Money Report

In partnership with CNBC

Former Hacker: 6 Email ‘Red Flags' That Can Mean Someone's Trying to Scam You Over the Holidays

By Tom Huddleston Jr.,CNBC

Boonchai Wedmakawand | Moment | Getty Images

The holidays are an important season for hackers, too. 

Phishing attempts typically jump during the holiday season, according to the Federal Bureau of Investigation, which means online shoppers scouring for gift deals need to be on the lookout for scammers in their email inboxes.

You might be among the many people who received an email offer that sounds too good to be true — for a free Yeti cooler, perhaps. Or, you could be suspicious of a message from a major retailer or financial institution asking you to supply your login credentials or credit card information.

Either way, it pays to be vigilant. Phishing attacks are the No. 1 way scammers get to people these days, and they can be very clever, says Kevin Mitnick, a former hacker who's spent the past two decades as a computer security consultant.

We're making it easier for you to find stories that matter with our new newsletter — The 4Front. Sign up here and get news that is important for you to your inbox.

Your best defense: knowing the tricks they typically use, Mitnick tells CNBC Make It.

Here are six "red flags" that should trigger phishing alarm bells in your head, broken down by where you might find them in your inbox, according to Mitnick and online security platform KnowBe4, where he works as "chief hacking officer."

'From'

Money Report

18 mins ago

Deutsche Bank reports 10% profit rise in first quarter, beating expectations

47 mins ago

Japanese yen hits fresh 34-year low despite verbal intervention from authorities

Start with the email's sender. Do you recognize the email address as one you've communicated with in the past?

Check the email address and URL for misspellings that might be easy to miss at a quick glance, like "micorsoft-support.com," Mitnick says. Those are likely from a scammer who's hoping you won't look too closely.

If you don't know the sender personally, and they haven't been vouched for by someone you trust, proceed with caution.

'To'

Look closely at any other recipients of the email: Scammers will sometimes spam multiple email addresses at once to save time, Mitnick says.

If there are other recipients listed on the email and you don't recognize any of their email addresses — or if they all have names that start with the same letter as yours — that's another potential red flag.

Hyperlinks and attachments

If you're suspicious of an email, be wary of clicking on any links contained in the message.

You can try to confirm your suspicions by hovering your mouse over the hyperlinks to see where they'd lead. If the URL that pops up is from a different website than what the email claims, or it contains misspellings of a known site, that's a "big red flag," says Mitnick.

Another red flag: if the email contains an unexpected attachment, or an attached file that seems unrelated to the subject of the email. Don't click links or download attachments unless you are absolutely sure they're legitimate.

'Date'

Say your work email receives a message sent well outside of regular business hours — like 3 a.m. — and it's not from someone who you know is in another time zone. That's a reason to be wary.

'Subject'

Be suspicious if the email's subject line is irrelevant or doesn't match the message in the body of the email. Similarly, if the subject line makes the email look like a reply to a previous message that you never sent, proceed with caution, Mitnick says.

Content

Be on the lookout for messages attempting to get rise out of you, either by offering something of value for free or threatening negative consequences. Around the holidays, that could mean a free gift offer or a message from a retailer or your bank claiming that one of your purchases didn't go through, and you need to re-enter your credit card information.

Scammers often try creating a "sense of urgency" to get you to ignore other suspicious signs and comply with their requests, Mitnick and other cybersecurity experts note.

Be extra suspicious if the email is unexpected or unusual looking, perhaps with poor grammar and spelling mistakes. Representatives of a major retailers or financial institutions are likely to only send highly polished messages.

If all else fails, trust your gut, and don't download anything unless you're expecting it, Mitnick says.

"Never click a link and put your username and password in something that you didn't initiate," he adds. "That's a simple rule set that people should have."

Sign up now: Get smarter about your money and career with our weekly newsletter

Don't miss:

These cybersecurity tips from a former hacker can make you 98% less vulnerable: 'You're raising the bar'

Watch out for Black Friday and Cyber Monday scams—here's how to avoid 5 of the most common ones

Also on CNBC

Subscribe to the CNBC YouTube ChannelSubscribe to the CNBC YouTube Channel
Copyright CNBC
Local Northern Virginia Prince George's County Subscribe to The 4Front Weather Changing Climate See It, Share It Videos Investigations Consumer Submit a tip The Scene Subscribe to The Weekend Scene Entertainment News 4 Your Home U.S. & World Money Report Politics Health Changing Minds
About NBC4 Washington Our news standards Our apps Submit photos and video Submit a consumer complaint Take our survey Promotions Newsletters Cozi TV
Contact Us