Picture this – you get an email from a colleague with a link to an important document. You click the link and log in. A normal working situation, right? Except that the email was meticulously designed to trick you and steal your credentials.
The worst part? You are completely unaware of this until unauthorized transactions start appearing on your account, or you receive alerts about unusual activity.
But it doesn’t stop there. Soon, you notice your social media accounts have been hijacked, and your employer informs you that sensitive company data has been accessed from your account, jeopardizing your job and the entire organization’s security.
This chain of events can turn your entire life upside down, and the culprit? A seemingly innocent (phishing) email.
In this article, I’ll tell you how to spot phishing and talk about:
- What phishing is
- The most common methods of phishing
- 11 telltale signs of phishing
- What to do if you suspect a phishing attempt
Let’s dive right in.
What is phishing?
Phishing is a deceptive technique used to steal sensitive information like credit card data, usernames, and passwords. Attackers pretend to be trustworthy entities, often mimicking big brands, to trick victims into revealing their confidential data.
But phishing isn’t new; it has been around since the early days of the Internet. At first, it involved simple email scams in which attackers would send fake messages pretending to be from reputable organizations.
Over time, phishing tactics have become more advanced, targeting a wider range of platforms, including social media, messaging apps, and phone calls. Today, phishing attacks are highly personalized and often use social engineering techniques to be more effective.
What phishing methods are most common?
- Email Phishing – Attackers send fake emails that appear to be from legitimate sources. These emails often have links to fake websites designed to steal login credentials or other sensitive information. They’re usually sent in bulk.
- Spear Phishing – This is the scenario I covered in the intro. Attackers usually target specific individuals or organizations. They research their victims to create more convincing and personalized messages, increasing their chances of success.
- Whaling – Targets high-profile individuals within an organization, like executives or senior officials. These attacks involve significant research and aim to exploit the targets’ influence and access. So, if you’re a CEO, you’d better pay close attention to your emails, especially the ones from finance.
- Smishing – Involves sending fraudulent text messages to trick recipients into revealing personal information or clicking on malicious links. Here’s an example of a smishing campaign targeting Booking.com’s clients.
- Vishing – Involves phone calls from attackers pretending to be from legitimate institutions, like banks or government agencies, to extract sensitive information from the victims. So next time a ‘bank agent’ calls, listen carefully and try not to give any personal information.
11 Telltale signs of phishing
Despite the constant threat of phishing attacks, there are telltale signs that help identify cybercriminal activities. Here are some of them.
1. Email spoofing awareness
Email spoofing allows cybercriminals to manipulate sender information, making an email seem like it’s from someone you know. Scammers can mimic the sender’s name, change the email address, or alter the domain name after the “@” symbol. Even if the sender looks familiar, don’t assume the email is legitimate.
To detect spoofed emails, look beyond the sender’s name. Cybercriminals often create a sense of urgency to pressure you into responding quickly. Always ask yourself:
- Were you expecting this message?
- Does the email’s content match your usual interactions with the sender?
- Are you being pushed to act immediately?
By asking these questions, you can better identify and stop phishing attempts, protecting your personal and professional information.
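The header checks described above can be automated. The following is an added example, not part of the original article: it flags a display name that shows a different address than the real one, a Reply-To on another domain, and a sender domain that only resembles one you know. The sample message, the domains, the `known_domains` list and the 0.85 similarity threshold are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

def domain_of(address):
    """Return the lower-cased part after the last '@'."""
    return address.rpartition("@")[2].lower()

def sender_findings(raw_message, known_domains, threshold=0.85):
    """Return a list of reasons the sender headers deserve a closer look."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    findings = []

    # 1. The display name shows one address while the real one is different.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if shown and shown.group(0).lower() != address.lower():
        findings.append("display name shows " + shown.group(0))

    # 2. Replies would go to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("Reply-To domain is " + domain_of(reply_to))

    # 3. The domain is close to, but not the same as, one you deal with.
    for known in known_domains:
        ratio = SequenceMatcher(None, from_domain, known).ratio()
        if from_domain != known and ratio >= threshold:
            findings.append("domain resembles " + known)
    return findings

# Constructed sample message; every name and domain here is made up.
SAMPLE = (
    'From: "alice@corp.example" <alice@c0rp.example>\n'
    "Reply-To: billing@mailbox.test\n"
    "Subject: Invoice due today\n"
    "\n"
    "Please process the attached invoice immediately.\n"
)

if __name__ == "__main__":
    for finding in sender_findings(SAMPLE, {"corp.example"}):
        print(finding)
```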
2. Caution with attachments
So, an email arrives in your inbox with an attachment that has an unfamiliar extension—maybe a “.exe” or “.js” file. While these extensions might not immediately raise red flags, they are often wolves in sheep’s clothing.
Executable files (.exe) and JavaScript files (.js) can hide malicious intent, paving the way for malware or sneaky script execution when opened. Similarly, macro-enabled Microsoft Office files (.docm, .xlsm, .pptm) may seem harmless but can contain macros designed to damage your system’s security.
The risk doesn’t stop there. Cybercriminals also use zip or archive files (.zip, .rar) to hide their malicious payloads. These files act as Trojan horses, sneaking malware past email security filters because they are often password-protected, with the password included in the email body. While you know the password, antivirus software doesn’t.
Shortcut files (.lnk), usually innocent, can be repurposed to hide malicious executables or redirect users to dangerous websites. Scratchpad files (.scr) and batch files (.bat) are also often exploited to execute harmful scripts or automate malicious actions, leading to severe consequences.
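A mail gateway or triage script can apply the same extension checks without opening anything. This is an added example, not part of the original article: it walks a message's attachments, flags the extensions named above, and lists the members of a zip (flagging password-protected ones) without extracting them. The sample message and file names are constructed; .rar files cannot be read with the Python standard library, so they are reported as not inspected.

```python
import io
import os
import zipfile
from email.message import EmailMessage

RISKY = {".exe", ".js", ".docm", ".xlsm", ".pptm", ".lnk", ".scr", ".bat"}  # named in the article

def extension(name):
    """Final extension, lower-cased, so 'invoice.pdf.EXE' yields '.exe'."""
    return os.path.splitext(name.lower())[1]

def attachment_findings(msg):
    """Return (attachment name, reason) pairs for an EmailMessage."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = extension(name)
        if ext in RISKY:
            findings.append((name, "risky extension " + ext))
        elif ext in (".zip", ".rar"):
            findings.extend(archive_findings(name, part.get_payload(decode=True)))
    return findings

def archive_findings(name, data):
    """Look inside a zip without extracting or opening any member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.infolist()
    except zipfile.BadZipFile:  # also the outcome for .rar files
        return [(name, "archive could not be inspected")]
    out = []
    for info in members:
        if info.flag_bits & 0x1:  # bit 0 set: member is password-protected
            out.append((name, "encrypted member " + info.filename))
        if extension(info.filename) in RISKY:
            out.append((name, "contains " + info.filename))
    return out

def build_sample():
    """Constructed message: a zip holding a .js file, a macro doc, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("receipt.js", "// harmless placeholder")
    msg = EmailMessage()
    msg.set_content("Invoice attached, password in this email.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename="Report.DOCM")
    msg.add_attachment("just notes", filename="notes.txt")
    return msg
```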
3. Beware of man-in-the-middle
Let’s have an imaginary John, an account manager in the finance department, who gets caught in a major cyber scam.
It starts with a series of emails about an invoice payment. A malicious actor has infiltrated the email exchange and intercepted John’s communication with his client (a man-in-the-middle attack).
As the payment deadline nears, John receives what seems like the final email from the trusted source, but the attacker has substituted their bank account details for the legitimate recipient’s.
Because it seems urgent, John unknowingly transfers the funds to the attacker. He later realizes he’s been victimized by a man-in-the-middle attack. The attacker disappears, leaving John with financial loss and broken trust.
Moral of the story? Always double-check payment details, especially via email. Verify the recipient’s account through secure channels, like phone calls or in-person confirmation. This extra step can safeguard your money from fraudulent schemes.
4. Impersonation of big corporations
Phishing attackers often impersonate large corporations or well-known brands to make their scams seem credible. They use official logos, email templates, and branding to create convincing facades. This perceived authority can lower your guard, making you more susceptible to phishing.
Imagine receiving an email from your bank about a security update. The email urges you to click a link to verify your account details, and you trust the sender.
To protect yourself, always verify such communications by contacting the company directly through official channels to confirm the legitimacy of the request.
5. Fake URLs
You just received an email from your favorite online shopping platform offering a tempting discount. The email contains a link to “Claim Your Discount Now,” which displays a familiar web address.
However, when you click the link, you’re redirected to a convincing replica of the site. The URL has been forged to trick you into thinking it’s the real website.
This tactic is common in phishing attacks, where cybercriminals manipulate URLs to divert users to malicious sites designed to steal personal information or install malware.
To protect yourself, always be cautious when clicking email links, especially from unknown or unexpected senders. Hover over links to preview the URL and ensure they are legitimate. Alternatively, type web addresses directly into your browser or use bookmarks for trusted sites.
6. Phishing trends
Phishing trends are specific patterns or methods used by cybercriminals. These evolve with changes in technology and current events, ranging from new impersonation tactics to exploiting emerging tech vulnerabilities.
You can stay updated on new phishing methods by regularly checking news and security reports. For instance, last year, there was a spike in emails about missed shipments or credits to claim.
7. Common filesharing URLs
Attackers sometimes misuse trusted file-sharing platforms (e.g. Google Drive) for phishing scams. How does this happen?
Via a fake sharing link
You receive an email that seems to be from someone you know, sharing a Google Drive document. When you click the link, it takes you to a website that looks like Google Drive but actually isn’t.
The fake site then asks you to log in, and if you enter your credentials, the attackers steal your login details.
Real document with malicious links inside
The shared document is real and hosted on Google Drive, but it contains a link to a harmful website.
While file-sharing websites have built-in security, if a website considered legitimate is compromised or starts hosting malicious links, it might take a while before security systems flag it.
Clicking on these links could infect your device or steal your information.
To protect yourself, always verify unexpected shared documents (double check if the file was uploaded by someone you trust), check web addresses carefully, and be cautious with links inside documents.
8. Emails sent by people in non-business hours
Be cautious of emails sent outside typical business hours. Attackers can operate from any time zone, so emails received at unusual times may indicate phishing.
If you get emails outside the usual schedule, especially with urgent requests, scrutinize them carefully before acting.
9. Unsolicited investment opportunities
Be cautious of emails promoting investment opportunities or financial schemes that promise high returns with minimal risk. These could be phishing attempts to steal your money or personal information.
10. Tax season caution
During tax season, there’s a surge in phishing scams by imposters posing as “tax authorities.” These scammers request financial information or distribute fraudulent tax “receipts” that are actually malware. In 2022, the IRS identified $5.7 billion in tax fraud schemes.
Also, phishers often trick employees into revealing sensitive information, like W-2 forms, by sending emails that appear to come from the company’s HR department. If you fall victim, attackers may file tax returns in your name, stealing your refunds.
11. Generic greetings or salutations
Phishing emails often use generic greetings or omit personal salutations entirely. Common phrases include “dear customer,” “dear account holder,” “dear user,” “dear sir/madam,” or “dear valued member.”
If an email from a reputable source doesn’t address you by name, consider it a red flag.
By looking out for the signs above, you can significantly reduce your risk of falling victim to phishing attacks. The basic principle is – ‘always verify before you trust’.
What to do if you suspect a phishing attempt?
If you suspect an email is phishing, do or don’t do 😀 the following:
- Do not click: Avoid clicking on any links or downloading attachments in the suspicious email. These could lead to malicious websites or install malware on your device.
- Verify sender: Check the sender’s email address carefully for any discrepancies or signs of impersonation. Look for misspellings or unfamiliar domains that may indicate a phishing attempt.
- Scrutinize content: Examine the content of the email for red flags such as urgent requests for personal information, grammatical errors, or suspicious attachments.
- Contact the sender directly: If the email appears to be from a legitimate organization, verify the request by contacting the sender directly through official channels, such as their website or customer service hotline.
- Report to IT: Report the suspicious email to your organization’s IT department or security team for further investigation and guidance.
How to report phishing attempts?
You can either report internally (for business accounts) or externally (for personal accounts):
Internal reporting – If you receive a phishing email at work, report it to your organization’s IT department or designated security contact immediately. They can take appropriate action to mitigate the threat and prevent further attacks.
External reporting – For personal email accounts, report phishing attempts to the appropriate authorities or organizations. Most email providers have mechanisms for reporting phishing emails, such as a “Report Phishing” button or email address.
How to prevent phishing?
Apart from looking out for the signs above, you should also take some other proactive steps to protect yourself from phishing attacks:
- Educate yourself and your colleagues about the dangers of phishing and how to recognize and avoid suspicious emails.
- Enable email filters and spam detection tools to automatically identify and quarantine suspicious emails before they reach your inbox.
- Enable MFA for your email and other accounts to add an extra layer of security against unauthorized access.
- Keep software updated with the latest security patches to protect against known vulnerabilities.
- Create strong, unique passwords for your accounts – and avoid using the same password across multiple platforms to minimize the risk of credential theft.
- Boost your security with a next-gen email security solution that can detect and remove malicious attachments, filter through compromised IP addresses and domains, and identify suspicious links.
Final thoughts
Thank you for getting this far, and I hope you learned a thing or two about phishing, how to spot it, report it, and prevent it from ever becoming a life upside-down kind of nightmare.
If you found this guide helpful, make sure you add it to your favorites so you can revisit it whenever you need a refresher.