Most tech-savvy people think they’re clever enough to recognize a phishing attempt, but they should think again. Cyberattacks are getting smarter, and criminals’ phishing skills are getting better. Here are some tips that can help you avoid a costly (and embarrassing) error.

Sharon Florentine writes, “No one wants to believe they’d fall for a phishing scam. Yet, according to Verizon’s 2016 Data Breach Investigations Report, 30 percent of phishing e-mails get opened. Yes, that’s right—30 percent. That incredible click-through rate explains why these attacks remain so popular: it just works.

“Phishing works because cybercriminals take great pains to camouflage their ‘bait’ as legitimate e-mail communication, hoping to convince targets to reveal login and password information and/or download malware, but there are still a number of ways to identify phishing e-mails. Here are five of the most common elements to look for.

“1. Expect the unexpected. In a 2016 report from Wombat Security, organizations reported that the most successful phishing attacks were disguised as something an employee was expecting, like an HR document, a shipping confirmation or a request to change a password that looked like it came from the IT department.

“Make sure to scrutinize any such e-mails before you download attachments or click on any included links, and use common sense. Did you actually order anything for which you’re expecting a confirmation? Did the e-mail come from a store you don’t usually order supplies from? If so, it’s probably a phishing attempt.

“Don’t hesitate to call a company’s customer service line, your HR department, or IT department to confirm that any such e-mails are legitimate—it’s better to be safe than sorry.”

Read the full article for more tips.