Phishing continues to be one of the largest threats facing enterprises and a malicious email is just the starting point for a cyberattack. Once inside, threat actors can deploy the next stage of an attack, such as ransomware or data theft. Fortunately, user education can go a long way in helping to reduce the risk of these scams. The more users that are aware that these types of attacks exist, the more examples they see and the more tips they receive for how to identify them, the less likely they are to fall victim.
Here are 11 tips for spotting malicious emails:
- Does the email address seem suspicious?
- What is the content of the email?
- What’s the subject line?
- Are there any grammar and spelling mistakes?
- Have you checked the links?
- Is there a lack of personalization?
- How much detail is included in the email?
- What is the name of the file received?
- Does the email signature match the sender details?
- Be wary of ‘false legitimisers’
- Is the email digitally signed?
1. Does the email address seem suspicious?
This is one of the most important steps you can take when identifying phishing emails. Before you go diving into the email contents, take a step back and look at the source. Who sent the email? Is it someone you are familiar with?
If you’re not familiar with the sender, take a hard look at the from address. This doesn’t just mean the display name; look at the actual email address and domain as well. Does it look suspicious? Of course, “suspicious” can be pretty subjective, but some common red flags include misspelled words, nonsensical strings of letters and numbers, and display names that don’t match the mailto address.
2. What is the content of the email?
Okay, so what if you get an email from someone you don’t know, but the sender address isn’t throwing up any red flags? Depending on your role and the type of organization you work for, it might not be that uncommon for you to receive legitimate emails from new contacts.
There are a couple of things you can do in this instance:
- Do a search on the company – jump off the email and do a Google search on the company. Are they who they say they are? Are they selling what is being outlined in the email you received?
- Ask yourself, ‘was I expecting this email?’ – you may have recently connected with someone at an exhibition or conference and so receiving an email from someone you haven’t interacted with before via email isn’t unheard of.
- Don’t click any links or attachments without doing prior checks – this might seem obvious but you want to have a bit of a better background on the email you’ve received before clicking any links or attachments within the email (but more on this shortly).
3. What’s the subject line?
If you have recently placed an order with a company or are enquiring about a specific product, this is usually outlined in the email’s subject line. Attackers are known to keep subject lines vague and mysterious. Don’t let curiosity get the better of you: follow some of the other checks mentioned here, or even better, get in touch with the company directly to confirm whether the email was sent by them. The organization may well be unaware that attackers are sending emails on its behalf.
4. Are there any grammar and spelling mistakes?
Phishing emails often have poor grammar and are full of spelling mistakes, including in the address they were sent from. There is often a repeated use of “please” in the body of the email, and sentences are awkwardly worded.
5. Have you checked the links?
ALWAYS check the link before you click.
Phishers love to hide malicious links in hypertext. You should always view the destination address (e.g. by hovering your cursor over it) before clicking anything. Is it a legitimate property for the company the email was received from?
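The sender and link checks in tips 1 and 5 can also be applied mechanically to a raw message. The following Python script is an added example, not code from the original post: it parses a constructed sample message, compares the From display name with the real address and domain, and compares each link’s visible text with its actual href. The expected domain `trusted.example`, the sample addresses and the hostnames in the message are all made up for the example.

```python
"""Triage checks for a raw email (added example, not from the original post).

Assumptions, all constructed for this example: RAW_EMAIL is a made-up message,
and 'trusted.example' is the domain the reader expects legitimate mail from.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name mentions the expected domain, the real
# address uses another, and the visible link text differs from the href.
RAW_EMAIL = b"""\
From: "Accounts at trusted.example" <billing@trusted-example-support.com>
To: user@trusted.example
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<p>Please please review your invoice at the earliest.</p>
<p><a href="http://login-trusted.example.evil.test/inv">https://portal.trusted.example/invoices</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'site' label: the last two DNS labels (enough for this comparison)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Return the hostname from a URL-looking string, or None if there is none."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return parsed.hostname


def triage(raw_bytes, expected_domain):
    """Return a list of human-readable red flags for the message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flags = []

    # Tip 1: look past the display name at the real address and its domain.
    display_name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if expected_domain in display_name.lower() and sender_domain != expected_domain:
        flags.append(f"display name mentions {expected_domain} but address is @{sender_domain}")
    if sender_domain != expected_domain:
        flags.append(f"sender domain {sender_domain} is not {expected_domain}")

    # Tip 5: the destination of each link versus what the reader sees.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = host_of(href)
            text_host = host_of(text) if "." in text else None
            if href_host and text_host and registrable_domain(href_host) != registrable_domain(text_host):
                flags.append(f"link text shows {text_host} but points to {href_host}")
    return flags


if __name__ == "__main__":
    for flag in triage(RAW_EMAIL, "trusted.example"):
        print("RED FLAG:", flag)
```

Run as-is, the script reports three red flags for the sample: the display name borrows the expected domain while the address sits elsewhere, the sender domain itself is not the expected one, and the link’s visible text advertises `portal.trusted.example` while its href leads to `evil.test`. The two-label domain comparison is deliberately crude; a production filter would use a public-suffix list.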
6. Is there a lack of personalization?
There are different types of email attacks, and the most common are not personalized at all, often using greetings such as “Hi”, which is somewhat strange for an email that is supposedly specific to you (i.e. not a mass send).
7. How much detail is included in the email?
Malicious emails are very simply stated, don’t typically include product or service details, and don’t reference a mutual contact.
8. What is the name of the file received?
Let’s say, for example, that you have received an email with an invoice which you have already established was not one you were expecting, and no other red flags have been raised so far. Before you open the attachment to view the invoice, have you called the organization in question to check? If not, take a look at the name of the file. A malicious invoice’s file name is typically generic: not specific to a project or company, with no details given.
Another thing you can do, if it’s a company you place orders with regularly, is check the file name against previous invoices/files you’ve received from them. A fraudulent attachment is unlikely to follow their naming structure or the unique references they may use.
Sanity Check Any Attachments, Even If They’re Internal
It’s helpful to take a step back and ask yourself if it makes sense for this person to be sending you this type of file. You got an email from “HR” with an attached PDF outlining your company’s new health insurance plan…when you know you just switched plans a couple months ago? “Finance” sends out a spreadsheet detailing first quarter results…when they’ve never sent them in that format before? This kind of logic check can go a long way in combating some of these types of targeted attacks.
9. Does the email signature match the sender details?
This one might seem obvious but can be easily missed. If the email signature does not match the sender’s details, that raises a red flag as to whether the email is legitimate.
10. Be wary of ‘false legitimisers’
Phishing attacks have grown increasingly sophisticated in recent years, and there are a number of factors designed to make the email seem more legitimate:
- A domain was registered (virus-control.com) to imply that the malicious URL belongs to an authentic anti-virus company
- A real brand name of an anti-virus company is incorporated into the URL to impart false assurance
- The urgency of the messaging – flagging it as high importance, use of “at the earliest” within the copy
These extra features make it even more difficult to spot phishing emails and highlight the importance of taking a minute to think before clicking or downloading anything.
11. Is the email digitally signed?
It’s no secret that we recommend digitally signing all company emails. Digitally signing an email ties a person’s third-party-verified online identity to their email communications. This means if you receive a digitally signed email from someone you know, you can be confident that the email actually came from them and not a phisher.
How can you tell if an email has been digitally signed?
Most enterprise email clients clearly indicate if an email has been digitally signed. For example, Microsoft Outlook includes a ribbon. Clicking the ribbon brings up additional information about the signer and the certificate used to apply the signature, so you can further validate the signer’s identity.
When in Doubt – Don't Click!
If you’re still not sure whether the email is legitimate, we urge you to err on the side of caution. Some phishing attempts can be quite sophisticated, involving detailed knowledge of the target and the company, and can be difficult to spot. It never hurts to double check with the sender before you click any links or download any attachments. Your IT department may also be able to help you determine whether an email is safe. If in doubt, forward any suspicious emails to your IT department, so they can verify whether the email is valid and are aware of it if it turns out to be a phishing attempt.
Editor’s Note – this blog was originally published in 2016 but was updated October 2022