
Security Awareness Training: What Does a Phishing Email Look Like?

October 27, 2023

One key element of proactive cybersecurity measures for organizations is regular security awareness training for all employees. Security awareness training helps end users know what steps to take to protect their organizations more effectively. As mentioned in previous articles, we all need to follow good password practices and be able to detect phishing attacks by successfully identifying suspicious URLs and spoofed email domains.

Before acting on an email, check both the body, for the manipulation tactics described below, and the sender's actual address and domain, not just the display name. Attackers practice an attack method called social engineering: manipulating, influencing, or tricking an end user into handing over access to IT systems. In this post, we'll cover why phishing emails are a problem for organizations and what a phishing email looks like, so that you and your team can spot one.

Why do threat actors send phishing emails?

A phishing attempt can have one of many goals, and sometimes several at once. Below are two reasons threat actors use phishing email as a primary way into consumers and organizations:

1. Ransomware

Threat actors encrypt your personal and company files and then send a ransom note stating that your systems stay locked until you pay a fee, usually in cryptocurrency or another digital payment.

Ransomware attacks, which frequently begin with a phishing email, affect businesses of all sizes and industries: educational institutions, municipal governments, hospitals, banks, retail, manufacturing, and so on. Even if the ransom is paid and the files and systems are released, that does not stop the threat actor from targeting you again.

2. Malware

Other threat actors aim to drop an initial implant, a loader or backdoor, on your network to gather more data before launching a more sophisticated attack. After clicking a malicious link, you might not notice anything wrong at all.

This matters enormously where intellectual property is concerned: the threat actor may be acting on behalf of a nation-state or one of your largest competitors, attempting to steal patents, blueprints, or source code to clone your valuable assets and beat you to market. It can happen to any organization regardless of size or industry.

What does a phishing email look like?

Train your employees to question the validity of what is being asked of them in emails or other communication mediums before acting on anything. Doing this will greatly reduce your security risk. It can also help your employees become better security advocates for your organization and more effectively protect your data.

Phishing emails share several common characteristics. Training end users to recognize them, and to adopt a "do not engage" or "don't click or reply" mindset, is one of the simplest measures that protects an organization from adversaries. A policy that tells employees what to do when they receive a suspected phishing email, such as reporting it to the security team, turns every recipient into a sensor and lets the rest of the organization be warned early. Below are characteristics to train employees to look for when deciding whether an email is a phish.

Spoofed emails

Threat actors research your organization before they send anything. They look for patterns: Who emails whom? Who approves wire transfers? Email addresses are easy to harvest from your company website or from .xls and .pdf documents exposed by a Google search on your company domain. Armed with those, an attacker can put a familiar display name ("Jane Doe, CEO") in front of an address on a look-alike domain, or forge the From address outright if your domain does not enforce DMARC. Your email address and those of your peers are easily accessible, so you can't trust anything sent via email on the strength of the sender's name: expand the actual address and domain and analyze the message first.

Urgency is the reddest red flag

Any email that says "login immediately," "click here now," or "action required" should be treated as suspect. Legitimate business email rarely needs explicit urgency; the whole point of email is that it waits until the reader is ready. Manufactured urgency is one of the easiest ways to make a user stop thinking critically and click a malicious link. When an email demands immediate attention, slow down and verify through another channel. If it were that important, they would have called you or walked over to your desk.

Wire transfers/receipt of payment (spear phishing)

These are typical phishing attempts: a request for a wire transfer, a change to banking details, or a link or file to "check a payment receipt." Clicking that link or opening that file may deploy malware on the machine, and acting on the banking change sends money straight to the attacker.

Take this type of attempt seriously, especially in roles that handle transactions daily. Have policies in place that require at least one person, preferably two, to verify such requests by phone. Never trust the phone numbers or names in the email itself; use your internal contact records or the organization's website, and call a number you already had on file before the request arrived. Be clear with your clients and vendors that you do this for their safety, and make it part of your standard policy for new accounts and for any change to payment details.

Attachments

How do threat actors fool you with attachments? They may name a file so it reads "proposal.pdf," but when you download it you notice at the bottom of your browser that it is actually "proposal.pdf.exe": an executable program, and potentially malicious. Note that Windows hides known file extensions by default, so on the desktop that file still shows as "proposal.pdf" with only its icon giving it away; turning on "File name extensions" in Explorer removes the ambiguity.

Threat actors might also send a zip file (.zip) containing malicious files, because an archive hides its contents from a casual glance and from simple attachment filters. Be critical of every attachment. Don't open one unless you have checked these factors and, most importantly, were expecting it.

Uncharacteristic language

Is the email full of typos, poor sentence structure, or inconsistent tone and language? Does the tone of the email seem like someone on your leadership team? Is this a normal request via email for your organizational culture?

If it seems suspicious or questionable, confirm with the sender through another channel before assuming it is safe. Unfortunately, with the rise of artificial intelligence (AI) tools that craft fluent messages, poor language is becoming a less reliable signal. Sloppy wording still shows up in wide-net campaigns, most commonly those aimed at personal email accounts, but its absence no longer means an email is genuine.

Links, links, and more links

If the email is full of links, stop and pause. Legitimate business correspondence rarely sprinkles links everywhere; it looks desperate and suspicious. Hover over a link before clicking to see where it actually goes, since the visible text can say one thing while the destination is another. When in doubt, delete the email and move on. They'll email you again if it's legitimate.

Forwarding request

You may not be the actual target. But someone in your address book might be. Be suspicious of emails asking you to forward the message to anyone in your organization, regardless of the tenure/title requested.
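The characteristics above (a spoofed or look-alike sender, manufactured urgency, links whose visible text disagrees with their destination, and executable or archive attachments) can be expressed as checks over a raw message. The following script is an added example written for this page, not code from the original article or any product it mentions; it uses only the Python standard library. `OUR_DOMAIN`, the urgency phrase list, the extension sets, the link-count threshold and the sample message are all assumptions made for the example, and the sample is constructed, not real mail.

```python
# Added example for this article (not the original author's code); standard library only.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"  # assumption: the organization's own mail domain
URGENCY_PHRASES = ("login immediately", "click here now", "action required",
                   "within 24 hours", "account suspended")  # assumed phrase list
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".msi"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}
# Adequate for mail bodies in this example; a gateway would use a real HTML parser.
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = OUR_DOMAIN) -> bool:
    """Not our domain (or a subdomain of it), yet within two edits of it or
    embedding our name under another TLD, e.g. example-com.net."""
    domain = domain.lower()
    if domain == trusted or domain.endswith("." + trusted):
        return False
    return edit_distance(domain, trusted) <= 2 or trusted.split(".")[0] in domain


def analyze(raw: str) -> list:
    """Return human-readable red flags for one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    # Spoofed sender: look-alike domain, an address smuggled into the display name, Reply-To elsewhere
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2]
    if is_lookalike(from_domain):
        flags.append(f"look-alike sender domain: {from_domain}")
    if "@" in display:
        flags.append(f"display name carries its own address: {display!r}")
    reply = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply and reply.rpartition("@")[2] != from_domain:
        flags.append(f"Reply-To goes elsewhere: {reply}")
    # Manufactured urgency in subject or body
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    haystack = (str(msg.get("Subject", "")) + " " + body).lower()
    flags += [f"manufactured urgency: {p!r}" for p in URGENCY_PHRASES if p in haystack]
    # Links: too many, a bare IP as host, or visible text that disagrees with the real target
    if body_part is not None and body_part.get_content_type() == "text/html":
        links = [(href, re.sub(r"<[^>]+>", "", shown).strip()) for href, shown in ANCHOR.findall(body)]
        if len(links) >= 5:  # assumed threshold
            flags.append(f"{len(links)} links in one message")
        for href, shown in links:
            host = urlparse(href).hostname or ""
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if host and host.replace(".", "").isdigit():
                flags.append(f"link to bare IP address: {host}")
            if "." in shown_host and shown_host != host:
                flags.append(f"link text shows {shown_host} but goes to {host}")
    # Attachments: executables (worse when a double extension disguises them) and archives
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rpartition(".")[2] if "." in name else ""
        if ext in EXECUTABLE_EXT:
            flags.append(f"executable attachment{' behind a double extension' if name.count('.') > 1 else ''}: {name}")
        elif ext in ARCHIVE_EXT:
            flags.append(f"archive attachment, contents unchecked: {name}")
    return flags


# Constructed sample (not real mail): a spear-phishing attempt showing most of the signs above.
PHISH = """\
From: "Jane Doe, CEO jane.doe@example.com" <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@mail-relay.test>
Subject: ACTION REQUIRED: wire transfer before 3pm
Content-Type: multipart/mixed; boundary="frontier"

--frontier
Content-Type: text/html; charset="utf-8"

<p>Please login immediately and confirm at <a href="http://198.51.100.7/login">https://portal.example.com</a></p>
--frontier
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="proposal.pdf.exe"

TVqQAAMAAAAEAAAA
--frontier--
"""

if __name__ == "__main__":
    print("\n".join(analyze(PHISH)))
```

Run as a plain script to see the eight flags the sample trips. These are triage heuristics, not a verdict: a clean result proves nothing, `is_lookalike` will also flag unrelated domains that happen to contain your organization's name (pair it with an allow list), and the script does not consult SPF, DKIM or DMARC results, which a mail gateway would record in an Authentication-Results header. The point it illustrates is the one the sections above make: every signal is something a human can also check by expanding the sender, hovering over the link, and reading the full file name.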

Pro tips for training end users to recognize phishing emails

Use one of the many phishing awareness tools available today to educate and test your users. Make sure this isn't a one-and-done exercise but happens throughout the year. People forget or get distracted; only continuous training keeps them aware.

Check out the whole series on security awareness training: