Phishing is one of the curses of the internet age. If you’ve ever received an email which outwardly seems legitimate, only to find that it seeks to take you to a completely irrelevant web page, you’ve been phished.
These days, if you fall victim to the various types of phishing, the results can be devastating, both financially and psychologically. So it makes sense to find out what is a phishing email, and how to avoid becoming prey to the online world’s most devious predators.
What is phishing?
If you’re wondering how does phishing work, you might be surprised by how simple the practice actually is. This isn’t a form of hacking which relies on cutting edge coding skills or specialist equipment. In fact, a successful phishing email resembles a magic trick more than a sophisticated hack.
All types of phishing have key similarities. Most importantly, phishing email examples will be persuasive. Their primary aim is to convince the recipient that:
- The sender is a legitimate individual or organization
- Their words should be taken seriously
That’s why you’ll often receive phishing emails seemingly coming from respected companies like Amazon or the Inland Revenue Department. People are more likely to open emails from organizations they trust or respect.
At the same time, there’s a technical side to the question of what is a phishing email. Phishers can’t just write a persuasive text. They also work hard to make their emails look as much like the “real thing” as possible, incorporating graphics and layouts which mimic legitimate communications.
In the United States alone, phishing costs around $1.6 billion (and that’s just the attacks that are reported.) And the average corporation spends $3.6 million on measures to detect phishing attacks – so it’s a major concern.
In 2019, Google security researcher Elie Bursztein and University of Florida professor Daniela Oliveira explained that Google blocks 100 million phishing emails for its Gmail users every single day: an indication of the sheer scale of the problem and the popularity of phishing amongst hackers.
So why is it such an effective tactic? According to the research, 68% of phishing emails blocked by Google at any one time are new variations never before seen. “This fast pace adversarial evolution requires humans and machines to adapt very quickly to prevent them,” it argued.
This challenge is compounded by the fact that many campaigns are targeted at small groups of users: perhaps just a few dozen. Such “boutique” campaigns also last just a few minutes – meaning that they could be over before you’ve even been able to update your guidance to staff.
Identifying phishing email
Phishing emails have to include a way to harvest information from recipients. This could entail the following:
- Clicking a link to a fake website
- Downloading an attachment with a Trojan horse
- Calling a fake customer service hotline
All of which gives hackers the opportunity to control your computer.
When you bring all of these elements together, it’s easy to see why people need to know what is a phishing email. These attackers tend to be very effective at targeting people who aren’t security-conscious, and they prey on vulnerable internet users.
5 most common phishing email examples
If you aren’t sure how to detect phishing emails, checking out some phishing email examples is definitely recommended. There’s no single template for these emails, but there are some categories which appear again and again.
1. Spear fishing
Spear fishing is a very precise form of phishing, where attackers work hard to include personal details such as the names of colleagues, past purchases, and contact information. By doing so, these emails try to establish a personal connection with the recipient. They tend to be associated with social networks like LinkedIn, where users regularly receive unsolicited (but legitimate) emails from recruiters.
Pharming is one of the most devious kinds of phishing attack. In these attacks, phishers actually “poison” the DNS server of a website and redirect users to the site of their choice. So the links in phishing emails can seem totally accurate, but they can still send users to dangerous sites. This makes it very important to take care when clicking any email links.
3. Simple deception
The classic answer to the question of what is a phishing attack, simple phishing emails are just generic appeals to take a particular action. In the past, they may have told stories about long-lost relatives in distant countries, and sudden inheritances. Nowadays, those stories have less power, and other narratives are employed. So always be skeptical about people contacting you out of the blue.
Whaling is a specific form of phishing that plays on the way businesses are structured. In these attacks, phishers target people high up in corporate hierarchies, probably hoping that they don’t have the security savvy of those lower down the food chain. So anyone in a position of authority should tighten up their anti-phishing knowledge.
5. Cloud phishing
With the rise of cloud-based apps like Google Docs and Dropbox, new forms of phishing email have emerged, expanding the answer to the question of how does phishing work. In these scams, phishers direct users of cloud-based services to completely fake versions of the apps they rely on. So if you use these apps, 2-step verification is advisable.
6 ways to identify a phishing email
1. Check for unusual attachments
Many phishers will add attachments to their emails. These attachments tend to contain viruses or other software that actually does the damage, so never open them if prompted, and be very skeptical about emails with any unsolicited attachments.
2. Check the email address
Often, unsafe emails will appear to come from a major corporation, but the actual email they are sent from has nothing to do with the company they are imitating. A phishing email example could come from Amazon customer services, but if you check the email itself, it could have a generic Gmail account. That’s another major red flag as far as phishing is concerned.
3. Is the tone right?
Phishers thrive by encouraging you to click a certain attachment or link, and to do so they often adopt a certain tone. If an email seems to be written in an urgent style that seems to pressure you to take action, it could well be part of a phishing expedition.
4. Tiny errors can mean trouble
Phishers may be skillful, but they often aren’t actually brilliant English speakers. Their emails can flow well but are sometimes littered with mistakes, in a way that professional writers tend to avoid.
5. Be really careful about outgoing links
Aside from attachments, always double-check outgoing links. A key way of learning how to spot a phishing email is to check links for minor errors. Phishers know that people pay attention to these things, and will spell things like “Verizon” as “Verizom“ – often without users noticing. So stay vigilant.
