Cofense Email Security

10 Signs of a Phishing Email

How to Identify Phishing Attacks

Phishing continues to be the number one attack vector for threat actors, and it is important that your entire workforce knows the signs of a phishing email. Everyone is a target in today’s cyberwar climate, and email security is usually the first line of defense. Organizations of all sizes experience frequent, extremely sophisticated phishing attacks, and it is unrealistic to expect IT and security teams to identify all phishing attacks and fight that battle alone using just technology. The reality is, as humans are the ones being targeted, humans must be the primary defense against attackers trying to gain access to information systems.

What is Phishing?

Let’s start with the basics. The definition of phishing is an email designed to trick the recipient into sharing sensitive information, usually by impersonating a company or trusted individual. These emails often contain a sense of urgency or fear, prompting the recipient to act quickly without fully thinking it through. The goal of the attacker is to have the recipient click on a link, entering their login credentials or other sensitive information into a fake webpage, or downloading a malicious attachment that can install malware on the victim’s device.

Why Phishing Awareness is Vital to Organizations

Successful phishing attacks give attackers a foothold in corporate networks, access to vital information such as intellectual property, and in some cases, money. The question is how to generate phishing awareness and train your team to spot a phishing email. There are numerous types of phishing, but ultimately it is any type of attack by email that is designed to result in the recipient taking a specific course of action. This could be clicking a link that leads to a compromised website, opening a malware-laden attachment, or divulging valuable information such as usernames and passwords.

Look for a Hook in Phishing Emails

Increasingly, phishing emails are carefully researched and contrived to target specific recipients. Given the number and intensity of data breaches in recent years, there is a wealth of information available to phishers to use when honing their prose, making it even tougher to spot signs of a phishing email and discern fact from fiction.

The increasing sophistication of phishing attacks makes it difficult for technology to identify and block email-borne threats. However, phishing emails typically have a range of “hooks,” which, if spotted by the recipient, can prevent the attack from being successful. The following are some of the hooks – or signs of a phishing email – that can indicate an email is not as genuine as it appears to be.

10 Most Common Signs of a Phishing Email

1. An Unfamiliar Tone or Greeting

The first thing that usually arouses suspicion when reading a phishing message is that the language isn’t quite right – for example, a colleague is suddenly over familiar, or a family member is a little more formal. For instance, if I personally were to receive an email from Cofense’s CTO that began with “Dear Scott,” that would immediately raise a red flag. In all of our correspondence over the years, he has never begun an email with that greeting so it would feel wrong. If a message seems strange, it’s worth looking for other indicators that this could be a phishing email.

2. Grammar and Spelling Errors

One of the more common signs of a phishing email is bad spelling and the incorrect use of grammar. Most businesses have the spell check feature on their email client turned on for outbound emails. It is also possible to apply autocorrect or highlight features on most web browsers. Therefore, you would expect emails originating from a professional source to be free of grammar and spelling errors.

3. Inconsistencies in Email Addresses, Links & Domain Names

Another simple way to identify a potential phishing attack is to look for discrepancies in email addresses, links and domain names. For example, it is worth checking against previous correspondence that originating email addresses match. If a link is embedded in the email, hover the pointer over the link to verify what ‘pops up’. If the email is allegedly from PayPal, but the domain of the link does not include “,” that’s a huge giveaway. If the domain names don’t match, don’t click.

4. Threats or a Sense of Urgency

Emails that threaten negative consequences should always be treated with suspicion. Another tactic is to use a sense of urgency to encourage, or even demand, immediate action in a bid to fluster the receiver. The scammer hopes that by reading the email in haste, the content might not be examined thoroughly so other inconsistencies associated with a phishing campaign may pass undetected.

5. Suspicious Attachments

If an email with an attached file is received from an unfamiliar source, or if the recipient did not request or expect to receive a file from the sender of the email, the attachment should be opened with caution. If the attached file has an extaension commonly associated with malware downloads (.zip, .exe, .scr, etc.) – or has an unfamiliar extension – recipients should flag the file to be virus-scanned before opening.

6. Unusual Request

Leading on from the point above, if the email is asking for something to be done that is not the norm, then that too is an indicator that the message is potentially malicious. For example, if an email claims to be from the IT team asking for a program to be installed, or a link to patch the PC followed, yet this type of activity is typically handled centrally, that’s a big clue that you have received a phishing email and you should not to follow the instructions.

