?

At a glance, you might assume a phishing email is legitimate. If it looks real and has an urgent, ominous message, you might be coerced into acting before you think, and that’s exactly what the scammers want. No matter how good the disguise, though, phishing emails always have tell-tale signs that something is not right. The signs aren’t always easy to spot—you need to look for them.

Since it can be tricky, we’ll examine an actual phishing email so you can learn what to look for. The image below is a copy of a real phishing email. Please continue to read on to find out how we know it’s a phishing scam.

An example of what a phishing email may look like.
Image Description: An example of what a phishing email may look like.

  1. PayPal - The example phishing email appears to be sent from PayPal. Of course, if you don’t have a PayPal account, that should be a big tip off that this is a phony. Even if you don’t use PayPal, the steps to identifying a phishing scam are the same no matter what company logo appears in the email.

  2. To: unlisted-recipients - The top of the email shows who it’s From: and To:. The email appears to be sent From: service@paypal.com (which is not suspicious by itself), but it is sent To: no To-header on input <“unlisted recipients;”>.

    • This doesn’t jibe with the rest of the email, which is a warning about your personal account. If this was a real PayPal email, we’d expect the To: line to contain your email address, not “unlisted recipients.”
  3. Ominous Warning - Phishing emails try to incite worry and fear. In our example, the email begins, “Notice of account temporary suspension.” It goes on to talk about fraud and ends with a red, time-sensitive warning, “If this situation is not solved in 24 hours your account will be permanently suspended.”

    • First, you should be skeptical about any “account suspension” warning. This is a trick phishing scammers use all the time to make you worry. Second, you are given 24 hours before your account will be permanently suspended. This doesn’t make much sense—businesses like PayPal want to make money and that’s hard to do when they ban their customers.

    • A more reasonable response to suspected fraud would be to limit or lock the account until the issue can be investigated and resolved—something the email actually mentions. It’s the permanent ban that stands out as an unlikely overreaction on PayPal’s part which tips us off that this is a phishing scam.

  4. Suspicious Links - When you move your mouse over a link, the web address is displayed at the bottom of the window. This is a great way of checking things out before you click. When we move our mouse over the first link, “Travelling confirmation Here,” it displays the address, “ftp://april:april@209.202.224.140/update.htm”, at the bottom of the window.

    • There are a couple reasons why this link is suspicious. First, the spelling is odd. In America, we spell it “traveling” with one “L,” but in the email it’s spelled “travelling” with two "L"s, which is generally more common in England. Second, the link’s address is a big clue. It contains an IP address (209.202.224.140) instead of a web address (like www.paypal.com).

    • Also, the beginning of the address is “ftp://” instead of “https://”. You should be in the habit of looking for signs of security. Any time you are asked to log in or provide your credit card information, you should expect the site to use “https://”. The “s” in https:// means the site is secure. If you are asked to visit a site that uses “ftp://” or “http://”, you should stop and consider that the site and email might be fraudulent.

    • Mousing over the second link, “Re-activate your account Here,” reveals the same link address, “ftp://april:april@209.202.224.140/update.htm”. Why would PayPal include two apparently different links that point to the same address? This is yet another sign of something fishy going on.

  5. More Links - There are three other links in the email: TRUSTe Privacy Program, User Agreement, and Privacy Policy. Mousing over all three links reveals they all point to real web addresses, like “http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/privacy-outside”. This is a real PayPal link, and if you click it, the web page actually talks about customer privacy.

    • This is rather ingenious on the part of the scammers. They included links to the real PayPal website to make their email seem legit. By mixing the truth with their lies, they are trying to make it harder for you to identify the email as a phishing scam. It’s ironic that the email also contains information on “How to protect your account,” when it is, in fact, a phishing scam that is ultimately trying to trick you into giving away your PayPal account information.

    • If you were to click the suspicious links in a phishing email, you may be taken to a web page that looks like the real PayPal log in page. But when you enter your user name and password for PayPal, you’re not actually logging in at all. Instead, the web page sends your user name and password to the scammers.

    • You may also be asked to “verify” or “update” your personal account information. Scammers want as much data as you’re willing to give them, including bank account numbers, PIN numbers, credit card numbers, your Social Security number, and more.

    • To avoid getting caught by a phishing scam, you must stay on guard. Look for signs in the email that something just isn’t right. If you have any doubts, don’t click any links or log in. It’s always better to call the company and speak with someone over the phone.

Back to Overview

How to Get Help

For technical assistance, you may contact the Technology Support Center at 309-438-4357, or by email at SupportCenter@IllinoisState.edu.