How to spot phishing emails?
- Last Updated : February 28, 2025
Most organizations use email as their primary source of communication. With email being used for all sensitive information exchange in a company, it becomes one of the most targeted mediums for cyberattacks. In parallel, threat actors have become smarter in crafting these attacks, making them more sophisticated and difficult to detect.
Among all of the types of cyberattacks, phishing is one attack that has been in constant use by threat actors. Phishing attacks work on psychological manipulation of the email recipient, nudging them to take immediate action. Even today, humans are the weakest links in an organization's email defense, making phishing a popular choice for threat actors.
Since deceptive phishing emails are here to stay, it's important for organizations and their employees to know what phishing is, how email phishing works, and the common indicators of phishing emails. In this article, we'll delve into how phishing emails can be identified.
What is phishing?
Phishing is a technique where the attacker assumes the identity of someone the victim usually places their trust in to extract sensitive information. This impersonated identity might be a bank the target has an account with, an online platform they shop from, shipping agencies, or other such platforms that they regularly interact with.
By impersonating a trusted identity, attackers nudge their targets into revealing sensitive information such as account numbers, credit card numbers, account credentials, and other confidential organization-related information. The attacker then uses this information for their own benefit.
How does email phishing work?
Email phishing is one of the most common methods by which attackers carry out phishing attacks. In a typical email phishing attack, the threat actor sends an email in which they impersonate someone the recipient closely interacts with. In the email, the attacker uses language that creates a certain sense of urgency while nudging the recipient to take action immediately.
This action could be clicking on a link, downloading an attachment, or sending confidential emails about their company in response to the email. Whatever the action is, in the end, the hacker either installs malware on the target's system or acquires the information they're looking for. Sometimes, they propagate the attack further by silently using this information, but in some cases, the impact is more apparent, such as withdrawal of huge amounts of money from bank accounts or account blockage.
Common characteristics of phishing emails
Every phishing email has a few indicators. Learning what these indicators are and gaining expertise on identifying them will help ensure that any such malicious emails are treated with caution. Let's look at some markers that might be common signs of phishing emails.
Incorrect or bad language
Malicious emails are sent out in bulk to unsuspecting recipients. Attackers pay barely any attention to the language, grammar, and spelling errors within the email content. Threat actors amp up the volume of their emails in an attempt to get at least a few recipients to engage with the email.
Another reason for bad language could be poor translation by the attacker. Many email providers and security solutions have provisions to block emails in languages that are foreign to the email recipient. Therefore, attackers send a translated version and, in doing so, miss grammar and spelling errors.
Most reputable companies have editorial staff who proofread the email content before it's sent out to their customers or leads. This gives them less of a chance to make such blatant language errors. So if you receive an email with grammar, spelling, or language issues, it's best to be wary of the email and proceed with caution.
Sense of urgency
Phishing emails work effectively only if the email recipient acts before observing the email too closely. On a closer look, the recipient may notice signs that it could be a phishing email. So the attacker tries to get them to complete the intended action before they have the time to take a deeper look at the email.
The simplest way to do this is by creating an unnecessary sense of urgency in an attempt to scare the recipient into responding. Attackers use a multitude of tactics to achieve this. They might demand that the recipient verify their email account credentials in a separate login page immediately, failing which their account might be deactivated.
Sometimes, if the attacker is impersonating a shipping agency, they may demand that the recipient confirm their details since their product is being held at customs. If they fail to verify, the attacker threatens them with huge fines and the product being sent back.
Other forms of such phishing attacks, such as bank account verification, urgent money transfers, and fake website scams, are also common. Even if an email mandates such urgent action to be taken, take your time to verify the authenticity of the email and then engage accordingly.
Inconsistency in the domain name
When threat actors plan a cyberattack, they research their targets and familiarize themselves with the companies or vendors that they usually interact with. Impersonating a brand that the target already knows and trusts makes it easier for the attacker to get placed in the target's mailbox and elicit a response.