7. Short and Sweet

While many phishing emails will be stuffed with details designed to offer a false security, some phishing messages have also been sparse in information hoping to trade on their ambiguity. For example, a scammer that spoofs an email from Jane at a company that is a preferred vendor emailing the company once or twice weekly, has the vague message ‘here’s what you requested’ and an attachment titled ‘additional information’ in hopes they’ll get lucky.

8. Recipient Did Not Initiate the Conversation

Because phishing emails are unsolicited, an often-used hook is to inform the recipient he or she has won a prize, will qualify for a prize if they reply to the email, or will benefit from a discount by clicking on a link or opening an attachment. In cases where the recipient did not initiate the conversation by opting in to receive marketing material or newsletters, there is a high probability that the email is suspect.

9. Request for Credentials, Payment Information or Other Personal Details

One of the most sophisticated types of phishing emails is when an attacker has created a fake landing page that recipients are directed to by a link in an official looking email. The fake landing page will have a login box or request that a payment is made to resolve an outstanding issue. If the email was unexpected, recipients should visit the website from which the email has supposedly come by typing in the URL – rather than clicking on a link – to avoid entering their login credentials of the fake site or making a payment to the attacker.

10. See Something, Say Something

Identification is the first step in the battle against phishers. However chances are if one employee is receiving phishing emails, others are as well. Organizations need to promote phishing awareness and condition employees to report signs of a phishing email – it’s the old adage of “If you see something, say something,” to alert security or the incident response team.

A complication of this is then sifting through the various reports to eliminate false positives. So, how can an organization stop phishing emails and identify phishing attacks? One method is to prioritize alerts received from users who have a history of positively identifying phishing attacks. These employee-sourced, prioritized reports provide the incident response (IR) team and security operations analysts with the information needed to rapidly respond to potential phishing attacks and mitigate the risk from those that may fall prey to them.

10 Most Common Signs of a Phishing Email Infographic

10 Most Common Signs of a Phishing Email Infographic

Which of the following is not a suspicious email characteristic? 

Emails have become an essential part of communication for almost everyone, including both individuals and organizations. However, with the ease of sending emails, comes the increasing risk of spam and phishing activities.

To protect yourself from falling victim to scams, it’s key to know how to identify suspicious emails and what signs to look out for. While scammers may use various tricks to deceive their victims, there are some common red flags that can give them away. These include suspicious links, poor grammar and spelling, and urgent demands.

On the other hand, a professional and informative tone of voice is not a suspicious characteristic at all. In fact, it is a standard practice in most legitimate emails and should not raise any alarms.

In addition to being aware of suspicious email characteristics, it is helpful to know what content is not associated with suspicious emails. Examples of non-suspicious content include providing relevant information, offering helpful guidance, and ensuring clarity in the message. It is important to remember that legitimate emails often contain valuable content that assists and informs the recipient.

By being attentive to both suspicious email characteristics and non-suspicious content, you can enhance your email security and protect yourself from potential scams.

Frequently Asked Questions

The most common indicators of a phishing attempt usually involve tone, grammar and urgency in an email message and subject line. Major warning signs in an email are:

  • An unfamiliar greeting
  • Grammar errors and misspelled words
  • Email addresses and domain names that don’t match
  • Unusual content or request – these often involve a transfer of funds or requests for login credentials
  • Suspicious attachments

All phishing is potentially very dangerous but one type is particularly serious. It’s known as BEC, or business email compromise. These emails are usually more carefully crafted and are often difficult to spot. They target small, select groups with messages that seem legitimate. A successful attack can result in lost revenue and seriously compromised or stolen data.

Phishing awareness and user conditioning are critical defenses against phishing email. Train your employees to spot phish. Real-world phishing simulations are an effective means of conditioning users against threat actors. Also, investigate solutions that combine crowdsourced phishing detection with advanced software and intel to block and quarantine phish.

Learn more about phishing detection and response?

Explore our Resource Center for our latest content

Explore our database of phish found in environments protected by SEGs

Share This Article

Download our latest Phishing Review to learn about threat landscape trends.


We use our own and third-party cookies to enhance your experience. Read more about our cookie policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.