With increasingly sophisticated types of phishing attacks now used by hackers, it’s easier than ever to be duped. When an attack is successful, businesses can suffer substantial financial and reputational damage. They can also experience a loss of business and regulatory fines. For this reason, businesses and their employees must know how to spot and report phishing attacks quickly and efficiently.
As of 2022, it is thought that 96% of phishing attacks arrive by email. Additionally, research from Symantec suggests that one in every 4,200 emails is now a phishing email. While this may not sound like many on the surface, when you consider how many emails a business receives on a daily basis, this is a worrying statistic. This makes cybercrime prevention training vital for employees of the majority of modern businesses.
Teaching employees how to spot phishing emails starts with understanding what ‘phishing’ is. In this guide, we explain exactly what it means and how it can impact your business. We also outline the best methods of protecting your business by identifying and reporting phishing emails.
Phishing emails are malicious digital messages designed to trick people into falling for a scam. The intent of these scams is usually to steal sensitive information. This can include financial information, personal data and system credentials.
Successful phishing emails typically see the sender pose as a trusted individual or institution, such as a senior staff member or a bank. The email then trades on that trusted status to lure individuals into providing sensitive data. Stolen information is then used or sold by criminals.
Although some phishing emails are rudimentary and easy to spot, scams are becoming increasingly sophisticated. This makes them more difficult to identify. Below we outline our top tips for spotting and reporting phishing emails in an increasingly hostile cyber environment.
Successful phishing emails can cost businesses huge amounts of money, undermine customer trust, and lead to regulatory fines. This makes prevention protocols incredibly important. Here are some simple yet effective tips to help employees spot phishing emails before they can do any damage.
1. Look for unusual/inconsistent URLs and addresses
Whenever you receive an unexpected email, you should first take a close look at the sender’s email address. A large red flag when it comes to suspicious emails is when the actual email address does not match the name/brand the sender is purporting to be. For example, if the email is claiming to be from your bank, you would expect the email address to have a domain along the lines of @[insert bank name].co.uk. If this is not the case, the email is likely a scam.
Similarly, links included in scam emails will lead to sites that have nothing to do with the purported sender’s domain. For this reason, it is sensible to hover over a link before clicking. This will show you the address it actually points to without taking you to the potentially dangerous site.
2. Be careful when it comes to attachments
Just as links can be dangerous, so too can email attachments. Whenever an unexpected email is received, be certain of the sender’s identity before opening any attachment. Even if the email appears to be from a trusted source, it is a good idea to double check that the sender has knowingly sent an attachment before opening it.
3. Look out for poor spelling/grammar
Phishing emails often originate in other countries. With this in mind, one of the fastest ways to identify a scam email is through inaccurate spelling or unusual use of language. Due to the sheer frequency and scale of some phishing campaigns, would-be cybercriminals also get sloppy when it comes to their content. This means that, even if the email does originate from your country, poor spelling and grammar are a reliable indicator that you’re dealing with a phishing email.
4. Be wary of urgent calls to action
A telltale sign of a phishing email is the inclusion of an ‘urgent’ call to action. By creating a false sense of urgency and demanding immediate action, cybercriminals hope you will fall into their trap without properly inspecting the credentials of the email. To avoid this, be suspicious of all emails that claim you must ‘act now’ by following a link or opening an attachment. These calls to action will usually be presented as ways to avoid financial penalty or claim a reward. So, if you see something like this in an email, don’t rush into anything. Try to slow down and carefully examine the email for other red flags.
If you believe you have received a phishing email, you should report the message to your business’s IT department or security team. As discussed above, never open any attachments or click on included links. The relevant team in your organisation will be able to examine the email and determine whether or not it is a legitimate threat.
If the email is considered dangerous, IT security should report it to the UK’s National Cyber Security Centre. To do this, all they have to do is forward the email to firstname.lastname@example.org. If you are self-employed or your business does not have a dedicated IT or security team, you should report any suspicious emails in the same way. Remember – it’s always better to be safe than sorry.