To impersonate popular domains, attackers register domain names that closely resemble the legitimate domain that they'll be impersonating. For example, if the target regularly interacts with a shipping agency that owns the domain name greenkart.com, the hacker will create variations of the domain name such as greencart.com or grenkart.com.
Using the emulated domain, they'll send emails faking scenarios where the recipient is asked to enter their account credentials or transfer money to receive the package. It's important to check whether the domain name in the email is spelled correctly or if there are any inconsistencies.
It's also important to consider whether the display name and the username part of the email address are consistent with the claims mentioned in the email. For example, if the display name says "Shipping Updates" but the email address is sales@greenkart.com, it exhibits a lack of professionalism. While a mismatch between the display name and the username may not always be a problem, it's always best to proceed with caution.
Lack of specificity or familiarity
Phishing emails are sent in bulk with the hopes of getting a few favorable responses or engagements from their targets. Threat actors pick organizations and email addresses from bulk mailing lists off the internet or leaked email accounts that are often posted on the dark web. They use these lists to send emails to people randomly.
Because the email addresses they pick are random, they don't have any insight into the name of the person they're sending the email to, the organization they're a part of, or other cues of familiarity. And these lists are often too long to conduct any intensive research about the owner of the email account. So phishing emails are sent without any personal greeting or sense of personal connection. This is often a cause of suspicion.
However, in specialized attacks, threat actors create spear-phishing emails. Spear phishing is a type of phishing in which the hacker targets specific people after conducting extensive research about the person and their communication patterns. They'll often phrase the email in a way that exhibits some sort of personal connection. In general, conduct all of the required checks before engaging with the email to make an informed decision.
Suspicious links and attachments
External links and attachments are prevalent in most phishing emails. The intention is to create a sense of fear in the recipient while nudging them to furnish the details they've requested. Rather than getting the target to reply to the email, which might elicit suspicion, they send a professional-looking external website link or ask them to download an attachment as part of their attack.
If there's a link present, it redirects the user to a website that's a replica of the brand that's being impersonated. On this website, the user is asked to enter their account credentials to check the status of something or as part of account verification. Once entered, the attacker receives these credentials because the impersonated website is designed and maintained by them. To ensure that the link is legitimate, hover over the link to check that the destination matches the link displayed.
In some cases, attachments are present in the email, and the hacker mandates that the attachment be downloaded by citing reasons such as organization policy changes or other documents that are mandatory reads. Downloading these attachments executes viruses or some malicious software that'll cause issues such as encrypting the organization's system and locking the user out. Attachments with the extension .exe have a particularly bad reputation for being malicious. When you receive an email that looks suspicious, stay away from the links and attachments since they could cause huge trouble to you and your organization.
Unfamiliar email sender
While most phishing emails are sent under the pretext of being a popular brand or a known acquaintance, it's also possible that there are first-time email senders who are trying to extract sensitive information from you. If you come across an email sender you've previously never interacted with, it could be a sign of a phishing attempt.
Verify the source of the email, read through the content without opening any links or attachments, and conduct all of the necessary checks to see if there's a need for the sender to initiate communication with you. If you feel like the email sounds too good to be true or if it's an unsolicited email that seems suspicious, steer clear.
Warnings by the email provider
When email providers come across emails that seem suspicious on some level, they try to warn users of potential danger with alerts and warning banners. Popular email providers display alerts for unauthenticated email senders (senders who have not verified their domain's SPF, DKIM, and DMARC authentication), email senders who aren't part of the organization, and even emails sent from a new domain.
Pay heed to these alerts since there's always more than meets the eye, especially if such warnings are displayed. If you feel that there's malicious content in the email, report it to your email administrator so they can warn other users in the organization and tailor your email security policies accordingly.
Wrapping up
While it's a scary reality that 1 in every 4,200 emails is a phishing scam, there are ways to protect ourselves by following these steps to verify the nature of the email.
But by seeing what the human eye can't see, email security solutions provide an additional layer of security by scrutinizing these emails and keeping them away from your mailbox. Adopting an email security solution that works in tandem with your email provider is essential to keep your employees and organization secure.
eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.