Last year, I received an email from my “bank” alerting me to suspicious activity on my account. The layout and logo matched other official communications I had received from the bank, and I was naturally alarmed.
But a few things just didn’t add up. Instead of using my name, it addressed me as “Dear valued customer.” It then asked me to verify my account details, which runs contrary to standard bank security advice. The brightest red flag, though, was the sender’s email address, which didn’t match the bank’s domain.
Scammers have become quite smart. Tools like generative AI have made it easy for them to mimic the branding, tone, and even the writing style of legit companies.
But there are still telltale signs that help you identify a phishing attempt. Here, I’ll discuss these signs and share phishing email examples that could fool anyone.
What is a phishing email?
A phishing email is a type of online scam that tricks recipients into providing sensitive information, such as login credentials, credit card numbers, or personal identification details.
For example, here’s an email that Debbie Moran, marketing manager at RecurPost, received:
Cybercriminals design these emails to appear as if they come from legitimate sources (banks, official agencies, or well-known companies) and to create a sense of urgency or fear that prompts immediate action.
The scammer then uses the stolen information to commit fraud or identity theft, access the victim’s financial accounts, make unauthorized purchases, or even launch further phishing attacks against others.
The Different Types of Phishing Emails
Phishing emails come in all shapes and sizes, each designed to exploit a specific scenario and a specific human trait, such as trust, fear, or curiosity. Here are some common types, with phishing email examples of how they might look.
Spear Phishing
Spear phishing targets specific individuals or organizations through highly personalized emails. Attackers use information collected from social media or other sources to make the message seem legitimate.
For example, here’s an email that Phan Sy Cuong, PR specialist at Awesome Motive, the parent brand of WPBeginner, received. At the time the company’s employees received this, they were working with another company for employee insurance.
While the design was professional enough to fool people, the good thing is that the company had checks and balances in place.
“Whenever something strange pops up, we always communicate in our company channel to check if anyone’s receiving the same thing, or directly with the one in charge, in this case the HR manager, to ensure it’s something from our company,” says Cuong.
According to Cuong, the team always receives a heads-up if something is coming. “We were also briefed about the insurance we were in touch with before, so we acknowledged that the one in the email wasn’t correct,” Cuong says.
Whaling
A whaling attack is a spear phishing attack that focuses on high-profile targets like CEOs, CFOs, or other senior executives. The goal is usually to steal sensitive information from the company or to initiate fraudulent financial transactions.
For example, the accounting department at the cybersecurity company Heimdal received this series of emails.
The attacker created two email addresses, sent multiple emails between them, and forwarded the thread to the company’s accounting department. It’s a clever trick: a forwarded chain of emails looks like a legitimate history behind a payment request.
Valentin Rusu, the head of research at Heimdal, adds that whaling in particular is “a very dangerous trend since existing security systems work based on a flaw in grammar, suspicious email, suspicious links, and intent.”
When an email doesn’t have any issues like that, a cybersecurity company like Heimdal gives customers a personal, tailored neural network that learns from their data and adapts to their email behavior.
Rusu gives an example. As an incident response manager, Rusu says, it’s normal to receive many malicious URLs and attachments. However, this isn’t normal behavior for a finance department.
“This means you can’t create an email product that works for every scenario, so we built a custom neural network. This personal AI learns from company emails and detects behavior that doesn’t fit the patterns,” Rusu says.
Pharming
Pharming redirects users from legitimate websites to fraudulent ones via DNS hijacking or poisoning to collect personal and financial information. The attack isn’t email-based, but it’s often paired with phishing emails.
Example: An email from your “bank” asking you to log in to your account via a provided link, which then leads you to a fake banking site that looks identical to the real one.
Clone Phishing
Clone phishing involves creating a nearly identical copy of a previously sent email but with malicious links or attachments. The attacker might claim to be resending the email due to a failed delivery attempt or updating the content.
For example, here’s an email imitating a FedEx delivery notification email.
Vishing (Voice Phishing)
Vishing, or voice phishing, uses phone calls instead of emails to scam victims. It’s worth mentioning because it often complements email phishing.
For example, a voicemail or direct call claiming to be from your bank, stating suspicious activity on your account and asking you to call back using the provided number, which leads to a scammer.
Smishing (SMS Phishing)
Smishing is similar to phishing but uses SMS texts. It directs users to malicious websites or asks them to provide personal information via text.
For example, here’s a supposed email from the Canadian Revenue Agency that’s enticing me to click the link with a promise of $400.
How to Spot a Phishing Email
Phishing emails have become really sophisticated, especially since GenAI tools like ChatGPT have made it quite easy to create personalized phishing emails in seconds.
In fact, here’s an example from Valentin using ChatGPT for the same:
Scary, isn’t it? According to Proofpoint’s 2023 State of the Phish report, around 45% of people don’t know that a familiar company brand doesn’t make an email safe.
To increase your chances of being protected against such emails, look out for these six signs:
1. Suspicious Email Addresses
You’ve received an email that looks like it’s from a company you know.
But take a closer look at the sender’s email address. If it’s a jumble of letters or contains subtle misspellings (like “amaz0n.com”), that’s a red flag. Legit companies send from email addresses that match their domain names.
Legit companies also don’t use public domains like @gmail.com, @outlook.com, @yahoo.com, or any other free email service for official communications.
If you receive an email claiming to be from a reputable company but it’s sent from one of these public domains, be wary.
This detail is a key indicator in distinguishing between a genuine email and a potential phishing attempt.
2. Grammar and Spelling Mistakes
Ever cracked open an email and spotted a typo or two? Sure, we all make mistakes, but a message riddled with grammar errors and spelling slip-ups signals a serious problem.
Look out for typos, weird grammar, and sentences that don’t sound right. Also, keep an eye out for awkward phrasing or misuse of common terms, such as “Dear valued customer, confirm identity by click below.”
Real businesses have proofreaders and spellcheck tools for their emails because they know mistakes don’t make the best impression.
3. Unfamiliar Greetings or Sign-offs
If an email starts with “Dear Customer” or some other generic term instead of your name, it might be a scam. The same goes for weird or overly formal sign-offs. It might look formal, but it’s also a sign that the sender doesn’t actually know you.
Legit companies you do business with have your name in their database and use it. Their sign-offs are consistent too. Stiff sign-offs, like a formal “Cordially” from your supposedly casual service provider or an abrupt “Thank you” with no follow-up details, are red flags.
4. Suspicious Links or Attachments
One of the trickiest parts of dealing with phishing emails is sketchy links and attachments. Click on them accidentally, and you might be introducing malware to your computer.
Always check the URL before clicking. If the email says it’s from your bank but the link points somewhere weird (like a random assortment of characters or a site that doesn’t match the bank’s actual URL), that’s your cue to back away.
Also, a common trick is to send a document that claims to be an invoice, a receipt, or a “must-see” offer. But the moment you open it, you could be letting malware or a virus walk right through your system.
The key? Hover over links to see where they’re really taking you (without clicking!). And if there’s an attachment you weren’t expecting, reach out to the sender through a different channel to confirm it’s legit.
5. Requests for Personal Information
No reputable company will ask for sensitive info via email. No matter how official an email looks, remember this: genuine organizations don’t ask for sensitive details like passwords, credit card numbers, or Social Security numbers via email.
For example, an email might say, “We’ve noticed suspicious activity on your account. Please confirm your password to secure your account.” It’s a trap. Real banks and companies have secure processes for handling these situations, and they definitely don’t involve sending sensitive info into the email void.
Here’s what you do: Never, ever reply with your personal info. If you’re even a little bit concerned, go directly to the source. Log into your account through the official website or call the official contact number.
6. Urgent or Threatening Language
Ever gotten an email that makes your heart skip a beat?
โImmediate action required!โ or โYour account has been compromised!โ โ sounds pretty urgent, right? But thatโs exactly what phishers want. They use urgent or threatening language to make you react without thinking.
For example, you might see phrases like, โYour account password has expired, update now before you lose access to your accountโ or โAttempt to deliver your package unsuccessful. Please update your information within the next 24 hours.โ
Legit organizations donโt typically scare you into action โ they reassure.
Instead, reach out to the company directly using contact information you find through official channels, not email. When someoneโs pushing you hard to act fast, itโs probably because they donโt want you to think too much about what youโre doing or consult with anyone else.
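As an added example (not part of the original article), here is a small Python script that applies five of the six signs above to a raw email: the sender’s domain, the greeting, the real link target versus the displayed URL, requests for secrets, and urgency wording. The spelling and grammar sign is left out because a useful check needs a dictionary. The bank domain, the free-mail list, the phrase lists and the sample message are all constructed for the example.

```python
"""Heuristic scorer for the phishing signs discussed above (constructed example)."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the recipient actually banks with (assumption for this example).
EXPECTED_DOMAIN = "example-bank.com"
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "hi dear customer")
URGENCY_PHRASES = ("immediate action", "within 24 hours", "has been compromised",
                   "update now", "will be suspended", "lose access")
SENSITIVE_REQUESTS = ("confirm your password", "verify your password",
                      "social security number", "credit card number")
# Digit-for-letter substitutions used by lookalike domains such as amaz0n.com.
LOOKALIKE_TABLE = str.maketrans("01345", "oleas")

# Constructed sample message modelled on the "bank alert" described in the article.
SAMPLE_RAW = """\
From: Security Team <alerts@example-bank-security.net>
To: customer@example.net
Subject: Immediate action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer,</p>
<p>We have notice suspicious activity on you account. Please confirm your
password within 24 hours or your account will be suspended.</p>
<p><a href="http://examp1e-bank.com/verify">https://www.example-bank.com/login</a></p>
<p>Cordially,<br>Bank Service</p>
</body></html>
"""


class _HtmlScan(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable(host):
    """Crude 'brand.tld' reduction: www.example-bank.com -> example-bank.com."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_alike(domain, expected):
    """True when domain imitates expected via digit swaps or by embedding the brand name."""
    if not domain or domain == expected:
        return False
    brand = expected.split(".")[0]
    return domain.translate(LOOKALIKE_TABLE) == expected or brand in domain


def phishing_indicators(raw, expected_domain=EXPECTED_DOMAIN):
    """Return the list of red flags found; an empty list means no check fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sign 1: sender address on a free-mail provider or a domain that merely resembles the real one.
    _, addr = email.utils.parseaddr(msg["From"] or "")
    sender = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free-mail domain {sender}")
    elif looks_alike(sender, expected_domain):
        findings.append(f"sender domain {sender} imitates {expected_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    scan = _HtmlScan()
    scan.feed(body.get_content() if body else "")
    text = " ".join(" ".join(scan.text).lower().split())

    # Sign 3: generic greeting instead of the recipient's name.
    if any(text.startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic greeting")

    # Sign 4: the "hover" check, i.e. the real href differs from the URL shown, or imitates the real domain.
    for href, anchor in scan.links:
        target = registrable(urlparse(href).hostname or "")
        shown = registrable(urlparse(anchor).hostname or "") if anchor.startswith("http") else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        elif looks_alike(target, expected_domain):
            findings.append(f"link target {target} imitates {expected_domain}")

    # Sign 5: requests for passwords or other secrets.
    if any(p in text for p in SENSITIVE_REQUESTS):
        findings.append("asks for sensitive information")

    # Sign 6: urgent or threatening language.
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgent or threatening language")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_RAW):
        print("-", finding)
```

Run against the sample, the script reports all five checks firing; a plain statement notice sent from the bank’s own domain and addressed to the customer by name produces no findings. The phrase lists are deliberately small, so treat the output as a prompt to verify through an official channel rather than as a verdict.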
Phishing Emails I Could Have Fallen For (And Why I Ultimately Didn’t)
I’ve seen several convincing phishing email examples that could have conned me if not for a few crucial red flags. Here, I’ll share some of those close calls and explain why I ultimately didn’t fall for them.
PayPal
At first glance, the email nails PayPal’s branding, with the color scheme and logo suggesting authenticity. But closer inspection showed numerous spelling errors like “by following link,” “successfuly,” and “at the movement.”
The greeting was also not personal (“Hi dear customer”), which deviates from PayPal’s standard communication style. Plus, the sign-off (“PayPal service”) lacks the professionalism expected from the company.
Netflix
The subject line for this email stated, “Your Membership has been canceled due to payment failed,” which instantly grabbed my attention.
But the content of the email contradicted this message, claiming, “We’ve locked your account, as you asked.” This inconsistency was a clear warning sign.
Apart from this, the closing remark, “Your friends at Netflix,” seemed unusually informal for official Netflix communication.
The most telling sign of a phishing attempt, however, was the sender’s email address: no-reply@talents-connect.fr, a domain distinctly unrelated to Netflix. These signs made it pretty obvious this email was a phishing attempt.
Apple
I got an email that looked a lot like it was from Apple, with the right logo and everything. The greeting was the first red flag: it was addressed to “Dear Customer” instead of my name.
The email mentioned discrepancies in my account information, threatening to block my iCloud access if not resolved within 24 hours. Phishing attempts use this urgency to trick people into responding quickly and less cautiously.
It gave me a case number, even though I hadn’t contacted Apple regarding anything, so it was irrelevant. Plus, the subject line talked about my AppleID being locked and mentioned changes made from Ontario, which didn’t match the rest of the email’s story.
These things didn’t add up: the weird greeting, the rush to fix my account, the case number out of nowhere, and the mismatched subject line. They all pointed to the email not really being from Apple.
Amazon
I recently received an email from “Amazon” that, at first glance, appeared to be from the company. The branding seemed accurate and matched Amazon’s color scheme and logo. There were a few discrepancies, though.
The sender’s email address was a nonsensical combination of letters and numbers. There was also an attached file (which is already a red flag) with a random, meaningless name that confirmed the email’s illegitimacy.
The email also attempted to personalize the message using my email address rather than my name.
Plus, the use of “amazon” without proper capitalization, a call-to-action labeled “My Account” that seemed out of context, and an awkward closing remark, “Thank you for doing business with us!”, all contributed to the realization that this email was a phishing attempt.
Phishing No More
Scammers are smart, and they use a lot of tools to make emails that look authentic and convincing. But no matter the tooling, these attempts still rely on the same human tricks.
They prey on emotions (fear, urgency, curiosity) to prompt quick, unthinking actions. Recognizing the patterns, like urgent language, requests for personal information, or links that don’t quite match the supposed sender’s website, can be your first line of defense.
Lastly, educate yourself and complement your knowledge with tools like spam filters, antivirus software, and email verification to protect your personal information from falling into the wrong hands.