February 14, 2019

Phishing has become one of the words of the century. It is the most popular and successful method that a cybercriminal can use to perpetrate a cybercrime. If you ever become infected by ransomware or have had personal data, such as login credentials, stolen, chances are a phishing email was behind it.

Cybercrime is rife, and phishing is the hackers favourite tool. In 2017, according to security firm, Norton, 35 percent of UK citizens had been a victim of a cybercrime. Of those, 37 percent had become a victim by clicking on a link in a malicious email.

Every year, Verizon produce a study, the Data Breach Investigation Report. In 2018, they found that 93 percent of breaches were phishing related, with phishing emails being the main source of the breach.

Phishing is a scourge of modern times. The method is something that businesses of all sizes, across all sectors, are up against. To keep our organisations and ourselves safe from its impact, we need to know what we are dealing with. So, what is phishing and how can you spot the tell-tale signs of a phishing email?


What is a Phishing Email?

What is a phishing email?

Phishing emails are malicious. They have one job and that is to trick you out of data – usually login credentials or personal data. How they do that varies. Typically, a phishing email will either:

  1. Have a link in the body of the email that if clicked will take you to a website. This website may:
    • Ask you to enter login credentials
    • Ask you to enter personal data like your name, address, etc.
  2. Contain an attachment, which if opened, will infect your computer with malware. This malware is typically keylogging software – if you type a password on the infected computer it will capture this and send it to the phisher

The trouble is, it is often difficult to spot if an email is legitimate or phishing. This is why they are so popular. The success rates of phishing emails can vary, depending on how well executed the email phishing campaign is, but successful phishing campaigns can trick up to 90 percent of recipients.  


The Special Case of Spear Phishing

What is spear phishing

Some phishing emails are named “Spear phishing” because they carefully choose their victim and tailor the phishing email based on what they know about the target. In a report by Symantec they found that spear phishing attacks used to steal credentials, were used in 71 percent of cases of data breach.


What Are the Tell-tale Signs of a Phishing Email?

Now that you have the low-down on how dangerous phishing emails are to business, let’s look at how to spot one.

Before we start, remember this. Phishing is about the manipulation of natural human behaviour. It is about getting someone to click a link or open an attachment before thinking about it. Phishers are looking to capture that knee-jerk reaction and turn it into a win for them.

With this in mind, here is a list of ways that you can use to check out if an email is legitimate or not:

The well-known brand

Was that a phishing email?

Phishers like to make you feel at ease. Trust is a big driver when making decisions. If you trust something or someone you tend to do what they say, with little question. Phishing emails depend on this natural human behaviour to encourage you to do something.

Phishing emails typically take on the guise of a well-known trusted organisation. For example, your bank or government service or Apple or PayPal. Many of the most popular organisations have already and will continue to be used by phishers. Which brand a phishing campaign uses often depends on topical issues or the time of year. For example, around tax return time you will often see a spate of phishing emails that are disguised as the Inland Revenue brand.

If you see a trusted brand come into your inbox then you are more likely to do what that email asks, like click on a link.

The sender’s email address

Email Address

The cybercriminal behind the phishing email will do their utmost to make the email look like it is from a legitimate sender, for example, the email may look like it is from the Inland Revenue. However, if you look closely at the sender’s email address it will not be the real HMRC domain. Here are some examples – this shows typical HMRC phishing domains. Other well-known brands are disguised in a similar manner:

  • phishing@hmrc.gsi.gov.uk  – correct
  • service.refund@hmrc.gov – phishing email
  • secure@hmrc.co.uk – phishing email

Some phishing emails use quite blatantly illegitimate email addresses. For example, one phishing email received that was purporting to be from HMRC had this address: email-7501290535@message-0851936445.revenuenet.co.uk

Link URL

Phishing email URL link

The links that the cybercriminal want us to click on will usually be concealed in a button or a similar. If you hover your mouse over the link, in most browser or desktop client email Inboxes, you will see the actual URL (website address) appear in the bottom corner of the screen. This will not reflect the actual brand that it pretends to be from, or it will be close, but misconfigured in some way, e.g. apple.com/login will be something like, app1e.com/login

NOTE: There used to be a simple way to check if a website was secure and that was if the HTTP had an S (for secure), i.e., the website started with HTTPS://websitename.xxx. However, just as a word of warning – the Anti Phishing Working Group (APWG) has found that over half of websites used for phishing are HTTPS, so it doesn’t always mean that a website can be trusted just because it is HTTPS.

The email content

Phishers are getting adept at copying the style and branding of big-name company emails. However, they often make mistakes. Look out for poorly written and misspelled body and title content.

Also, one of the key ways that you can spot a phishing email is the salutation used. One of the ways a company helps to prevent phishing is by using your name in the salutation of an email. For example, Dear Ms. Your surname or your first name or your full name. Phishing emails usually get this incorrect and may often use your email address, e.g. Dear, youremailname@yourdomain.com as a greeting.

NOTE: Spear phishing emails, which target specific people, will use their real name, so the above does not apply.


If you want to really deep dive into a website that you suspect might be used by a phishing campaign, you can do a check of ownership using the Internet standard body ICANN, Whois, site ownership checking tool. If the site is legitimate it should say it belongs to the brand; if it is illegitimate it will have a more dubious entity or ownership will be hidden altogether, this should raise a red flag.

It’s just too good to be true

Phishing emails rely on tricking us by manipulating natural human traits. This translates to including things like a sense of urgency or a reward in an email. These are used to trick you into clicking a malicious link or opening an infected attachment. If you are not expecting an email saying you are owed hundreds of pounds or if it really looks too good to be true, chances are it is a phishing email.

A sense of urgency

Another trick that phishers use is to cause fear, uncertainty, and doubt (FUD). This is usually in the form of “your account has been hacked, click here to update your password” or “support have seen a number of failed attempts at login to your account, click here to change your password”.


Think, before you click, before you open that attachment.


Prevention is Better Than Cure for Phishing Emails

Preventing your organisation becoming a victim of a phishing campaign is an ongoing process. Phishing emails are frequent visitors to the Inbox of all of us.  Security awareness training offers focused phishing simulation exercises which help to teach people, using realistic examples, how to know if an email is a phishing attempt. Keeping one-step ahead of the cybercriminals is a way to keep on top of this most insidious of cybercrimes.

Share this: