Security Awareness Training: What Does a Phishing Email Look Like?

Learn why phishing emails are a threat to organizations and how your can train your employees to spot one.

What Does a Phishing Email Look LikeOne key element of proactive cybersecurity measures for organizations is regular security awareness training for all employees. Security awareness training helps end users to know what steps they can take to protect their organizations more effectively. As mentioned in previous articles, we all need to follow  good password practices and be able to detect phishing attacks by successfully identifying suspicious URLs and spoofed email domains.

Ideally, we must scan the body of the email to see if there is any suspicious behavior of the sender contained inside. Also, checking the domain and address of the individual email is important. Hackers practice an attack method called social engineering, which attempts to manipulate, influence or trick an end user to gain control of IT systems. In this post, we’ll cover why phishing emails are an issue to organizations and what a phishing email looks like in order for you and your team to successfully spot one.

Why Do Threat Actors Send Phishing Emails?

The main goal of a phishing attempt can be one of many things and can sometimes include a combination of multiple factors. Below are two reasons why threat actors utilize phishing emails as the main source of attack against consumers and organizations:

1. Ransomware

Threat actors will encrypt  your personal and company files and then send you a ransom note that your systems are locked until you pay a fee – which is usually via digital payments or cryptocurrency.

This type of attack (that derives from phishing) can happen to businesses of all sizes and industries. This includes industries like educational institutions,  government municipalities, hospitals, banks, retail, manufacturing, etc. Although the ransom can be paid to release the files and systems back to you, unfortunately that won’t stop the threat actor from targeting you again.

2. Malware

Some threat actors aim to achieve the goal of dropping a probe on your network to gather more data before launching a more sophisticated attack. You might not even detect any wrongdoing after clicking on a malicious link.

This is incredibly important in the world of intellectual property where a threat actor may be acting on behalf of a nation state or one of your largest competitors, attempting to steal patent, blueprint or script information to clone your valuable assets and beat you to market. It can happen to any organization regardless of size or industry. 

What Does a Phishing Email Look Like?

Train your employees to question the validity of what is being asked of them in emails or other communication mediums before acting on anything. Doing this will greatly reduce your security risk. It can also support your employees becoming better security advocates for your organization and more effectively protect your data.

There are currently several common characteristics of phishing emails. This is why training end users on how to recognize phishing emails and implementing a “do not engage” or a “don’t click or reply” mindset can be the simplest measure to protect your organization from adversaries. Developing a policy around what employees should do if they receive a phishing email, such as reporting it, helps to better mitigate phishing attempts more successfully. Below are some characteristics to train employees to identify when determining what a phishing email may look like.

Spoofed Emails

Threat actors are known to be monitoring your email system. They are looking for patterns in your organization: Who sends emails to one another? Who sends wire transfers? They can easily source email addresses from your company website or even from .xls or .pdf documents via a Google search on your company domain. Your email, and those of your peers, are easily accessible. Therefore, you can’t trust anything sent via email without analyzing it first.

Urgency Is the Reddest Red Flag

Any email that says, “login immediately,” “click here now” or “action required” is bogus. Nothing via email is sent with explicit urgency. That’s the whole point of email communication as it waits for the user to be ready for it. Manufactured urgency is one of the easiest ways to get a user to stop thinking critically and mindlessly click a malicious link. Be wary of an email requesting immediate attention. If it were that important, they would have called you or walked over to your desk.

Wire Transfers/Receipt of Payment (Spear Phishing)

These are some of the most typical phishing attempts out there; asking for a wire transfer, to change banking information or asking for the user to click a link or open a file to check on payment receipt. Clicking on that link or opening that file will deploy  malware on the machine.

This is a type of phishing attempt that needs to be taken seriously, especially for those that are in positions dealing with transactions daily. You should have policies in place that require at a minimum of one person to verify the requests by phone, if not two. Never trust the phone numbers or names of individuals in these emails. Always use your trusted internal contact information for that organization or use the organization’s website to get the numbers. Be clear with your clients and vendors that you are doing this for their safety and make it part of your standard policy for new accounts.


How do threat actors attempt to fool you regarding attachments? They may change the file name so it reads as “proposal.pdf” but when you download the file you notice at the bottom of your browser it says “proposal.pdf.exe” – that’s an executable file program and potentially malicious.

Threat actors also might send you a zip file (.zip) that could have any number of malicious files within it. It’s important to be critical about these attachments. Don’t open an attachment unless you have checked these factors and most importantly, you were expecting the attachment.

Uncharacteristic Language

Is the email full of typos, poor sentence structure or has an inconsistent tone and language? Does the tone of the email seem like someone on your leadership team? Is this a normal request for your organizational culture via email?

If it seems suspicious or questionable, it’s better to confirm with the sender before assuming it is safe.  Unfortunately, because of the rise of artificial intelligence (AI) tools that can better craft these messages, this is becoming less and less common but is still used by some in an attempt to cast a wide net and most commonly to personnel email accounts.

Links, Links and More Links

If the email is full of multiple links, you’ve got to stop and pause. What kind of sane email user puts multiple links all over their emails? It looks desperate and suspicious. Just delete the email and move on. They’ll email you again if it’s legitimate.

Forwarding Request

You may not be the actual target. But someone in your address book might be. Be suspicious of any emails asking you to forward the message to anyone in your organization, regardless of the tenure/title requested.

Pro Tips for Training End Users to Recognize Phishing Emails

Utilize one of the many phishing awareness tools available today to both educate and test your users.  Make sure this isn’t a one-and-done practice but something that occurs throughout the year. People forget or get distracted and only with continuous training can they be aware.

Put our security awareness training tips into action with the free guide, 7 Security Hacks to Use Now.

Check out the whole series on security awareness training:

Email us at [email protected] for inquiries related to contributed articles, link building and other web content needs.

Read More from the CompTIA Blog

Leave a Comment