Learn to recognize a phishing email
There are some hallmarks of a phishing email that you should be able to recognize. But be careful: not every phishing email shows all of these traits, and a sophisticated campaign may show none of them.
1. Branding
When you receive an email, ask yourself “Does this look right?” A good first step is to check for inauthentic or amateurish logos and email signatures.
Here’s an example: on the left is a genuine email from shipping company DHL, and on the right is a fake, taken from a 2020 phishing campaign:
In this side-by-side example, you can see a real email from DHL, and a phishing email that's been sent to appear like it's from DHL.
You can see that the email on the right is trying to look like DHL. It’s using DHL’s red and yellow branding, but it’s clearly a cheap imitation. If you receive an email looking like this, alarm bells should immediately start ringing.
2. Spelling and grammar
Second, check the email for spelling and grammar mistakes. Again, while poor spelling and grammar are a good indicator that an email is inauthentic, it’s increasingly common for phishing campaigns to contain very few errors.
Check out this example:
This fake Netflix email is a real-life example of a credential phishing attack that has been circulating since at least May 2018.
Not sure what credential phishing is? We explain everything you need to know in this article: What is Credential Phishing? How Does it Work?
Unlike the DHL email, this Netflix scam is pretty convincing, except for a couple of tiny errors that give it away. There’s an unnecessary space in the greeting (“Hello ,”) and a missing apostrophe (“We re here if you need it”).
These errors don’t necessarily indicate a phishing email — they might have gotten past Netflix’s quality control team — but they’re a red flag (if you notice them).
3. Sense of urgency
Third, a phishing attack usually conveys some sense of urgency. Whether the attacker is trying to persuade you to make a payment, download a file, or click a link — they know you’re more likely to do so if you’re feeling anxious. Stressed people make bad decisions.
Here’s an example of an American Express scam that emerged in 2020:
This is an example of an American Express phishing scam.
Many people will panic when receiving this and immediately click “NO.” They might even do this despite having second thoughts about the nature of the email. Of course, this is exactly what the cybercriminal wants.
4. Inauthentic sender address
Finally, there might be some more subtle indicators that the email you’ve received is part of a phishing scam. These have to do with the sender’s email address.
A phishing email is more likely to succeed if it appears to come from a trusted email address. Attacks that rely on this kind of sender impersonation are known as Business Email Compromise (BEC), and the FBI estimates that BEC cost businesses $1.7 billion in 2019.
Cybercriminals use three main techniques to make email addresses look authentic:
- Email impersonation: The sender address looks similar to a genuine business address (think “b.gates@micros0ft.com” or “elonmusk@tessianmail.com”), usually because the attacker registered a lookalike domain. Impersonation can be easy to spot if you’re paying attention to the exact domain after the @.
- Email spoofing: The fraudster forges the message’s headers (typically the From line) so the receiving email client displays an address the attacker does not actually control. SPF, DKIM and DMARC exist to catch this, but in some cases spoofing is only noticeable if you inspect the raw header information, such as the Return-Path or the Authentication-Results line added by your own mail server.
- Account takeover (ATO): The email arrives from a genuine account whose credentials have been compromised, so the address, the headers and the authentication results all look legitimate. ATO is nearly impossible for a person to detect from the email itself and requires email security software.
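The three sender-address techniques above can be triaged from the raw headers of a message. The following is an added, illustrative Python script written for this article; it is not Tessian’s product code or any library’s API. It assumes a hypothetical list of trusted domains (`TRUSTED_DOMAINS`) and uses three constructed sample messages, one per technique. It flags lookalike domains (homoglyphs such as “0” for “o”, one-character typos, and brand names embedded in a longer domain), mismatches between the From, Return-Path and Reply-To domains, and non-passing SPF/DKIM/DMARC results in the Authentication-Results header. Note what it cannot do: the account-takeover sample produces no findings at all, which is exactly the point made above.

```python
"""Sender-identity triage for a raw RFC 5322 message (illustrative example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, hypothetical list of domains this organisation treats as trusted.
TRUSTED_DOMAINS = frozenset({"microsoft.com", "dhl.com", "netflix.com", "tessian.com"})

# Digits and letter pairs commonly substituted in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain):
    """Undo common homoglyph tricks so micros0ft.com compares equal to microsoft.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo domains (micosoft.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the trusted domain that `domain` appears to imitate, or None.

    Heuristic: an exact trusted domain is never a lookalike; otherwise flag a
    homoglyph match, a distance-1 typo, or a trusted brand embedded in the
    registrable label (tessianmail.com). Expect some false positives on legitimate
    brand-affixed domains; this is a triage signal, not a verdict.
    """
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalise(domain)
    label = norm.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if norm == trusted or edit_distance(norm, trusted) <= 1 or brand in label:
            return trusted
    return None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of human-readable findings about the sender identity."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Impersonation: lookalike domain in the visible From address.
    target = lookalike(from_dom)
    if target:
        findings.append(f"impersonation: From domain {from_dom} resembles {target}")

    # 2. Spoofing indicators: envelope sender or reply address on another domain.
    for header in ("Return-Path", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and domain_of(addr) != from_dom:
            findings.append(f"mismatch: {header} domain {domain_of(addr)} != From domain {from_dom}")

    # 3. Authentication results recorded by the receiving server (SPF/DKIM/DMARC).
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m:
            findings.append(f"{mech}: no result recorded")
        elif m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1).lower()}")
    return findings


# Constructed sample messages (not real traffic). mx.example.com is the assumed receiving server.
IMPERSONATION = """\
From: Bill Gates <b.gates@micros0ft.com>
Return-Path: <b.gates@micros0ft.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=micros0ft.com; dkim=pass header.d=micros0ft.com; dmarc=pass header.from=micros0ft.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

SPOOFED = """\
From: Netflix <info@netflix.com>
Return-Path: <bounce@mail-relay.example>
Reply-To: <support@mail-relay.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail header.from=netflix.com
Subject: Your account is on hold

Hello , we re here if you need it.
"""

ACCOUNT_TAKEOVER = """\
From: Alice Example <alice@tessian.com>
Return-Path: <alice@tessian.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=tessian.com; dkim=pass header.d=tessian.com; dmarc=pass header.from=tessian.com
Subject: Updated bank details

Our bank details changed, please use the new account for this month's payment.
"""

if __name__ == "__main__":
    for name, sample in (("impersonation", IMPERSONATION), ("spoofed", SPOOFED), ("ato", ACCOUNT_TAKEOVER)):
        print(name, triage(sample) or "no findings")
```

Two things worth noticing when you run it. The impersonation sample passes SPF, DKIM and DMARC, because the attacker controls micros0ft.com and can set up authentication for it, so a green “authenticated” tick is no defence against a lookalike domain. And the account-takeover sample returns no findings, which is why that case has to be caught by other means.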