Suspect every email.

That’s the only way to protect yourself from spear-phishing scams like the one that has reportedly hit White House officials. A U.K. prankster supposedly tricked members of the Trump Administration by posing as Washington insiders such as First Son-in-Law Jared Kushner, and was even able to get Homeland Security Adviser Tom Bossert to reveal his personal email address, CNN reported.

The scammer even posed as ex-Chief of Staff Reince Priebus to bait the recently-fired White House Communications Director Anthony Scaramucci – and got the Mooch to actually respond.

This is far from an isolated incident. Identity theft hit an all-time high last year, with an estimated 15.4 million victims losing $16 billion, according to Javelin Strategy & Research. That’s up from 13.1 million the year before. And increasingly sophisticated email scams are tricking consumers.

Former Hillary Clinton campaign chair John Podesta fell for a similar spear-phishing trap last year. In a spear-phishing scam, attackers pose as a friend, associate, familiar company or financial institution to dupe victims into giving out personal information, typically through fear mongering or an urgent request. A similar scheme compromised the Democratic National Committee’s emails last year, and a massive phishing attack in May targeted many of Google’s 1 billion Gmail users.

“It’s not hard for scammers to figure out the email address of people who work in a company, since these addresses are often found on the company website, and they typically follow a formula like first initial, last name,” Susan Grant, director of consumer protection and privacy at the Consumer Federation of America, told Moneyish.

And armed with that information, the cyber crook can send spoofed emails that look like they are coming from the CEO to the accounting office, and ask payroll to email over personnel files, or send employees an attachment that unleashes malware on their computers.

“There are often telltale signs that one can look for to determine if an email communication is real or fake – but nine out of 10 times, nobody’s looking for these red flags,” Robert Siciliano, CEO of IDTheftSecurity.com, told Moneyish.

The warning signs that an email may be a targeted phishing scam include:

* It’s an unsolicited message from a coworker you don’t email much. “Be really careful of emails that come from someone – especially a senior office – out of the blue,” said Grant.

* There’s something “off” about the email address. The domain reads “.com” when your bank’s emails tend to end in “.org,” or there’s an extra numeral or letter in a familiar friend’s address. “Hackers can now fake emails to look like people you know,” a rep from Reason Core Security told Moneyish, “but if you fully expand the contact preview, you will see the true email address. This is often times extremely similar to your organization’s address, but could be a completely different domain.” Or sometimes, as in the case of the Gmail phishing attack, when users hovered over the emails that appeared to be from Google, the address read “hhhhhhhhhhhhhhhh@mailinator[.]com.”

* The email is riddled with grammatical errors or misspellings. In Homeland Security Adviser Bossert’s case, the body of the email included, “food of at least comparible (sic) quality to that which we ate in Iraq,” which should have raised his suspicions.

* It makes an unusual request. “If you’re not normally asked to send personnel files or make a money transfer, but you get an email request to do so, check with that person directly,” said Grant. “Don’t respond to that email. And don’t send that information.”

* The request requires immediacy or makes threats of any kind. “Emails that are toying with emotions, pushing buttons, getting you all riled up, should always be suspect,” said Siciliano.

* Links don’t go where they appear. Siciliano suggests hovering your cursor over any links included in an email – but not clicking on them! – to see if they’re going where they are supposed to. “A highlighted, likable link like bankofamerica[dot]com could easily go to anyscam[dot]com,” he said.
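The two checks above, expanding the sender to see the real address behind the display name and comparing a link’s visible text with where it actually points, can be automated for a mailbox filter. The following is an added example, not code from the article or from any of the experts quoted; the message it parses is constructed for illustration (all addresses and hosts use reserved `.example` names), and the allow-list of expected sender domains is an assumption you would replace with your own.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the display name claims a
# familiar sender, but the real address sits on a look-alike domain, and the
# first link's visible text disagrees with its href.
SAMPLE_EMAIL = """\
From: "Bank of America Alerts" <alerts@bankofamerica-secure-login.example>
To: customer <customer@example.org>
Subject: Immediate action required on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Verify now: <a href="http://anyscam.example/verify">bankofamerica.com</a></p>
<p>Help center: <a href="https://www.bankofamerica.com/help">www.bankofamerica.com/help</a></p>
</body></html>
"""

# Assumed allow-list: domains this sender is expected to mail from.
EXPECTED_SENDER_DOMAINS = {"bankofamerica.com"}


def sender_domain_mismatch(msg, expected_domains):
    """Return the real sender domain when it is not in the expected set, else None."""
    _display_name, real_address = parseaddr(msg["From"])
    domain = real_address.rsplit("@", 1)[-1].lower()
    return None if domain in expected_domains else domain


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(value):
    """Lowercase hostname of a URL, or of bare 'domain/path' link text."""
    if "://" not in value:
        value = "http://" + value
    try:
        return (urlparse(value).hostname or "").lower()
    except ValueError:  # malformed netloc, e.g. an unbalanced IPv6 bracket
        return ""


def mismatched_links(msg):
    """Return (href, text) pairs whose visible text names a different host than the href."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    suspicious = []
    for href, text in collector.links:
        text_host = _host_of(text)
        # Only link text that itself looks like a domain can contradict the href.
        if "." in text_host and text_host != _host_of(href):
            suspicious.append((href, text))
    return suspicious


def analyze(raw_message, expected_domains):
    """Run both checks over a raw RFC 5322 message and report the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {
        "sender_domain": sender_domain_mismatch(msg, expected_domains),
        "bad_links": mismatched_links(msg),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL, EXPECTED_SENDER_DOMAINS))
```

On the sample message the sender check reports the look-alike domain hidden behind the friendly display name, and the link check flags only the first anchor, whose text reads like the bank’s domain while its href points elsewhere; the second anchor’s text and target agree, so it passes. The same two rules are what a user performs by hand when expanding the contact preview and hovering over a link.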

* The email ends up in the spam folder. Trust your spam catcher to pick up on something wrong, even if it comes from a legit-looking place.

* The email is sent to “customer” or a nondescript recipient. If it’s meant for you, especially when coming from a friend or colleague, it should be addressed to you personally.

* Scope out the signature. “The majority of business professionals have a set signature that is sent on every email,” noted Reason Core Security. “If the scam email is posing as someone in your address book, the signature may not be there, or could look slightly different.”

But what if you’re not sure whether an email is legit or not? Here are some additional security steps to take, from the U.S. Securities and Exchange Commission.