How to spot Phishing Emails: Phishing 101 for Beginners

What are Phishing Emails?

Put simply, a phishing email is an email sent to take advantage of you. The term comes from “fishing”, where an attacker (the fisher) puts out bait in order to lure you into their trap. In cybersecurity it works the same way: an attacker sends you an email as bait, hoping that you bite and reply or otherwise interact with it so that they achieve their objective.

In 2022, there were 250,000+ unique phishing attacks, ranging from your average, low-level phishing email to some very advanced, very complex emails. This number is expected to hit nearly 1 million a day by 2025. On any given day in 2023, you can expect around 340,000 phishing emails that aren’t blocked by conventional email filters.

How to spot Phishing Emails?

Phishing emails come in all kinds of forms, but will always have something that doesn’t quite look right. Below are some things you can check to see whether you’re dealing with a phishing email.

The Sender/Recipients

One of the main things you’ll find with low-level phishing attempts is that the sender is completely wrong. Examples of this include:

  • The Sender shows a name you’ve not heard of before.
  • The Sender shows as a name you’ve heard of, but is spelt incorrectly.
  • The Sender shows as a name you’ve heard of, but the “sender” email is not what you’d expect.

You may also notice that the recipient list is either blank or includes many people. If so, the chances are there is something secretive going on behind the scenes, again pointing to a phishing email. This isn’t always the case, but it does increase the likelihood.


Does the email have attachments, and were you expecting them? Attachments are another pointer that you could be dealing with a phishing attack. In most cases attachments are fine; however, if an attacker is sending you a phishing email, the attachment will be “loaded”. By this we mean the attacker will inject the attachment with malicious code, and upon opening the file you will execute it. This, in short, allows an attacker to do “something”, or really anything they wish. This could also be exploiting a vulnerability in your email client or browser.

Was the Email Expected?

Phishing emails will come in as and when an attacker wants to try their luck. When you receive the email, who it is from, and what the context is will all help identify whether the email is malicious or not. When you receive an out-of-the-blue email from anyone, ask yourself these questions:

  • Do I know the user who is sending this email?
  • Is the content from the user expected for their job?
  • Have I spoken to this user before and does the content align to previous requests?
  • Does the user exist, and does their job match up? (i.e. look the user up on LinkedIn to make sure they are meant to be sending the emails they are).
  • Was the email sent at a normal time – either known or unknown sender?

The Content of the Email (Links/Requests)

Mostly, you will find phishing emails that contain links or requests that need you to do something urgently. Below are some examples of this.

  • You are asked to reset your password within 2 days.
  • A “friend” or “colleague” is asking you to purchase something urgently.
  • A “friend” or “colleague” wants you to do something for them quickly, or asks for a phone number, etc.

When checking links in most browsers/email applications – you can usually hover over the link to see where it will take you. If this is not a well-known or expected link, then you shouldn’t click it. You can always speak to your IT helpdesk team, cybersecurity team, or a forum for more advice.

Advanced: Check Email Headers

If you have some technical experience, or have an IT/cybersecurity team, you can review the “email headers”, which contain information about the sender and how the email was sent. They include (in full):

  • Content-Encryption – How the email was encrypted, if at all.
  • Subject – The subject of the email.
  • Recipient – Who the email was sent to.
  • Sender – Who the email was sent from.
  • Date/Time – The date and time that the email was originally sent/received.
  • Mime-Version – Defines the version of the MIME protocol (Multipurpose Internet Mail Exchange Protocol).
  • ContentType – The type of the email, so potentially “HTML” (the common one).
  • MessageID – The unique message-ID that allows for it to be searched/looked up.
  • Exchanges – The exchange servers that the email passed through (i.e. where the email has gone before it got to you).
  • Return-Path – The email that is used when you press “Reply” (i.e. an email can be sent from one email, and replied to another one automatically).
  • Delivered-To – Who the email was delivered to (not including failures).
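
As an added example (not part of the original article), the header checks above and the sender/recipient checks from earlier can be automated with Python's standard `email` module. The sample message, the `brand` and `expected_domain` parameters and the flag names are constructed for illustration, and `Reply-To` is a standard header that is not in the list above.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample headers (not a real message); every address is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Coinbase Support" <billing.team@freemail.example>
Reply-To: <helpdesk@other.example>
Subject: Your order has been placed
Message-ID: <constructed-0001@mailer.example.net>
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>body omitted</p>
"""


def domain_of(addr):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def header_red_flags(raw, brand, expected_domain, max_recipients=10):
    """Return a list of header-based warning signs for one raw message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    flags = []

    # Display name claims the brand, but the address is not on its domain.
    on_brand = from_dom == expected_domain or from_dom.endswith("." + expected_domain)
    if brand.lower() in display.lower() and not on_brand:
        flags.append("display-name-mismatch")

    # Return-Path or Reply-To address on a different domain than From.
    for name in ("Return-Path", "Reply-To"):
        value = msg.get(name)
        if value and domain_of(parseaddr(value)[1]) != from_dom:
            flags.append(name.lower() + "-mismatch")

    # Blank or unusually long visible recipient list (To and Cc).
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = [a for _, a in getaddresses(fields) if "@" in a]
    if not rcpts:
        flags.append("no-visible-recipients")
    elif len(rcpts) > max_recipients:
        flags.append("many-recipients")
    return flags


if __name__ == "__main__":
    print(header_red_flags(SAMPLE, "Coinbase", "coinbase.com"))
```

A flag is a signal rather than proof: legitimate bulk mail is often sent through third-party services whose domains differ from the From address, so treat the result as a reason to look closer.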

What are some common Phishing Email types?

Whilst there are no real classifications for phishing emails, at Hakubi we’ve categorized them into a few types.

Concern/Panic Phishing Emails

Concern phishing emails are phishing emails designed to cause concern. These are typically sent to you about a service or transaction you’ve made. This may be a “PayPal” transaction, or, as below, a Coinbase cryptocurrency transaction. Whilst I do use Coinbase, I do not buy Bitcoin (BTC). This is supposed to cause me concern to open the attachment.

Upon opening the attachment (note: you should never do this unless you know it’s fine…) it shows that I paid $1094 for some Bitcoin, and suggests that if I did not do it – to contact their phone number in 4 hours.

An example “Concern” Phishing-Email I received just a few days ago…
The Coinbase “Scam”

Within this email, beyond the concern (and the urgency within the attachment), there are a few things you can see.

  1. The email is not from Coinbase, but rather from a account.
  2. The email content itself does not look like a typical Coinbase email – and would not usually contain an attachment.
  3. The attachment itself contains information that I did not request, and does not use the typical format.
  4. The number listed on the email is a +915 phone number, which is Texas – however this is actually +91 52330888 – which is India.
  5. The Logo in the Email is not their logo, but rather just coloured text.

With all the above considered, this is a phishing email and was swiftly removed (after I took the screenshots obviously).

Urgent Phishing Emails

Urgent phishing emails are similar to the above, but often need you to do something quickly. Like above, where I only had 4 hours to react, urgent phishing emails usually appear to come from business owners or friends, who are actually being impersonated. Below is an example, where I impersonate my boss asking for urgent actions to be taken. In a normal business, this could be concerning, as your boss has a lot of power over your employment, or so employees think.

Impersonation & Urgent Request Phishing Emails

These emails are usually quite short and snappy, just like some CEOs. Even though it may be worrying, this will likely never happen in a professional environment, and the email should be ignored, or verified by speaking to the CEO using another source.

Bribery/Blackmail Phishing Emails

Another common, and early, form of phishing email was actually somewhat ransom-oriented. Bribery emails are a type of phishing email that lets urgency and panic overwhelm you and eventually leads to you paying the price. Below is an example. In this email, a hacker claims to have seen me nude, watching dodgy websites, and much more, and requires me to pay them to not release it. Again, I know these are false; however, to someone who may have done this and is not tech-savvy, this could be worrying.

A Bribery-Email I received asking for $1200 in Bitcoin

Why do Attackers still use Phishing Emails?

Cybersecurity attacks often start with really, really low-level malicious activity. This could be as simple as finding a post-it on someone’s monitor through a picture or window, using a low-level vulnerability to gain privilege, or users clicking a phishing email.

These emails are the most common way for attackers to break into a system and are mostly low-level. They will likely get you to run a small script, sign into a fake login portal, or even just reply back to them to gain further trust. Unlike the other initial attack vectors, phishing emails rely on human error which unfortunately happens too often.

CISA reckons this number is as high as 90%, with over 90% of cybercrime and attacks starting with an email-based vulnerability. This just shows why attackers are still pushing hard with phishing emails to people like us, hoping we can’t spot them.

How do I know if my email is a phishing email?

There are clear signs when an email is a phishing email. Is it expected? Does it look right? These two questions should be considered with every email you receive, and the guide above should also help you identify whether an email is a phishing email or not. Below is a small checklist to use to identify if an email could be a phishing one. Ask these questions of all your emails.

  • Is the email expected?
  • Is the email from someone you know? (Check both the display name and the sending email address; these are different!)
  • Does the email contain attachments that you’re not familiar with?
  • Does the email contain links that you’re not familiar with? (Remember: hover over them to check!)
  • Does the email suggest urgency along with another tell-tale sign?
  • Does the email attempt to blackmail or bribe you?
  • Are there other emails/accounts within the recipients?
  • Does the email look “right”…?

If you ask these questions, you should be able to decide if the email is a phishing email or not. No to any of these would suggest something of concern and should be addressed with caution.

What to do when you see a Phishing Email?

There are a few things you can do when you see a phishing email. Let’s go through them categorically.

  • Report / Delete the email from your inbox – or speak to the sender to see if they are legitimate.
  • Report the email to your business cybersecurity team (or IT Team).
  • Delete the email from your inbox, and then your deleted folder.

You may also opt to report the email to your government’s cybersecurity department who can also likely perform further legal actions should they need to. They may also help you remediate any issues should anyone click the link.

Our Verdict

Overall, phishing attacks are usually the source of major mainstream cybercrime, and knowing how to spot them could make all the difference for you, and your business. We hope that this article has helped you identify the common tell-tale signs of a phishing email. Remember, if you aren’t expecting the email, or it looks in any way suspicious – report it, and find an alternative contact method.

About the Author

Charlie K

Charlie has been working with technology since the age of 6, and has skilled up on all things technical. Cybersecurity is one aspect that has never failed to disappoint. After several years in the industry, Charlie is branching out to help others get into the industry.
