How to Spot a Phishing Email: With examples for 2023

ByJon Cosson Posted on Updated on
A young girl frowning whilst trying to spot a Phishing email on her laptop

We may earn a small fee from the companies mentioned in this post.

Phishing attacks are on the rise, and with their increasing sophistication, it’s more important than ever to learn how to identify and protect oneself from phishing email scams. These scams prey on unsuspecting victims by posing as otherwise legitimate companies or entities and tricking them into providing sensitive information or even money.

In this guide, we’ll delve into the world of phishing email attacks, exploring their various types, techniques, and warning signs. By understanding the ins and outs of these scams, you’ll be better equipped to spot phish email attempts and safeguard your personal and financial information.

Short Summary

  • Understand phishing attacks and recognise red flags such as discrepancies in the email sender and domain, suspicious attachments, and links.

  • Take proactive measures to protect yourself from phishing emails by using security software, keeping systems updated, and reporting/responding to suspicious attempts.

  • Learn about three real-world examples of tax refund scams, job offer scams & password reset scams to help identify potential threats.

  • Discover how the rise of AI in Phishing emails has created a new threat landscape.

Understanding Phishing Attacks

A Hackers working on a computer creating a phishing email

Phishing attacks are fraudulent attempts to deceive victims into divulging confidential information, often through deceptive phishing messages. These phishing scams are designed to trick users into providing sensitive information such as login credentials, bank account details, other account numbers and even credit card numbers.

By understanding the different types of phishing attacks and the techniques used in these scams, you’ll be better equipped to identify phishing emails and protect yourself from falling prey to these cyber criminals.

Types of Phishing Attacks

Phishing attacks come in various forms, each with its own method of targeting victims. Some phishing attack examples include Spear Phishing, CEO Fraud, Vishing, SMiShing, and Pharming.

In spear phishing attacks, cyber criminals use previously collected data about the victim or their employer to craft targeted, urgent, and familiar emails.

CEO fraud, on the other hand, involves an attacker impersonating a high-ranking company official, such as the CEO or HR Manager, using a recognisable email address to make fake emails to deceive the victim.

Vishing is a form of phishing, that uses urgent voicemail messages to trick victims into calling a different phone number, often requesting personal information or payment.

SMiShing utilises text messages to deceive victims into clicking on malicious website links.

Finally, pharming attacks involve redirecting users to a fake website by altering DNS settings on a router, allowing criminals to collect all the data entered on that site.

By being aware of these different types of phishing attacks, you can better recognise and avoid falling fall victim to to them.

Checkout our blog on Smishing a comprehensive guide

Techniques Used in Phishing Emails

Phishing emails employ various techniques to manipulate victims into taking action. Some of these techniques include using social media, engineering, creating a sense of urgency, and impersonating trusted entities.

The poor writing often found in phishing emails may be a result of scammers using spellcheckers or translation machines, which provide correct words but not necessarily in the appropriate context.

One of the most dangerous aspects of phishing emails is the presence of infected attachments, which appear harmless but actually contain malicious software. Opening such an attachment can release malware onto the victim’s computer, potentially leading to identity theft, data breaches, or other malicious activities.

If you receive a pop-up warning regarding the authenticity of an attachment in a phishing email, it is recommended that you do not proceed and instead contact the sender through an alternate channel to verify its authenticity.

Recognising Red Flags in Phishing Emails

A latop being used by a man, warning him of a potential phihsing email

Recognising the red flags in phishing emails is crucial for avoiding these scams. Some common signs include email sender and domain discrepancies, suspicious attachments, and links.

By being aware of these warning signs, you can better protect yourself from falling victim to phishing attacks and safeguard your sensitive account information.

Email Sender and Domain Discrepancies

Email sender and domain discrepancies can be a strong indication of a phishing attempt. This may include:

  • The use of public email domains, such as “@gmail.com”

  • Domain names with spelling errors, as was the case in the Gimlet Media podcast ‘Reply All’ where a hacker purchased the domain ‘gimletrnedia.com’ and impersonated a producer

  • A “domain not found” error

  • A sender email address that does not correspond to the site domain

These warning signs should be taken seriously and can help you identify potential phishing attempts.

