Last year, I received an email from my “bank” alerting me to suspicious activity on my account. The layout and logo matched other official communications I had received from the bank, and I was naturally alarmed.

But a few things just didn’t add up. Instead of using my name, it addressed me as “Dear valued customer.” After that, I was supposed to verify my account details, which seemed contrary to bank security advice. The brightest red flag, though, was the email address that didn’t match the bank’s domain.