Phishing and how to identify them

How to identify phishing emails – 2023 update

March 1st, 2023 Posted in Information Security

It’s no surprise that the last 3 years have seen a surge in cybercrime, largely due to the COVID-19 pandemic, millions of people working remotely and healthcare data being the main target. Online crime has become a huge threat to organisations of all sizes across the globe, and phishing email is one of the most common and dangerous methods that criminals use. Phishing emails might have been easy to spot in the past, but as criminals become more sophisticated, they are becoming more difficult to identify.

Phishing motive

The idea behind these attempts is to secure personal or financial information from the victim, and hundreds of thousands of people fall victim to criminals every year. The COVID-19 pandemic has seen a significant rise in phishing attempts, and by the start of April 2020, over £1.6 million had been scammed by criminals. The latest Data Breach Investigations Report 2022 from Verizon highlights the growing trends in cybercriminal activity and the impact it has had on businesses throughout the pandemic. The report shows that phishing attacks are still prevalent, with over 30% of breach cases involving some type of malware and approximately 20% of cases involving a Social action.

Despite the rising sophistication of these attempts, there are still a number of ways to identify phishing emails.

How to identify phishing emails

Suspected Phishing Email? Check the sending address

One of the first ways to identify a phishing email is to check the email address that it has been sent from, not just the stated sender’s name. An immediate warning sign should be if it is coming from a public email domain such as Gmail or Yahoo, or from a strange email address. Any legitimate company will likely contact you from a personalised domain name, and these are very easy to check by simply typing that domain into a search engine.

Scammers are able to adapt the appearance of the overall email, making it look as realistic as possible; however, the sending address is sometimes the giveaway. To get around this, many experienced criminals attempt to make it look believable at a quick glance, so make sure you check the address for any spelling mistakes or if it contains additional letters or numbers.

Take a look at the email pictured below (received this week by a colleague) – the sender address is unusual and the red padlock icon shows that TLS encryption was not used, which is also unusual. Both of these would immediately raise suspicions.

Sending Address
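The sender checks described in this section can be automated. The following is an added example, not part of the original article: it parses the From header and flags public email domains, a display name that does not match the sending domain, and near-miss spellings. The domain lists and sample headers are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: domains the organisation really deals with,
# and a few public webmail domains. Both lists are illustrative.
KNOWN_DOMAINS = ("amazon.co.uk", "hmrc.gov.uk", "microsoft.com")
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com"}

def check_sender(raw_message: str) -> list[str]:
    """Return warnings about the From header of a raw RFC 5322 message."""
    name, address = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = address.rpartition("@")[2].lower() if "@" in address else ""
    if not domain:
        return ["no parsable sender address"]
    warnings = []
    if domain in PUBLIC_DOMAINS:
        warnings.append(f"sent from public email domain {domain}")
    for known in KNOWN_DOMAINS:
        genuine = domain == known or domain.endswith("." + known)
        brand = known.split(".")[0]
        # Display name claims a brand, but the address is not on its domain.
        if brand in name.lower() and not genuine:
            warnings.append(f"name mentions {brand} but address is @{domain}")
        # Near-identical spelling: added or substituted letters and numbers.
        similarity = SequenceMatcher(None, domain, known).ratio()
        if not genuine and similarity >= 0.85:
            warnings.append(f"{domain} looks like {known} but is not")
    return warnings

# Constructed sample headers, not taken from the email discussed above.
SAMPLES = {
    "lookalike": 'From: "Microsoft Support" <security@micros0ft.com>\n\nHi',
    "webmail": 'From: "HMRC Refunds" <hmrc.refund2023@gmail.com>\n\nHi',
    "genuine": 'From: "Amazon" <no-reply@amazon.co.uk>\n\nHi',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw))
```

The 0.85 similarity threshold is a starting point chosen for this example; tune it against your own mail before relying on it.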

Phishing emails are usually poorly written

One of the clearest ways to determine if an email is a phishing attempt is to check the overall spelling, grammar, look and feel. When a legitimate company contacts you, they are attempting to sell their brand and company to you, so will ensure that the email is captivating and well written. On the other hand, scammers do not have such concerns and are simply trying to send as many different emails to as many people as possible.

Although there is a common belief that scammers keep these mistakes in on purpose in order to filter out the less gullible, the truth is that for many scammers, English is either not their first language or they may have had limited access to education. This means that they have run the email through spellcheck or a translation service, which often results in the messaging not quite conveying the right context.

Returning to the same email, you can see from the image below that the look and feel are odd. There is no sender name, brand, or logo; the email isn’t well personalised (instead, the first part of the recipient’s email address is used), and there is a clear call to action, which is the button inviting the recipient to click. Because the sender isn’t named and the content of the ‘package’ isn’t mentioned, the aim seems to be to get recipients to click the link to find out more.

Poorly Prepared

Suspicious links or attachments in emails

Another common sign of a phishing email attempt is a message containing suspicious attachments. Usually, the email will not provide much information, encouraging the recipient to open the attachment, which will then lead to malware being installed on their device.

Suspicious links are also a clear sign of a phishing email attempt. Many scammers hide the real destination behind shortened links or behind a clickable button, so that the recipient’s suspicions are not aroused by seeing the link itself.

While these three might be the key factors to consider, they are not the only warning signs. Any time you receive mail that you were not expecting, exercise caution before clicking or responding. Scammers like to create a sense of urgency or force you towards a link to find out more, and it only takes a momentary lapse in concentration for you to fall victim.

In our case, the email below uses a combination of these techniques. Little information is provided to encourage the recipient to click the link, and a sense of urgency has been created by stating delivery is waiting for shipment. Although you can’t see it, the addresses linked to by the button and unsubscribe links are hidden behind links.


Scam mail: Don’t expect the unexpected

Our final tip is an important one because not all phishing emails are so obvious. They are becoming more sophisticated and are created to look like genuine emails from HMRC, Amazon, Microsoft, and others. Be suspicious if you receive unexpected mail that includes an attachment or link, especially if it is unexpected good news such as an HMRC refund email or a purchase order. Don’t open the attachment or follow the link.

If for any reason you do click a link in an unexpected email, never, in any circumstances, submit a username or password on a site it takes you to. Instead, call the sender (don’t email them as the attacker will be happy to email you back) or ask your IT or information security team to take a look. This shouldn’t slow you down and if the email wasn’t expected then a little delay won’t hurt. Sometimes they might be genuine – last week we received an unexpected purchase order; we ran it through malware scanners and contacted our customer separately to ask if it was genuine. It turned out it was, but we didn’t open it until we were sure.

Phishing awareness is key

Even though your employees might be trained annually on security, people forget things and make quick decisions when busy and under pressure. For this reason, it’s important to maintain ongoing awareness, such as employee phishing tests, ‘drip’ awareness campaigns with examples of phishing emails, and reminding people what to look for and what steps to take.


Computer vector created by upklyak – – edited by Evalian

Written by Marcus Chambers

Marcus is a senior security consultant specialising in cyber security, including strategy, security transformation, risk management, incident response and supply chain assurance. His career started in the British Army where he delivered multifaceted operational solutions often in austere settings. Since leaving the military, Marcus has worked in senior security consulting roles, across numerous sectors. He has three Masters degrees including an MSc in Information Security from Royal Holloway, University of London; he holds ISACA's CISM and CGEIT certifications; is a Chartered Engineer and a graduate of the British Military's esteemed Advanced Command and Staff Course.