10 Ways to Identify a Phishing Email

July 20, 2021 | By IANS Faculty

Digital thieves use phishing emails or text messages to trick victims into clicking malicious links, opening or downloading malicious files, or giving away sensitive information. Attackers update their tactics regularly, but some common telltale signs can help users recognize a phishing attempt. This piece highlights 10 ways to identify a phishing email and avoid falling victim to an attack.

Although a number of global law enforcement and public/private initiatives work to reduce phishing and other online crime, each organization remains responsible for educating and defending itself against these attackers.

How to Identify a Phishing Email

The first step is to educate employees to recognize and avoid falling victim to phishing attacks. To that end, the following are 10 ways users can identify a phishing email.

1. Odd Sender Address

Phishing emails may initially look like they come from a company or person you know or trust. Sophisticated attackers will find out where you shop or where you leave reviews online and use that to target you, knowing you really use that site. Both the display name and the visible "From" address can be faked, so neither proves who sent the message. To determine the real sender, open the full message headers and check the actual sender address, the Reply-To address (replies may be routed somewhere other than the visible sender), the Return-Path, and the Authentication-Results (SPF, DKIM and DMARC) added by your own mail server. Examples of suspicious senders include:

  • Name of a boss, a friend or a coworker, but from an email you don’t recognize
  • A credit card company or bank you may use
  • A social networking site
  • An online store you may use
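The header checks described above, done programmatically, as an added example that is not part of the original article. It uses only the Python standard library; the two messages, the addresses and the domain names in it are constructed samples, and the Authentication-Results line is assumed to have been written by the receiving mail server.

```python
# Added example (not from the original article): inspect the headers of a raw
# RFC 5322 message and report sender-related red flags, using only the
# Python standard library. Both messages below are constructed samples.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing sample: the display name claims to be the CEO, but the
# Reply-To, Return-Path and authentication results all point elsewhere.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: <ceo.janedoe@webmail.example>
To: <bob@example.com>
Subject: Please read: Important from HR

Bob, I need you to handle something urgently. Reply ASAP.
"""

# Constructed legitimate sample for comparison: every header agrees.
SAMPLE_LEGIT = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: <bob@example.com>
Subject: Agenda

Agenda for Monday is attached.
"""

ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_red_flags(raw_message: str) -> list[str]:
    """Return human-readable warnings about the sender of a raw message."""
    msg = message_from_string(raw_message)
    flags: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # Display name that itself looks like an address from another domain,
    # e.g. From: "it-support@bank.example" <random@webmail.example>.
    fake = ADDR_IN_TEXT.search(from_name)
    if fake and _domain(fake.group(0)) != from_domain:
        flags.append(f"display name shows {fake.group(0)} but real address is {from_addr}")

    # Reply-To that routes replies to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")

    # Return-Path (envelope sender) from a different domain: typical of bulk
    # phishing sent through a throwaway relay.
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    if return_addr and _domain(return_addr) != from_domain:
        flags.append(f"Return-Path {return_addr} does not match From domain {from_domain}")

    # Authentication-Results is written by the receiving mail server (which
    # should strip any copy the sender included), so unlike the From line it
    # reflects what SPF, DKIM and DMARC actually verified.
    for method, result in AUTH_RESULT.findall(msg.get("Authentication-Results", "").lower()):
        if result in AUTH_FAILURES:
            flags.append(f"{method.upper()} check result: {result}")

    return flags


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, sender_red_flags(sample) or ["no sender red flags"])
```

Run it directly to see the phishing sample produce four warnings (Reply-To, Return-Path, SPF and DMARC) and the legitimate sample none. Note that a mismatched Return-Path or Reply-To is a signal, not proof: mailing-list software and ticketing systems legitimately set both, which is why the example reports reasons rather than a single verdict.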

2. Common Phishing Subject Lines

Look at the subject line. Is it similar to one of the common phishing subject lines below? Does it make you curious or grab your attention? There are many beyond this short list, so think before you click and be suspicious:

  • Stricter face mask policies
  • Job application
  • Payroll
  • Password verification
  • Agenda
  • A delivery attempt was made
  • Change of password required immediately
  • W-2
  • Company policy update
  • UPS label delivery ####
  • Revised vacation and time policy
  • Staff review schedule
  • Urgent press release to all staff
  • Deactivation of (email) in process
  • Please read: Important from HR

3. Awkward Body Text

English may not be the attacker's first language, which makes some phishing messages easier to spot because they read awkwardly. Things to check:

  • Does the subject line make sense?
  • Are there typos?
  • Were you expecting it?
  • Is it urgent?

4. Generic Greetings and Signatures

A generic greeting, like "Dear Customer" or "Most Valued Sir," along with a lack of contact information, is a red flag. An organization you deal with regularly has your name in its customer relationship management (CRM) software and ends its messages with official corporate contact information. The reverse does not hold: an attacker working from a stolen customer list can greet you by name, so a correct greeting alone does not prove a message is genuine.

5. Spoofed Hyperlinks and Websites

Check the email yourself by hovering over (but not clicking) images and links. If the URL revealed doesn't match the URL you expected, it may lead to a spoofed site. This check is not always conclusive, because many legitimate companies serve links through a content delivery network (CDN) or send mail through a CRM or marketing platform (e.g., Salesforce) that rewrites links into tracking URLs. Pay particular attention to link text that shows one address while the real target is another, to targets that are raw IP addresses, and to look-alike domains. If it does not look normal, don't click on it.
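The same hover check applied to an HTML email body, as an added example that is not part of the original article. It uses only the Python standard library; the HTML, the IP address, the punycode host and the domain names in it are constructed samples, and the CRM tracking link stands in for the legitimate rewritten links the paragraph above mentions.

```python
# Added example (not from the original article): the "hover over the link"
# check done programmatically for an HTML email body, using only the Python
# standard library. The HTML below is a constructed sample.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """\
<p>Dear Customer,</p>
<p>Please verify your account at
<a href="http://198.51.100.23/login">https://www.bank.example/login</a>
or use our <a href="https://xn--bnk-qla.example/login">secure login</a>.
You can also sign in at
<a href="https://www.bank.example@evil.example/login">bank.example</a>.</p>
<p>Questions? Visit <a href="https://www.bank.example/help">bank.example/help</a>.
<a href="https://click.crm-platform.example/t/7f3a?u=123">Unsubscribe</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, text) tuples
        self._current = None   # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


# Visible text that a reader would take for an address: optional scheme,
# at least one dot-separated label pair, optional path.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _host(url: str) -> str:
    """Host part of a URL or bare domain, lower-cased; '' if unparsable."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def _same_site(a: str, b: str) -> bool:
    """Treat www.bank.example and bank.example as the same site."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def link_red_flags(html: str) -> list[str]:
    """Return human-readable warnings about the links in an HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    flags: list[str] = []
    for href, text in collector.links:
        host = _host(href)
        # Visible text looks like a URL, but the real target is another site.
        if URL_LIKE.match(text) and not _same_site(_host(text), host):
            flags.append(f"{href}: text shows {text!r} but link goes to {host}")
        # user@host trick: everything before '@' is ignored by the browser.
        if "@" in urlparse(href).netloc:
            flags.append(f"{href}: '@' in URL, real host is {host}")
        if IPV4.match(host):
            flags.append(f"{href}: raw IP address instead of a domain name")
        if host.startswith("xn--") or ".xn--" in host:
            flags.append(f"{href}: punycode (xn--) host, may render as a look-alike domain")
    return flags


if __name__ == "__main__":
    for flag in link_red_flags(SAMPLE_HTML) or ["no link red flags"]:
        print(flag)
```

On the sample this reports five warnings across three links and stays silent on the legitimate help link (a www. subdomain of the domain shown in the text) and on the tracking link, whose text "Unsubscribe" makes no claim about where it goes. That last case is the limit of the check: a rewritten CRM link cannot be told from a malicious one by inspection alone, which is why the paragraph above advises not clicking anything that does not look normal rather than trusting any single rule.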

6. Poor Spelling, Grammar and Layout

Poor grammar and sentence structure are an indication the sender is a non-native speaker. Reputable companies take pains to ensure their messages are correctly drafted in the native language of the recipient. The reverse is not a safe assumption: a cleanly written message is not evidence of legitimacy, since attackers can copy a real company's templates word for word.

7. Unsolicited Attachments

Always be suspicious of emails instructing you to open attachments. Malicious code and macros can run when you open the attachment, even if it appears to be a PDF or text file: the icon and file name are chosen by the sender, and a double extension (for example, "invoice.pdf.exe" shown as "invoice.pdf" when extensions are hidden) can disguise an executable as a document.

8. Urgency

Attackers frequently create a false sense of urgency to get victims to open the message or attachment without examining it first. Such messages may include statements like:

  • ALERT! Notice of suspicious activity or log-in attempts
  • Problem identified with your account or your payment information
  • Need to confirm some personal information
  • An invoice is past due
  • Request to click on a link to make a late payment

9. Requests for Username, Password, Email or Sensitive Info

Unexpected requests for sensitive information rarely come through email or other digital means. When they do, confirm with the sender by phone, using a number you already have (from your directory or the organization's official website), never one supplied in the email itself. If something doesn't look normal, be suspicious. Scammers create fake login pages that look legitimate and then ask you to enter your credentials to "confirm" them in their system. Don't fall for it.

10. Hooks

Emails that play on your emotions are "hooks." These scams will say something like "you have been selected as a winner" or "click here for a free iPad." They will also often tug on your heartstrings with appeals for help or assistance from a charity you don't recognize.


Additional Anti-Phishing Resources

Remember that with phishing, the best defense is your own suspicion. If you think something is too good to be true, it is. To ensure you keep ahead of the scammers, check out these resources:

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