By being alert to these discrepancies, you can better identify phishing and scam emails, and avoid providing sensitive information to cyber criminals. Always double-check the sender’s email address and domain, and if something seems suspicious, contact the company or organization through a known and trusted channel before responding to the email.

Suspicious Attachments and Links

Suspicious attachments and suspicious links in phishing emails can pose significant risks to your personal and financial information. These attachments and links may contain malware or direct you to malicious websites designed to steal sensitive data. Scammers often use urgency to pressure victims into clicking on these links or opening attachments before they have time to consider the potential risks.

To protect yourself from these threats, follow these precautions:

  1. Be cautious when clicking on links or opening attachments in unsolicited emails.

  2. Always hover your cursor over a link to reveal the destination address.

  3. Verify the source of the attachment before opening it.

  4. If in doubt, contact the sender through an alternate channel to confirm the legitimacy of the attachment or link.

How to Protect Yourself from Phishing Emails

Man using a laptop with protective software that detects malware and phishing emails

Protecting yourself from phishing emails involves using security software, keeping your systems updated, and knowing how to report and respond to phishing attempts. By taking these proactive measures, you can stay one step ahead of cyber criminals and safeguard your sensitive information from being compromised.

Security Software and Updates

Security software and updates play a vital role in detecting and blocking phishing attempts. Using a reputable security software, such as Aura’s identity theft protection, can help you prevent phishing and safeguard your identity from potential scammers. Additionally, regularly updating your operating system, web browser, and other software ensures that the latest security patches and features are in place.

By staying informed about the latest threats and maintaining your security software and updates, you can better protect yourself from phishing attacks and minimise the risk of falling victim to these scams. Remember, knowledge is power when it comes to cyber security.

You may find our blog on how to prevent viruses on your computer

Reporting and Responding to Phishing Attempts

Reporting and responding to phishing attempts is crucial in helping authorities track and shut down phishing operations. By reporting suspicious emails to the Federal Trade Commission or other federal agencies, you can contribute to the ongoing battle against cyber crime.

In addition to reporting phishing attempts, educating others about the risks can raise awareness and prevent further victimization. If you suspect a phishing attempt, do not respond to the email. Instead, report it to the appropriate authorities and alert your colleagues or friends to the potential phishing scam. By sharing your experience, you can help others avoid falling prey to these malicious attacks.

The Rise of Artificail Inteligence in Phishing: A new threat landscape

Artificial Intelligence (AI) has been a game-changer in many fields, including cybersecurity. However, as much as it has been a boon for defenders, it has also opened up new avenues for cybercriminals. One such area is phishing, where AI is being used to create highly believable phishing emails that are much harder to detect.

AI and Phishing: A Dangerous Combination

Phishing, at its core, is a social engineering attack that relies on deception to trick victims into revealing sensitive information. Historically, phishing emails had relatively easy to spot due to their poor grammar, spelling mistakes, and generic greetings. However, with the advent of AI, this is no longer the case.

AI has enabled cybercriminals to create phishing emails that are highly personalised, contextually relevant, and grammatically correct. These emails can mimic the writing style of a trusted individual or organisation, making them extremely convincing. This is possible because AI algorithms can learn from large amounts of data, including email communication patterns, to generate text that closely resembles human-written content.

Moreover, AI can automate the process of sending phishing emails, allowing cybercriminals to target a larger number of potential victims at a faster rate. It can also adapt the phishing strategy based on the victim’s response, making the attack more effective.

