With email phishing, deciphering what’s real from what’s fake can be a challenge. Our inboxes are stuffed with emails fighting to get our attention and get us to take some action. But how to ferret-out what’s legitimate takes some cyber-smarts. Research shows email is the primary method of spreading 92% of all malware, and the U.S. is the target of 86% of all email phishing attacks. Whether at home or at work, email phishing is relentless, but being aware of characteristics they have in common can be a powerful tool. The ability to spot those familiar traits before it’s too late can be the difference between a good day and a bad nightmare.

Make no mistake, phishing targets credentials like passwords, account numbers, and payment methods. Phishers even have seasonal campaigns throughout the year that take advantage of times like holidays and tax season. Nothing is off limits for dedicated cyberthieves and the levels they stoop to have no bottom. A look at their favorite “go to” exploits is a great way to sharpen your phishing cyber-smarts.

It’s important to remember, phishing emails often have two traits in common:

Trusting the sender

Phishers disguise themselves as legitimate senders like Microsoft and Dropbox, or someone you work with or a friend you know or trust. The idea is to gain your confidence, especially for those who have work related contacts or use every day trusted businesses like Amazon and FedEx.

Urgency or immediate action required

The subject lines and messages are designed to be compelling and require some type of action from the recipient. Lines like “Your account needs verification” and “Your delivery requires further action” are common ploys. They can also target your personal interests to tug on your heart strings with information easily found on social media.

Knowing if an email is for real can be as simple as going directly to the source for verification. Never follow URL links or use phone numbers in an email because likely a phisher is on the receiving end. Type the real URL yourself or use a previously trusted bookmark and check your account. Once there, you’ll be able to see if further action is truly needed.

Since phishing remains one of the most effective tools in a hacker’s arsenal, they are continually tweaking and improving their tactics to be more potent. When you see that overflowing inbox, remember that with email phishing “know first and act last.” Know for sure the sender is legitimate and don’t act until you’re absolutely sure it’s necessary.