5 Signs You Just Got a Phishing Email

On: June 26, 2017
Phishing emails come in many flavors, but here are five common clues someone's trying to scam you or your employees.

“I don’t know why you unethical f–kers think you can get away with this.”

Pretty shocking, right? That was one of the more memorable phishing email subject lines my colleagues recently spotted in their work inbox.

This particular attempt went on to ask why the sender wouldn’t pay an “invoice” attached to the email. Our IT staff later confirmed this attachment carried a ransomware payload.

Like the confusing influx of different Oreo flavors in recent years (cotton candy Oreos, really?), the variety of phishing email attempts has blossomed. The “shock and awe” method described above is not a new tactic, though the use of vulgarity seems to be a relatively new variation.

Fake shipping confirmations. Tax-related W-2 requests. Emails requesting password resets for social media accounts, online banking, you name it. These are just a few ways scammers use social engineering to bypass technological safeguards and compromise sensitive data.

Same Goal, Different Wrappers

No matter the method, each phishing email shares the same goal: Get a human to grant a cybercriminal access where a piece of malware alone could not do the job. Recent industry research continues to show how effective these attacks are.

Last year, according to the 2017 Data Breach Investigations Report, one in 14 users was tricked by a phishing email into following a link or opening an attachment. Overall, 43% of the thousands of data breaches analyzed in the report were the result of phishing.

Fortunately, just as these attacks share the same goal, many share the same signs revealing their true nature as a phishing attempt. Here are five common signs to keep an eye out for:

Image: a phishing email with misspellings, supposedly from LinkedIn. Caption: Chances are LinkedIn can afford to spell check their emails.

1. Spell Check to the Rescue

One of the most obvious giveaways in a phishing email is incorrect spelling in the body or the subject line. This becomes especially significant when the mail purports to be from a larger corporation, like LinkedIn or T-Mobile. You can bet that multimillion dollar corporations have the resources to spell check all customer-facing communications, even if they’re automated.

2. Hover Before You Click

The highlighted blue text of a hyperlink in an unexpected email should automatically raise a red flag. Phishers often try to conceal URLs leading to malware this way, so a good rule of thumb is to always hover over hyperlinks in emails before you click them. This will reveal the true destination of the URL, no matter what the linked text says. On mobile devices, carefully long-pressing on a suspicious hyperlink will reveal the link destination and other options. Does the destination URL look suspicious? Time to delete that email, or report it to your IT staff.

Phishers will also try to disguise phishy URLs as legitimate ones by including some or all of an actual brand name. For example, “http://www.paypal@playpaysite.com/34-1e.php” will direct clickers to “playpaysite.com” and is not affiliated with the legitimate PayPal site in any way. The dead giveaway here is the @ symbol. A browser treats everything between “http://” and the @ as a username, not as part of the address, and connects only to the host that follows the @, up to the first single forward slash (/). The “www.paypal” might as well not be there.
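To make the @ trick concrete, here is a small added example (not code from the original article) that uses Python's standard URL parser to show which host a browser would actually connect to, and that also catches the related "brand name as a subdomain of another domain" trick. The sample links other than the article's own PayPal example are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links; the first is the article's own example.
SAMPLE_LINKS = [
    "http://www.paypal@playpaysite.com/34-1e.php",
    "https://www.paypal.com/signin",
    "https://paypal.com.account-verify.example/login",  # constructed lookalike
]


def true_host(url):
    """Return the host a browser would connect to for this link.

    Text between the scheme and an '@' is parsed as a username, not as part
    of the host, so "www.paypal@playpaysite.com" resolves to playpaysite.com.
    """
    parts = urlsplit(url)
    return (parts.hostname or "").lower()


def link_username(url):
    """Return the userinfo (text before '@') if the link carries one, else None."""
    return urlsplit(url).username


def is_brand_domain(host, brand_domain):
    """True only if host is brand_domain itself or a genuine subdomain of it.

    A naive substring check would accept "paypal.com.account-verify.example";
    anchoring the comparison at the end of the host rejects it.
    """
    brand_domain = brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def assess_link(url, brand_domain="paypal.com"):
    """Give a one-line verdict for a link that claims to belong to brand_domain."""
    host = true_host(url)
    user = link_username(url)
    if user is not None:
        return f"SUSPICIOUS: '@' in link; {user!r} is ignored, real host is {host}"
    if not is_brand_domain(host, brand_domain):
        return f"SUSPICIOUS: real host is {host}, not {brand_domain}"
    return f"OK: host {host} belongs to {brand_domain}"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", assess_link(link))
```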

Image: a generically addressed email about a financial transaction. Caption: Legitimate messages from banks and other financial institutions should come addressed directly to you.

3. “To Whom It May Concern”

Any messages addressed generically, especially ones regarding financial transactions, are suspicious. A common phishing tactic includes blasting out generic emails to thousands, sometimes millions, of email addresses, often gleaned from a compromised or stolen database. All it takes is one user to click on one of these emails for the cycle to repeat itself.

The same caution should be exercised if suspicious emails come to an email alias address that includes multiple individual email addresses. Examples of these include HR@companyXYZ, or payroll@companyXYZ. My own company had a close call a few months ago with a ransomware-carrying email sent to a sales alias email address.

4. Be Wary of Attachments

Though it has almost reached “old-fashioned” status in favor of URLs leading to downloads, the malware-carrying file attachment is still a common tactic for phishers. The 2017 Verizon data breach report found that 66% of malware installed in 2016 got onto machines and networks via a malicious attachment.

Many email systems will flag or altogether block attachments for this reason. But when they don’t, it’s up to the person receiving the file to decide what to do. In all circumstances, unexpected attachments should not be opened. The risk is simply not worth it.

5. Are You Threatening Me?

As the opening line of this article points out, phishing email attempts will often seek an emotional response from the recipient using inflammatory or threatening language. These tactics take advantage of the ancient human tendency to take quick, unthinking action in the face of danger. In this scenario, this means clicking a link you may not have given much thought to.

Banks, phone companies, even the federal government are not in the habit of threatening account closure or arrest via email. If the subject line or body of the email tells you to do something right now, or else, chances are it’s not what it seems.

The You Factor

The methods listed above are good overall points to look for when scrutinizing a suspicious email. However, they do not represent all the ways in which scammers will attempt to phish you or your employees. That’s why a vitally important sixth way of spotting a phishing email should be pointed out. And it’s sitting right where you are.

That’s right, it’s you.

You have the best understanding of what sort of emails you usually get at home and at work. If an email just feels off for any reason, that’s enough to be wary of it. Any legitimate email request can be followed up with a phone call or separate email.

Odd-looking financial request from your boss? Call him or her or, if possible, stop by his or her office. An email that looks to be from your bank, but is asking for something that makes you uncomfortable? That’s what customer service representatives are for. Give them a ring and ask about the topic of the email over the phone.

The sheer ingenuity of cybercriminals almost guarantees the coming years will bring phishing attempts no one has ever seen before. Just look at the Google Docs phishing scam from last month. That’s why a healthy dose of security awareness, with some skepticism and situational awareness thrown in, can go a long way.

Want to keep your employees’ phishing email knowledge up to snuff? Request a demo of our Phishing Simulator and ask about teaming our tool with industry-leading anti-phishing training.