Why AI-Generated Phishing Emails are Harder to Detect

AI-generated phishing emails are harder to detect for several reasons:

  1. Personalisation: AI can use data from various sources to personalise the phishing email, making it appear as if it’s coming from a trusted source. This can include using the victim’s name, referencing past interactions, or mimicking the writing style of a known contact.
  2. Contextual Relevance: AI can generate content that is contextually relevant to the victim, increasing the chances of the phishing attempt being successful. For example, it can create an email that appears to be a follow-up to a recent transaction or an update on a current event.
  3. Grammatical Accuracy: Unlike traditional phishing emails, AI-generated emails are less likely to contain grammatical or spelling errors, making them harder to spot.
  4. Adaptive Strategy: AI can adapt the phishing strategy based on the victim’s response, making the attack more effective. For example, if a victim doesn’t click on a link in the email, the AI can follow up with a more enticing message.

Protecting Yourself from AI-Generated Phishing Emails

Despite the sophistication of AI-generated phishing emails, there are still ways to protect yourself:

  1. Be Skeptical: Always be skeptical of unsolicited emails, especially those that ask for sensitive information. Even if the email appears to be from a trusted source, it’s better to verify independently.
  2. Check the Email Address: Look at the sender’s email address carefully. Often, cybercriminals will use an email address that closely resembles a trusted one, but with slight alterations.
  3. Don’t Click on Suspicious Links: If an email contains a link, hover over it to see the actual URL before clicking. If it looks suspicious, don’t click on it.
  4. Use Two-Factor Authentication: Two-factor authentication adds an extra layer of security by requiring a second form of verification in addition to your password.
  5. Keep Your Software Updated: Regularly update your software, including your operating system, browser, and antivirus program, to protect against the latest threats.
  6. Educate Yourself: Stay informed about the latest phishing tactics and how to spot them. Remember, knowledge is your best defense.

In conclusion, while AI has made phishing attacks more sophisticated, being aware of the threat and taking the necessary

While AI has made phishing attacks more sophisticated, being aware of the threat and taking the necessary precautions can significantly reduce your risk of falling victim to these attacks. As AI continues to evolve, so too will the tactics used by cybercriminals. Therefore, it’s crucial to stay informed and vigilant in the face of this ever-changing threat landscape.

Real-World Phishing Email Examples

Keyboard with Phishing Scam button in Red

Real-world phishing email examples can provide valuable insights into the tactics and techniques used by cyber criminals. By examining these examples, you can learn how to recognize common scams and spot the red flags that indicate a phishing attempt.

In the following sections, we will discuss three real-world phishing email examples, including tax refund scams for credit card details, job offer scams, and password reset scams.

Tax Refund Scam

A Woman on the laptop receiving a tax credit scam email and handing over credit card details to cyber criminals online

Tax refund scams are a common type of phishing attack that impersonates tax authorities, claiming that the victim is eligible for a refund and tricking them into providing personal and financial information. These scams often involve emails or messages that appear to be from a government agency, requesting personal information or payment in exchange for a purported tax refund.

To avoid falling victim to tax refund scams, follow these tips.

  1. Always confirm the origin of any emails or messages claiming to be from the government or tax authorities.

  2. Do not share any personal or financial details unless the source can be verified as reliable.

  3. Be cautious of any requests for payment or sensitive information in exchange for a refund.

Job Offer Scam

A jublient Woman recieving a fake job offer over email by scammers trying to extract senstive informaiton from her

Job offer scams target job seekers with fake job offers, often requesting sensitive information or payment for non-existent services. These scams may involve fraudulent emails or messages advertising job opportunities that seem too good to be true, with the ultimate goal of obtaining the victim’s personal information or funds. One such example is the Google Docs scam, where scammers use the platform to share seemingly legitimate documents containing malicious content.

To protect yourself from job offer scams, follow these steps:

  1. Conduct thorough research on the company and the job offer before providing any personal information.

  2. Be wary of job offers that require payment for services such as background checks or training materials.

  3. Always verify the legitimacy of the company and job offer through trusted sources.

By following these steps, you can reduce the risk of falling victim to job offer scams and gain access to legitimate opportunities.

Password Reset Scam

A Man recieving a fake password reset on his desktop computer which has been sent by cyber criminals to extract his current password

Password reset scams are a particularly insidious type of phishing attack, in which cyber criminals impersonate popular online services and claim that the victim’s email account has been compromised.

The scam email urges the victim to reset their password through a malicious link, which leads to a phishing site that appears to be a legitimate login page. Once the victim enters their login credentials, the attacker gains access to their account and personal information.

To safeguard against password reset scams, follow these tips.

  1. Be cautious when clicking on links in unsolicited emails, especially those that claim your account has been compromised.

  2. Always check the sender’s email address and domain.

  3. If something seems suspicious, contact the company or organization through a known and trusted channel before responding to the email.

Summary

In today’s digital world, phishing attacks are an ever-present threat. By understanding the different types of phishing attacks, the techniques used by cyber criminals, and the warning signs of phishing emails, you can better protect yourself and your sensitive information from these malicious attempts. Remember, vigilance and education are your best weapons against phishing scams.

Stay informed about the latest phishing threats, maintain your security software and updates, and report any suspicious emails or phishing attempts to the appropriate authorities. By working together and sharing knowledge, we can build a safer digital environment for everyone.

Frequently Asked Questions

What is a Phish email?

Phishing is a criminal activity in which fraudsters attempt to steal sensitive information by sending emails, text messages or phone calls that disguise malicious links as trusted ones. This phishing technique is used to make victims download malware onto their devices or disclose personal information.

What are 3 signs of a phishing email?

Watch out for emails with suspicious senders, implausible offers, and requests for personal information; these are common signs of a phishing email.

What are 3 types of phishing emails?

Phishing attacks come in many forms, including spear phishing, clone phishing, business email compromise (BEC) attacks, clickjacking and website forgery. All of these are designed to deceive users and lead to the loss of data or financial gain.

What is the main goal of phishing attacks?

The main goal of phishing attacks is to obtain confidential information by deception through phishing messages.

What measures can I take to protect myself from phishing emails?

Keep your systems updated, use security software, and know how to report and respond to phishing attempts to protect yourself from phishing emails.

External Reference Websites

  1. National Cyber Security Centre (NCSC): The NCSC is a UK government organisation that investigates and takes down scam email addresses and websites. They provide advice on how to spot and report scam emails, texts, websites, and calls.
  2. GOV.UK: This is the official UK government website where you can report misleading websites, emails, phone numbers, phone calls, or text messages that you think may be suspicious.
  3. MoneyHelper: This website provides information on how to spot and report fake websites and pharming scams.
  4. FENSA: FENSA provides five clues to detecting a modern phishing email, including tips on identifying public domains, misspelt domain names, and poorly written emails.
  5. SWGfL: This website offers resources on how to spot phishing emails, with a focus on the tell-tale signs that an email might be a phishing attempt.

Remember, it’s important to stay vigilant and always double-check any suspicious emails you receive.

Jon Cosson
Website | + posts

With over three decades of experience in the heart of London’s financial sector, I have dedicated my career to the pursuit of robust cybersecurity practices and IT leadership. As a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Chief Information Security Officer (C|CISO), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI), I bring a wealth of knowledge and expertise to the table.

My journey in the field of cybersecurity has not only been about personal growth but also about sharing my insights with others. As an international speaker, I have had the privilege of addressing audiences worldwide, discussing the importance of cybersecurity in today’s digital age. My passion for knowledge sharing extends to my work as an author and blogger, where I delve into the complexities of cybersecurity, offering practical advice and thought leadership.

In my role as a CISO and Head of IT, I have overseen the development and implementation of comprehensive information security and IT strategies. My focus has always been on creating resilient systems capable of withstanding the evolving landscape of cyber threats.

My Master’s degree in Cybersecurity has provided a solid academic foundation, which, when combined with my practical experience, allows me to approach cybersecurity from a holistic perspective.

I am always open to connecting with other professionals in the field, sharing knowledge, and exploring new opportunities. Let’s secure the digital world together.