Making sure the sender is actually the sender is the first step. What does that mean? With email, the address that actually sent the message is not always the same as the Reply-To address or the display name shown next to it. Let's look at the example email below:
This email is from a large phishing ring that pretends to be many different companies, including Terminix, ADT, and many more. As you can see in the top left of this image, the from name and the actual sending address are quite different from the claimed origin. This is a fast check that you should always do when starting an email chain. For more detail, use the "Show Original" option to look at the full headers and other technical data:
Probably the most commonly suggested check for phishing is making sure the links go where you expect. Is the email from a company? Then the links should go to that company's website, on the same domain the email came from. Let's take a look at the same example again:
As you can see in this image, the link behind the button looks nothing like the sender's email domain. Furthermore, it does not go to Terminix's website. Many emails use URL shorteners in their links to keep the email smaller and to do some fancy click tracking. If you come across one of these, search for "URL shortener checker" or "URL expander" and use a website like http://www.getlinkinfo.com/ to see what is on the other side of a link before clicking on it. Here is an example of what you may find:
As you can see, we discovered that this TinyURL link would actually redirect us to a malicious website, all without clicking on it.
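The three checks above (From versus Reply-To, display name versus sending domain, and link targets versus the sender's domain, with shortened links expanded first) can be automated. The script below is an added example written for this post, not code from the original author. It parses a constructed sample message, collects every link in the HTML body, expands shortened links using a constructed redirect table (a real expander would follow `Location` headers with HEAD requests from an isolated machine), and reports each mismatch. All domains use the reserved `.test` TLD, and the display-name check is a deliberately simple heuristic: it flags a display name that shares no word with the sending domain.

```python
import re
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing-style message (not a real email); all domains are .test.
SAMPLE_RAW = """\
From: "Example Pest Co Billing" <promo@bulk-mailer.test>
Reply-To: payments@unrelated-sender.test
To: you@yourcompany.test
Subject: Your service renewal
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your renewal is due. Please review it now.</p>
<p><a href="http://tinyurl.test/x1">View invoice</a></p>
<p><a href="https://www.examplepestco.test/help">Help center</a></p>
</body></html>
"""

# Constructed legitimate message: consistent sender, no Reply-To, link on the same domain.
CLEAN_RAW = """\
From: "Acme Widgets Support" <support@acme-widgets.test>
To: you@yourcompany.test
Subject: Your account statement
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.acme-widgets.test/account">Open account</a></p></body></html>
"""

# Constructed redirect table standing in for what a URL expander would resolve.
SHORTENER_TABLE = {
    "http://tinyurl.test/x1": "http://login-verify.bad-actor.test/invoice",
}
# Hosts treated as shorteners (the .test entry is constructed for the sample).
KNOWN_SHORTENERS = {"tinyurl.test", "tinyurl.com", "bit.ly", "t.co", "goo.gl"}


class LinkCollector(HTMLParser):
    """Collects (href, link text) for every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of_address(addr):
    return addr.rpartition("@")[2].lower()


def registrable(host):
    # Assumption: last two labels are the registrable domain (ignores co.uk-style suffixes).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def follow_redirects(url, lookup, max_hops=10):
    """Follow a redirect chain without fetching page content; lookup(url) -> next url or None."""
    chain = [url]
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if not nxt:
            return chain
        chain.append(nxt)
    raise ValueError("redirect chain exceeded %d hops" % max_hops)


def analyze(raw, lookup=SHORTENER_TABLE.get):
    msg = email.message_from_string(raw, policy=email.policy.default)
    from_name, from_addr = parseaddr(str(msg["From"]))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    from_dom = domain_of_address(from_addr)
    reply_dom = domain_of_address(reply_addr) if reply_addr else None
    findings = []

    # Check 1: Reply-To pointing somewhere other than the sending domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Check 2 (heuristic): display name shares no word with the sending domain.
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", from_name)]
    if words and not any(w in from_dom for w in words):
        findings.append(f"display name '{from_name}' does not match sending domain {from_dom}")

    # Check 3: every link, after expanding shorteners, should land on the sender's domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    resolved = []
    for href, text in collector.links:
        final_url = href
        if (urlparse(href).hostname or "") in KNOWN_SHORTENERS:
            final_url = follow_redirects(href, lookup)[-1]
            findings.append(f"shortened link '{text}' expands to {final_url}")
        host = urlparse(final_url).hostname or ""
        if registrable(host) != registrable(from_dom):
            findings.append(f"link '{text}' goes to {host}, not the sender's domain {from_dom}")
        resolved.append((text, final_url))

    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "links": resolved, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        result = analyze(raw)
        print(name, "->", len(result["findings"]), "finding(s)")
        for f in result["findings"]:
            print("  -", f)
```

Run as-is, the constructed phishing-style sample produces five findings (mismatched Reply-To, a display name unrelated to the sending domain, a shortened link that expands to an unrelated host, and two links off the sender's domain), while the constructed clean message produces none. Note that a link on a different domain is a prompt to look closer, not proof of phishing: legitimate senders do use separate mailing and tracking domains, which is exactly why the "does it make sense" question later in this post still matters.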
While this is becoming less common, typos, errors, terrible design, and poor grammar can be obvious signs of phishing. Let's take a look at this painfully obvious example of a phishing email:
In this example, the poor design, language that doesn't make sense, and plenty of errors such as incorrect capitalization make this email obviously phishing.
One thing that people tend to forget when looking at a potential phishing email is:
"Does it make sense that I got this email?"
Too often people overlook the fact that there is no reason someone would be offering them something over email, or that a work request is outside their job description. Does your CEO really need to email you? Does an African prince really want to send you $108 million? If you don't think it makes sense for you to receive the email, you are probably right. If you have any doubt about an email from someone you work with, call, text, Skype, or Slack them and ask whether they actually sent it. If they are asking for any sensitive or internal information, definitely confirm over another communication platform first.
Now you should feel pretty confident in your ability to protect yourself from phishing. Good luck out there!