5 Ways to Detect a Phishing Email and What You Should Do About It

Phishing is by far the most common method of cyberattack, yet many of us still fall victim to these emails. According to the FBI, phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019 to 241,324 incidents in 2020. Meanwhile, Verizon’s latest Data Breach Investigations Report found that more than two thirds of data breaches involved social engineering attacks such as phishing.

In this blog, we use real phishing email examples to demonstrate five clues to help you spot phishing emails. 

Clue #1 – The message is sent from a public email domain

No legitimate company will send an email from an address that ends with “@gmail.com”. Most organizations, barring a few small concerns, will have their own domain. For instance, an email from CSG Technologies will end with “@csgtechnologies.net”. If the domain name (the bit after the @ symbol) matches the apparent sender of the email, the message is probably legitimate. The best way to check an organization’s domain name is to type the company’s name into a search engine. Often, the display name in the inbox will look like it is from an important source such as “IT Governance”, and the same name will also appear in the local part of the email address.

How to identify a phishing email pretending to be legitimate?

A phishing email imitating PayPal
Image source: WeLiveSecurity 

The image above is a flawless example of a phishing email because it uses a professionally styled PayPal logo. But as much as it attempts to replicate a genuine email from PayPal, there is one significant red flag: the sender’s address is ‘[email protected]’. A genuine email from PayPal would have the organisation’s name in the domain name, indicating that it had come from someone at (@) PayPal. That PayPal isn’t in the domain name is proof that this is an attempt at an attack. Unfortunately, simply including PayPal anywhere in the message is often enough to trick people: seeing PayPal somewhere in the email address is enough to satisfy them. This is because many people do not understand the difference between the domain name and the local part of an email address.

Clue #2 – The domain name is misspelled

There is another way to spot a phishing email from the domain name, although it is a more complex version of the first clue. The problem is that anyone can buy a domain name from a registrar. Even though domain names should be unique, there are numerous ways to create addresses that are hard to tell apart from the one being spoofed. The Gimlet Media podcast ‘Real Me’ aired an episode titled ‘What Kind Of Idiot Gets Phished?’, which focuses on the difficulty of spotting a spoofed domain. Phia Bennin, the show’s producer, hired an ethical hacker to phish various employees. The hacker bought the domain ‘gimletrnedia.com’ (that’s r-n-e-d-i-a, rather than m-e-d-i-a) and impersonated Bennin. The trick was so successful that it fooled the show’s hosts, Gimlet Media’s CEO and its president.
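The checks from Clue #1 and Clue #2 can be automated. The following is an added example, not code from the original article: it splits a From: header into display name, local part and domain, then flags public domains, brand names that appear everywhere except the domain, and lookalike domains such as the ‘rn’ for ‘m’ swap. The brand table (with ‘gimletmedia.com’ inferred from the spelling note above), the public-domain list, the confusable pairs and all function names are assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list (an assumption): brand name -> its real sending domain.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "gimlet media": "gimletmedia.com",
    "csg technologies": "csgtechnologies.net",
}
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Character sequences that read alike at a glance (the 'rn' for 'm' trick).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain):
    """Collapse look-alike sequences so 'gimletrnedia' equals 'gimletmedia'."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches single-letter typos."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]


def check_sender(from_header):
    """Return findings for one From: header; an empty list means no check fired."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    findings = ["public-domain"] if domain in PUBLIC_DOMAINS else []
    for brand, real in KNOWN_BRANDS.items():
        if domain == real or domain.endswith("." + real):
            continue  # really sent from this brand's own domain
        if brand in display.lower() or brand.replace(" ", "") in local:
            findings.append(f"claims-{real}-but-sent-from-{domain}")
        if skeleton(domain) == skeleton(real) or edit_distance(domain, real) == 1:
            findings.append(f"lookalike-of-{real}")
    return findings


if __name__ == "__main__":  # constructed sample headers, not real messages
    for hdr in ("PayPal Support <paypal@notice-access.example>",
                "Show Producer <producer@gimletrnedia.com>"):
        print(hdr, "->", check_sender(hdr))
```

An empty result only means these three checks did not fire; a sender that passes can still be malicious.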

Why is it important for your employees to be confident in their abilities?

Phishing emails provide a link or a set of instructions for the user to follow. Many of us become sceptical when reading them and hesitate to follow the steps. However, simply by clicking on the email, we give the hackers valuable information about the way we think. Therefore, in many ways, criminal hackers often still win even when you’ve thwarted their initial attempt. That is to say, indecisiveness in spotting a phishing attack provides clues to the scammer about where the strengths and weaknesses in your organization are. It takes very little effort for them to launch subsequent attacks that make use of this information, and they can keep doing this until they find someone who falls victim. Remember, criminal hackers only require one mistake from one employee for their operation to be a success. As such, everyone in your organization must be confident in their ability to spot an attack upon first seeing it.

Clue #3 – The email is poorly written

You can often tell if an email is a phishing attempt if it contains poor spelling and grammar. Many people will tell you that such errors are part of a ‘filtering system’ in which cyber criminals target only the most gullible people. This is not true in the case of phishing emails. So why are so many phishing emails poorly written? The most obvious answer is that the scammers aren’t very good at writing. Remember, many of them are from non-English-speaking countries and from backgrounds where they will have limited access or opportunity to learn the language. 

When crafting phishing messages, scammers will often use a spellchecker or translation machine, which will give them all the right words but not necessarily in the proper context.

How to look out for grammatical errors in phishing emails?

A phishing email claiming that there has been "unusual sign-in activity"
Image Source: KnowBe4 

The message contains numerous grammatical errors, even though the individual words are spelled correctly. As a result, native speakers may not pick up on clues such as “We detected something unusual to use an application”. Likewise, there are strings of missed words, such as in “a malicious user might trying to access” and “Please contact Security Communication Center”. These are consistent with the kinds of mistakes people make when learning English. Any official message written with a sense of urgency is most likely linked to an attack.

Clue #4 – The message includes infected attachments or suspicious links

Phishing emails come in many forms. We’ve focused on emails in this article, but you might also get malicious text messages, phone calls or social media posts. Regardless of how it is delivered, every phishing message contains a payload. It could be an infected attachment that you are supposed to download or a link to a fake website. The purpose of these payloads is to capture sensitive information, such as login credentials, credit card details, phone numbers and account numbers.

What is an infected attachment? 

An infected attachment is a seemingly benign document that contains malware. In a typical example, like the one below, the phisher claims to be sending an invoice: 

A phishing email containing a malicious attachment

It doesn’t matter whether the recipient expects to receive an invoice from this person or not, because in most cases they won’t be sure what the message pertains to until they open the attachment. When they open the attachment, they’ll see that the invoice isn’t intended for them, but it will be too late. The document unleashes malware on the victim’s computer, which could perform any number of nefarious activities. 

You can spot a suspicious link if the destination address doesn’t match the context of the rest of the email. For example, if you receive an email from Netflix, you expect the link to direct you towards an address that begins ‘netflix.com’. Unfortunately, many legitimate as well as malicious emails hide the destination address in a button, so it’s not immediately apparent where the link leads.

A phishing email imitating Netflix
Image Source: Malware Traffic Analysis

In this example, you would probably know that something was suspicious if you saw the destination address in the email. However, the rest of the message is pretty convincing, and you might click the link without giving it a second thought. To ensure you don’t fall victim to such attacks, you must train yourself to check where links are redirected before opening them. This is straightforward: on a computer, hover your mouse over the link, and the destination address appears in a small bar along the bottom of the browser. On a mobile device, hold down on the link and a pop-up will appear containing the link. 

Clue #5 – The message creates a sense of urgency

Hackers know that most of us procrastinate. We receive an email giving us important news, and we decide we’ll deal with it later. But the longer you think about something, the more likely you are to notice things that don’t seem right. Maybe you realize that the organization doesn’t contact you by that email address, or you speak to a colleague and learn that they didn’t send you a document. Even if you don’t get that ‘a-ha’ moment, coming back to the message with a fresh set of eyes might help reveal its true nature. This is why so many phishing emails request that you act now or else it will be too late. This has been evident in every example we’ve used thus far. PayPal, Windows and Netflix all provide services that are regularly used, and any problems with those accounts could cause immediate inconveniences. The manufactured sense of urgency can also come from immediate superiors. Criminals know that we’re likely to drop everything if our boss emails us with a vital request, especially when other senior colleagues are supposedly waiting on us.

A typical example looks like this: 

A phishing email imitating the recipient's boss
Source: MailGuard 

Phishing attacks like these are particularly dangerous because, even if the recipient did suspect foul play, they might be too afraid to confront their boss. However, organizations that value cybersecurity would accept that it’s better to be safe than sorry and perhaps even congratulate the employee for their caution. Using the guide above, organizations will be able to more quickly spot some of the most common types of phishing attacks. Even so, that doesn’t mean they will be able to spot each and every phish. Phishing is constantly evolving to adopt new forms and techniques. When you find yourself becoming the target of a phishing email, you must report it to your in-house IT team or managed service provider. They will quickly be able to alert other employees in the organization and become more vigilant with their protocols. With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing’s evolution.

Matt Parks

About the Author: President & CEO, Matt has over 20 years building and leading high functioning teams delivering exceptional results