Question

How to Spot a Phishing Email: With Examples (IT Governance, 22nd March 2022)
Email phishing is one of the most frequent forms of cyber crime, but despite how much we think we know about these scams, they still catch us out all too often.

According to Proofpoint’s 2022 State of the Phish Report, 83% of organisations fell victim to a phishing attack last year.

Meanwhile, Verizon’s 2021 Data Breach Investigations Report found that 25% of all data breaches involve phishing.

These figures help explain why phishing is considered to be among the biggest cyber security risks that organisations face. With a single email, criminal hackers can steal our personal information or infect our devices with malware.

Fortunately, preventing these attacks can be as simple as knowing how to identify phishing emails.

But how do you spot a scam email? This blog uses five real-life examples to demonstrate the common signs that someone is trying to scam you.


Quick checklist: signs of a phishing email

Use this checklist to quickly spot potential phishing emails. A single “yes” answer may indicate fraud.

Examine the sender
Does the email come from a public domain (e.g. ) while claiming to be from a company?
Does the sender’s domain contain misspellings (e.g. “paypl” instead of “PayPal”)?
Does the sender’s address differ from the organisation’s usual email format?
Review content & style
Does the message contain grammatical errors or unusual phrasing?
Does the email create artificial urgency (e.g. “Act now”, “Account suspension imminent”)?
Does the writing style differ from the organisation’s normal tone?
Check links & attachments
Does the hover-over link URL differ from the displayed text?
Does the email ask you to download unexpected files?
Does the message include generic action buttons (e.g. “Click Here”, “Log in now”)?
Look for security red flags
Does the email request sensitive information (e.g. passwords, account details)?
Does the message pressure you to bypass standard security procedures?
Does it threaten negative consequences if you don’t act immediately?
If you answered “yes” to any of these questions:

Don’t click any links or download attachments
Contact the supposed sender through a verified channel
Report the suspicious email to your IT department
1. The message is sent from a public email domain

No legitimate organisation will send emails from an address that ends ‘@’.

Not even Google.

Except for some small operations, most companies will have their own email domain and email accounts. For example, genuine emails from Google will read ‘@’.

If the domain name (the bit after the @ symbol) matches the apparent sender of the email, the message is more likely to be legitimate. Bear in mind, though, that the From: address itself can be forged, so a matching domain is only reassuring when the receiving mail system verifies it (with SPF, DKIM and DMARC).

By contrast, if the email comes from an address that isn’t affiliated with the apparent sender, it’s almost certainly a scam.

The most obvious way to spot a bogus email is if the sender uses a public email domain, such as ‘@.’.

[Image: PayPal phishing email example (source: Pickr)]

In this example, you can see that the sender’s email address doesn’t align with the message’s content, which appears to be from PayPal.

However, the message itself looks realistic, and the attacker has customised the sender’s name field so that it will appear in recipients’ inboxes as ‘Account Support’.

Other phishing emails will take a more sophisticated approach by including the organisation’s name in the local part of the address (the bit before the @ symbol). In this instance, the address might read ‘.’.

At first glance, you might see the word ‘PayPal’ in the email address and assume it is legitimate. However, you should remember that the important part of the address is what comes after the @ symbol. This dictates the organisation from which the email has been sent.

If the email is from ‘@gmail’ or another public domain, you can be sure it has come from a personal account.


2. The domain name is misspelt

There’s another clue hidden in domain names that provides a strong indication of phishing scams, but unfortunately it complicates our previous clue.

The problem is that anyone can buy a domain name from a registrar. And although every domain name must be unique, there are plenty of ways to create addresses that are hard to distinguish from the one being impersonated.

Take a look at this example:

[Image: Microsoft phishing email example (source: PTG)]

Here, scammers have registered the domain ‘microsfrtfonline’, which to a casual reader mimics the words ‘Microsoft Online’ and so looks like it could reasonably be a legitimate address.

Meanwhile, some fraudsters get even more creative. The Gimlet Media podcast ‘Reply All’ demonstrated that in the episode What Kind Of Idiot Gets Phished?.

Phia Bennin, the show’s producer, hired an ethical hacker to phish various employees. He bought the domain ‘gimletrnedia’ (that’s r-n-e-d-i-a, rather than m-e-d-i-a) and impersonated Bennin.

His scam was so successful that he tricked the show’s hosts, Gimlet Media’s CEO and its president.

As Bennin went on to explain, you don’t even need to fall victim for a criminal hacker to gain vital information.

In this scam, the ethical hacker, Daniel Boteanu, could see when the link was clicked, and in one example, that it had been opened multiple times on different devices.

He reasoned that the target’s curiosity kept bringing him back to the link but that he was suspicious enough not to follow its instructions.

Boteanu explains:

I’m guessing [the target] saw that something was going on, and he started digging a bit deeper and […] trying to find out what happened […]

And I’m suspecting that after, [the target] maybe sent an email internally saying, “Hey guys! This is what I got. Just be careful. Don’t click on this […] email.

Boteanu’s theory is precisely what happened. But why does that help the hacker? Bennin elaborates:

The reason Daniel had thought [the target] had done that is because he had sent the same email to a bunch of members of the team, and after [the target] looked at it for the fourth time, nobody else clicked on it.

And that’s okay for Daniel because he can try, like, all different methods of phishing the team, and he can try it a bunch of different times. [And] since [the target is] sounding alarm bells, he probably won’t include [him] in the next phishing attempt.

Therefore, criminal hackers often still win even when you’ve thwarted their initial attempt.

That is to say, indecisiveness in spotting a phishing scam provides clues to the scammer about where the strengths and weaknesses in your organisation are.

Launching subsequent scams that use this information takes minimal effort, and they can keep doing this until they find someone who falls victim.

Remember, criminal hackers only require one mistake from one employee for their operation to be a success. Everyone in your organisation must be confident in their ability to spot a scam upon first seeing it.


3. The email is poorly written

You can often tell if an email is a scam if it contains poor spelling and grammar.

Many people will tell you that such errors are part of a ‘filtering system’ in which cyber criminals target only the most gullible people.

The theory is that if someone ignores clues about how the message is written, they’re less likely to pick up clues during the scammer’s endgame.

However, this only applies to outlandish schemes like the oft-mocked Nigerian prince scam, to which you must be incredibly naive to fall victim.

That, and scams like it, are manually operated: once someone takes the bait, the scammer has to reply. As such, it benefits the crooks to ensure the pool of respondents contains only those who might believe the rest of the con.

But this doesn’t apply to phishing.

With phishing, scammers don’t need to monitor inboxes and send tailored responses. They simply dump thousands of crafted messages on unsuspecting people.

As such, there’s no need to filter out potential respondents. Doing so reduces the pool of potential victims and helps those who didn’t fall victim to alert others to the scam, as we saw in the earlier example with Gimlet Media.

So why are many phishing emails poorly written? In this case, the most obvious answer is the correct one: the scammers aren’t very good at writing.

Remember, many of them are from non-English-speaking countries and backgrounds where they will have limited access or opportunity to learn the language.

With this in mind, it becomes much easier to spot the difference between a typo made by a legitimate sender and a scam.

When crafting phishing messages, scammers often use a spellchecker or machine translation, giving them all the right words but not necessarily in the proper context.

Take this example of a scam imitating Windows:

Answers

GPT-4o mini
**How to Spot a Phishing Email: Key Indicators and Examples**

Email phishing remains one of the most prevalent forms of cybercrime, with a staggering 83% of organizations falling victim to such attacks according to Proofpoint’s 2022 report. Phishing scams can lead to stolen personal information and malware infections, underscoring the need for vigilance in recognizing fraudulent emails. Below are essential strategies and specific examples to help identify phishing emails effectively.

### Quick Checklist: Signs of a Phishing Email

To quickly assess whether an email might be a phishing attempt, use this checklist. A single “yes” could indicate a fraudulent email:

1. **Examine the Sender**
- Is the email from a public domain (e.g., Gmail, Yahoo) while claiming to be from a company?
- Does the sender’s domain contain misspellings (e.g., “paypl” instead of “PayPal”)?
- Does the sender’s address differ from the organization’s usual email format?

2. **Review Content & Style**
- Does the message contain grammatical errors or unusual phrasing?
- Does the email create a sense of urgency (e.g., “Act now”, “Account suspension imminent”)?
- Does the writing style differ from the organization’s normal tone?

3. **Check Links & Attachments**
- Does the hover-over link URL differ from the displayed text?
- Does the email request you to download unexpected files?
- Does the message feature generic action buttons (e.g., “Click Here”, “Log in now”)?

4. **Look for Security Red Flags**
- Does the email ask for sensitive information (e.g., passwords, account details)?
- Does the message pressure you to bypass standard security procedures?
- Does it threaten negative consequences for inaction?

If you answered “yes” to any of these questions, take the following actions:
- **Do Not Click any Links or Download Attachments**
- **Contact the Supposed Sender Through a Verified Channel**
- **Report the Suspicious Email to Your IT Department**

### Examples of Phishing Emails

1. **Public Email Domain**
Legitimate organizations do not send emails from public domains. If you receive an email claiming to be from a company but it’s from an address like ‘@gmail.com’, it’s likely a scam.

**Example:**
A phishing email might claim to be from PayPal but is sent from ‘[email protected]’ instead of a legitimate PayPal domain.

2. **Misspelt Domain Names**
Scammers create domain names that look similar to legitimate addresses but contain subtle misspellings.

**Example:**
A phishing email from a domain like ‘microsfrtfonline.com’ instead of ‘microsoft.com’ can trick casual readers.

3. **Poorly Written Content**
Phishing emails often contain grammatical errors and awkward phrasing, which can alert recipients to their illegitimacy.

**Example:**
An email purporting to be from Windows may include sentences like, “Your account is on risk, please confirm your details,” which points to lackluster language skills common among non-native speakers.

### Conclusion

Falling victim to phishing scams can have serious consequences. Armed with these identification techniques and examples, you can bolster your defenses against such threats. Remember to rely not only on your instincts but to consult with your IT department or security team when in doubt. Regular training and awareness are also key to ensuring that everyone in your organization is equipped to spot phishing attempts effectively.
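The sender-domain and link checks described above (a public webmail domain behind a corporate display name, a misspelt or confusable lookalike such as ‘gimletrnedia’ or ‘microsfrtfonline’, and link text that disagrees with the real target) can be automated against a raw message. The script below is an added example written for this page; it is not a tool from IT Governance, Proofpoint or the answer above. The public-domain list, the brand-to-domain table, the confusable pairs and the sample message are constructed assumptions, and the matching is a heuristic: it approximates the registrable domain with the last two labels rather than the Public Suffix List, and treats a label as a lookalike if it embeds the brand, equals it after swapping confusable pairs, or is a few edits away from it.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free webmail providers; a "company" message sent from one trips checklist item 1.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Brands and the registrable domains they genuinely send from (ASSUMED here;
# in practice take them from each organisation's published sender domains).
BRAND_DOMAINS = {"paypal": {"paypal.com"},
                 "microsoft": {"microsoft.com", "microsoftonline.com"},
                 "gimlet media": {"gimletmedia.com"}}
# Letter pairs that read as another letter ("rn" as "m", as in gimletrnedia).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]


def registrable_domain(host):
    """Last two labels of a host name (fine for .com hosts; a real tool would use the PSL)."""
    return ".".join(host.lower().strip().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (row-by-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Name the brand a domain imitates; None if it is genuine or unrelated."""
    dom = registrable_domain(host)
    if any(dom in genuine for genuine in BRAND_DOMAINS.values()):
        return None
    label = dom.split(".")[0]
    for fake, real in CONFUSABLES:  # gimletrnedia -> gimletmedia
        label = label.replace(fake, real)
    for brand, genuine in BRAND_DOMAINS.items():
        for real in (g.split(".")[0] for g in genuine):
            # brand embedded, exact after de-confusing, or a few typos away
            # (microsfrtfonline vs microsoftonline is 3 edits on a 15-letter name)
            if real in label or levenshtein(label, real) <= max(1, len(real) // 5):
                return brand
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Checklist item 3: does the real target differ from what the text shows?"""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        shown = (urlparse(text).hostname or "") if text.lower().startswith("http") else text.lower()
        if "." in shown and " " not in shown and registrable_domain(shown) != registrable_domain(target):
            findings.append(f"link text '{text}' actually points to {target}")
        elif lookalike_of(target):
            findings.append(f"link to {target} imitates {lookalike_of(target)}")
    return findings


def analyse(raw_message):
    """Run the sender and link checks over one RFC 5322 message; return the red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if registrable_domain(domain) in PUBLIC_DOMAINS:
        findings.append(f"sender '{name}' <{addr}> uses public domain {domain}")
    elif domain and lookalike_of(domain):
        findings.append(f"sender domain {domain} imitates {lookalike_of(domain)}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    return findings


# Constructed sample modelled on the PayPal example: reassuring display name, public-domain
# sender, a generic button pointing at a lookalike domain, and link text that lies about its target.
SAMPLE = """\
From: Account Support <paypal.billing.team@gmail.com>
Subject: Your account is on hold
Content-Type: text/html; charset="utf-8"

<html><body><p>Your PayPal account is limited. Log in to restore access.</p>
<a href="http://paypal-account-verify.com/login">Log in now</a>
<a href="http://microsfrtfonline.com/reset">https://login.microsoftonline.com</a>
</body></html>
"""

FINDINGS = analyse(SAMPLE)  # three red flags: public-domain sender, lookalike button target, mismatched link text
```

A clean result from these checks is only the absence of obvious red flags, not verification: a From: address on the genuine domain can still be forged unless the receiving server enforces SPF, DKIM and DMARC, and the edit-distance threshold will both miss some lookalikes and occasionally flag an unrelated domain, so treat the output as triage input for a human or a mail gateway, not as a verdict.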
