How to identify a phishing email?

Phishing needs no introduction these days. Most, if not all, of us have heard of, been targeted by, or even fallen victim to a phishing attack; such is the rate at which cyber crime is growing. While there are different types of phishing (e.g., email-based, phone-based, text-based), in this article we will explore how one can identify, and hopefully protect themselves against, an email-based phishing attack.

The techniques used by attackers are growing ever more ingenious. Here’s a recent example, in which Amazon’s order notification page is spoofed to phish users. That attack combines email-based phishing with vishing (voice phishing via phone call) to steal users’ credit card information.

These attacks have become even more sophisticated and impactful in a corporate setting. Attackers target employees with the intention of gaining access to the company’s internal network and stealing sensitive internal information for financial or competitive gain. Below are a few simple yet effective tips for telling a phishing email from a genuine one. Here’s a sample phishing email:

Fake or unofficial From address

This should be the first telltale sign. If the From address is not a known or trusted address or domain, the email needs to be treated with caution. Attackers use clever tactics here, such as registering domain names with subtle changes (an added underscore or hyphen, for instance) or creating subdomains that mimic the enterprise’s actual domain to trick users. So, first of all, start with the From address and check whether it is known and trusted.

Generic or no greeting

Attackers usually send phishing emails to large groups of potential victims to increase their chances of success. They either harvest these email addresses from the Internet or buy them on underground forums. In most cases the emails are not personalised, because the attackers are casting a wide net: all they need is for one person to take the bait (e.g. click on a link, or download and open the attachment). Most genuine corporate emails address us by our first names, so this is another sign to consider.

Sense of urgency

Another very common tactic is to create a sense of urgency. The email makes it clear that the requested action has to be taken immediately, otherwise the user will face some dire consequence (e.g. losing access to email or being unable to enter the office). This creates panic in the uninitiated and causes them to abandon reason and follow the instructions in the email.

Spelling and grammar mistakes

This is another very obvious but often ignored sign. Sometimes the attackers are from non-English-speaking countries and/or are poorly educated. They are script kiddies looking to make a quick buck, and so they either do not pay attention to spelling and grammar or lack the knowledge to correct them. Of course, we see such mistakes in genuine corporate communications as well, but we can use the other signs noted here to determine whether the email is malicious.

Unsolicited attachments

This is a big one and usually easy to spot. Let’s say you receive an email, purportedly from HR’s email address, with an attachment named “CorporateSalaryStructure2022.xlsx”. Would you open it? I hope you said no. This is an unsolicited attachment, and moreover it is unusual. However subtle, if the email looks unusual to you, it is highly likely to be malicious. In this specific case, you can check with your HR department whether they did indeed, by some long shot, send you an email with such an attachment. I think you know what their answer is going to be.

Always report such emails to your IT department or security operations centre for further action.

Request for personal or sensitive information

Usually the objective of targeting corporate employees (by sending phishing emails to their corporate addresses) is to gain access to the internal corporate network, so that the attacker can exfiltrate sensitive corporate data or intellectual property for competitive gain, or infect corporate machines with ransomware or other malware for financial gain. Therefore, such emails often ask employees either to submit their corporate credentials (which the attacker will use to masquerade as the employee and access internal resources) or to download and open the attachment, which in turn will infect the machine with malware. Any email that urges you to immediately download an attachment or share sensitive information is worth a second look and is most likely malicious.

Links to unknown websites

This is a common modus operandi. Attackers embed links in phishing emails and urge employees to click on them and follow the instructions. The linked websites look and feel like an internal corporate website and may even carry your company’s logo. But such pages are very easy to recreate, so one sure way to identify a fake website is to look at the URL. Study it closely, especially the domain name, to see whether it matches your standard corporate domain. We will do another article on how to check the validity of a domain in a URL and on some of the tactics commonly employed in creating fake domains.
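As an added defender-side example (not code from the original post), here is a small Python check that applies the advice from the From-address section and the links section above: it judges the real sender address rather than the display name, extracts the real hostname of each URL in a message body, and flags subdomain tricks and hyphen/underscore lookalikes. The trusted domain example.com and the sample headers and body are assumptions constructed for the demonstration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the company's real domain is example.com.
TRUSTED_DOMAIN = "example.com"
URL_RE = re.compile(r'https?://[^\s<>"\']+')

def registrable_domain(host: str) -> str:
    """'mail.example.com' -> 'example.com'. Simplified: ignores multi-label
    public suffixes such as .co.uk, which a real deployment must handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_host(host: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Rate a hostname against the trusted corporate domain."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) == trusted:
        return "trusted"                       # real domain or one of its subdomains
    name = trusted.split(".")[0]
    if name in host.split("."):
        return "suspicious:subdomain-trick"    # e.g. example.com.attacker.net
    owner = registrable_domain(host).split(".")[0]
    if name in owner.replace("-", "").replace("_", ""):
        return "suspicious:lookalike"          # e.g. example-login.com, exam_ple.com
    return "unknown"

def check_from(from_header: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Classify the actual sender address (addr-spec), not the display name."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious:malformed"
    verdict = classify_host(addr.rsplit("@", 1)[1], trusted)
    # Display name shows a trusted-looking address while the real one does not match.
    if verdict != "trusted" and ("@" + trusted) in display.lower():
        return "suspicious:display-name-spoof"
    return verdict

def check_links(body: str, trusted: str = TRUSTED_DOMAIN) -> dict:
    """Map every URL in the body to a verdict based on its real hostname."""
    results = {}
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""    # 'https://example.com@evil.net/' -> evil.net
        results[url] = classify_host(host, trusted) if host else "suspicious:malformed"
    return results

if __name__ == "__main__":
    # Constructed sample header and body for demonstration.
    print(check_from("IT Helpdesk <helpdesk@example-support.com>"))
    print(check_links("Reset here: https://example.com.login-portal.net/reset"))
```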

Of course, there is no silver bullet for protecting against phishing attacks; the attacks are constantly evolving. The weapon with the highest chance of success against phishing is awareness. So when it comes to security, err on the side of caution. Being paranoid is the only way to remain secure in the cyber world.
