How to Identify Phishing and Spoofed Emails

As digital attacks become more sophisticated, being informed is essential to identify an attack or scam, and avoid a data breach.

phishing emails

Table of contents iconTable of Contents

    What Is Phishing?

    Phishing is the most common form of social engineering attack. Generally, it’s when hackers send an email designed to coerce the recipient to download malware, click a malicious link, or provide sensitive information about themself (such as a password). This is almost always done by instilling a sense of duress or fear in the recipient—creating an “urgent” scenario providing little time to think or notice the phishing scam.

    How Have Phishing Attacks Evolved?

    Gone are the phishing emails of yesteryear beginning with, “Greetings from the prince of the deposed King of… please wire me X amount and I’ll send you my millions” Or “Dear Sir or Madame, I am stranded in X country and need X amount of money to get home…”.

    As attackers develop better social engineering skills, it’s increasingly difficult to distinguish a fake email from a legitimate one.

    With much of the global workforce working away from the security of a corporate network, 2021 was one of the most active years for cyberattacks. According to CISCO’s 2021 Cybersecurity Threat Trends report, about 90% of data breaches occur due to phishing. These breaches, however, could have been prevented had users been aware of the subtle hints that an email is a phishing attempt.

    6 Questions to Dissect a Phishing Email

    1. Does The Email Header Have Specific Information?

    Email headers contain a bunch of info that can help determine if an email is legitimate or not. While some information in email headers can be spoofed, the following tips can assist you in identifying if someone is trying to deceive you.

    • Ensure the “From” email address matches what is contained in the display name. Just because the “From” portion of the email address looks legitimate, viewing the header may show a discrepancy between the “From” and the display name.
    • Verify that the “Reply-to” section matches the email’s source or “From” section. As this is usually hidden from the user and not verified before sending a response, spotting a difference can validate a phishing attempt.

    From: “Jane Doe” <>

    Reply-To: “Jane Doe” <>

    • Identify the ‘Return-Path’ as a legitimate source. The return path signals where the message originated from and, while possible to forge, it’s currently not standard practice to change it.

    From: “Jane Doe” <>

    Reply-To: “Jane Doe” <>

    Return-Path ”Jane Doe” <>

    2. Is the Email Content Generic or Targeted at You?

    Ask yourself, if you were expecting an email from this person or company, and if this email is specifically for you.

    Phishing emails typically begin with a generic greeting such as “Dear Valued Member, Dear User, Dear Customer, etc. A company you were expecting an email from should know your name and use it when contacting you.

    This isn’t completely foolproof as a targeted phishing technique called “Spearphishing” does use names and other personal info, so be on the lookout for other red flags.

    3. Does the Email Contain Poor Spelling or Grammatical Errors?

    Communications from most corporations are normally very professional and void of mistakes because they employ professional copywriters to write customer communications. Sure, the odd spelling mistake happens, but utterly nonsensical grammar or numerous errors is a big red flag.

    4. Are There Attachments You Didn’t Request or Expect?

    If you weren’t expecting a message from an organization and you’ve suddenly been sent a file to download without any action on your end, you should instantly be on guard.

    Most companies don’t attach documents in legitimate emails, so keep an eye out for potentially high-risk file types such as .zip or .exe. Legitimate companies will normally send a link to their site where you can safely download files.

    Just because a link says it will direct you to somewhere specific doesn’t mean it will actually lead you there. Click here to Login is an example of such a link, and phishing emails use this method regularly.

    Always hover your mouse over links to check if the hyperlink address is directing you to a legitimate source. If an email from Apple doesn’t direct you to an Apple website within the hyperlink address, that’s a red flag! 

    As an additional level of protection, look for “https://” at the start of a link. The S within “https://” stands for “secure”, and the alternative “http://” lacks a standard level of website security. As a general rule of thumb, don’t click on links that don’t use “https://”.

    6. Does the Email Attempt to Invoke a Feeling of Panic or Urgency?

    Headlines or email subject lines that contain messages such as: “URGENT ACTION NEEDED!”, “CLAIM YOUR PRIZE”, or “OVERDUE PAYMENT!” are commonly used in phishing attacks—the hacker’s goal is to make you think the email is legitimate.

    You may overlook other red flags in the email if you are nervous about punishment or fear missing out on a great deal. If you ever feel rushed by an unsolicited message, it’s definitely a sign to pause and take a second look at the email for other signs of phishing.

    What to Do if You Suspect an Email Is a Phishing Attempt?

    If you follow the previous 6 steps, you should be able to identify a phishing email and mark it as spam or delete it. However, if you’re ever in doubt, ask yourself this question: Do I have an account with the company or know the person that contacted me?

    If the answer is “No” it could definitely be a phishing attempt. If you find you need a refresher, bookmark this post and follow the 6 steps. If you identify any red flags, mark the email as spam and then delete it.

    If the answer is “Yes” but you are still suspicious, get in touch with the company or person being referenced in the email using contact information you can confirm is legitimate. This could be an email address or phone number obtained via a company “Contact Us” page. Make sure not to use any contacts, links, or attachments from the original email, as these could install harmful malware.

    Overall, be diligent, and know that we here at FreshBooks want to help you and your business stay secure in this ever-changing digital landscape.

    Venetia Verdicchio

    Written by Venetia Verdicchio, Director, Information Security, FreshBooks

    Posted on September 16, 2022