6. What are they asking?
When parsing the content of suspected phishing emails, think about their intentions. Remember, banks and other credentialed financial institutions don’t ask for financial details out of the blue. They have protected channels to guard against theft and fraud. So whenever this happens, it’s time to flag an email as spam.
What to do if you receive a phishing email?
If you’ve been unfortunate enough to receive an email threat, and you’ve learned how to identify a phishing email, how can you respond safely? Well, there’s one thing that you definitely shouldn’t do. Never respond directly to the sender.
Never respond directly to the sender. All you’ll do is confirm to the sender that you are a genuine email contact.
It might be tempting to tell them how you feel, but this is almost always an error. All you’ll do is confirm to the sender that you are a genuine email contact, resulting in a torrent of phishing content further down the line.
If you are a part of a larger body like a University department or company, the best course of action is to report the phishing attack to the IT team, who can carry out virus checks and make sure your security systems are up to date.
Why it’s vital to report phishing email scams
Phishing is a worldwide phenomenon, but it’s experienced on a person-by-person basis. We come into contact with phishers via the emails they send and the websites they create, making it hard for the authorities and security companies to take action to neutralize them.
Because of this, it’s really important to report phishing text whenever you receive it. If we all report phishing email scams, we can protect the online community as a whole – but it takes a collective effort to inform people who have the power to act.
Sites like Google are a major platform for phishers who run illegitimate sites or send emails, but Google relies on individuals to flag up problems. The same applies to Apple and email providers like Yahoo. So make a point of finding out how do I report a suspicious email or Google search result. We’ll all benefit as a result.
Reporting phishing email
Reporting phishing scams is absolutely essential. However, it’s important to note that the situation changes if you have fallen victim to a phishing attack. In that case, a crime may well have been committed, so instead of reporting phishing text to different companies or organizations, you’ll need to report the issue to the Police.
If you haven’t given away any details or lost any money, things are much simpler. The first stage in learning how to report phishing emails is detecting phishing scams reliably. Double-check the suspicious email, matching each link against actual websites, and carefully reading the text. Even the most reputable companies sometimes make grammatical or factual mistakes in their emails, so don’t rush to a conclusion.
However, if you’re genuinely concerned by an email, the next stage is to arrange a report. How to report phishing emails varies depending on which site is involved. For instance, if you’ve received an email from Amazon, you’ll need to send the details to their “stop spoofing” team.
Often, a phishing scam will involve more than one organization. For example, it might come from a government department, but be sent via Gmail. In those cases, it makes sense to report phishing text to both the email provider and the organization being spoofed. People often forget one of these reports, but they are essential to keeping the internet safe to use.
How to tell Google about phishing emails or websites
Google is well aware of the dangers posed by phishers, and they make it fairly easy to report a phishing attack. If the phishing attack takes the form of an illegitimate website address, you can just head to this page, enter the URL and whatever background comments could help guide Google’s team.
If you’re using Gmail, the process is slightly different, but should be dealt with in the same way. Sometimes, Google will be able to detect dangerous emails, which may have been flagged up by other users, or just haven’t been constructed with care and attention by the phishers.
You can also manually register your concern about an email. All you need to do to report phishing email to Gmail is to move the offending message into your spam folder. This sends the message to Gmail’s analysis team, who will assess whether it poses a threat. So don’t leave possible phishing emails in your account, and don’t just trash them.
Finally, some phishers use Gmail accounts to target their prey. In that case, there’s a specialist answer to how to report phishing emails to Google. Just head here and specify the nature of the threat.
How to report phishing email to Apple
Attacks that aim to steal Apple ID information are the number one most common type of phishing attack in the world. Around 1 in 4 phishing attacks are linked to Apple accounts, and the tech giant has made a point of seeking information from as many affected users as possible.
As soon as you identify a potential phishing attack on your Apple ID, the best idea is to send an email to Apple’s phishing threats team. Just forward the offending message without changing the header, as this can include useful information for Apple to analyze.
You can also report phishing email to Apple regarding your iTunes ID. Attackers often try to obtain your payment details by posing as iTunes, and Apple are well aware of their strategies.
They advise that official emails from iTunes will never ask for credit card CCV codes, credit card numbers, your mother’s maiden name, or your social security number. So if these details are requested, be sure to raise an alert. And all legitimate receipts from iTunes will include your billing address. If it’s not there, it’s time to report phishing email to Apple.
How to report phishing emails and messages on social media
These days, many phishers choose to target social media networks and their messaging systems, so it helps to answer the question of how do I report a suspicious email to Facebook or Twitter as well.
If you’ve received a message on Facebook which links to a site asking for your account details, don’t enter anything. To be extra careful, you might want to change your password. But whatever the situation, be sure to send details of the sender and the message to Facebook’s anti-phishing department.
The situation is very similar where Twitter is concerned. Phishers can learn plenty about targets from their Twitter feeds, and often send DMs or comments to attract attention.
Most unsafe links will be flagged up by Twitter on your feed, but this isn’t always the case, so be very cautious about clicking links sent by strangers. If a particular profile appears to be phishing, go to their page and click the “…” icon, before choosing the “Report” option. If there’s an issue, Twitter’s admins should remove the offending user.
How to protect from phishing attacks
By now, you’ve probably had the same thought most people have when discussing phishing. Instead of learning these techniques about how to identify a phishing email, why not learn how to stop phishing emails and cut off the poison at the source?
This isn’t always easy (or we’d all be doing it), but there are definitely some easy measures to take which can limit your exposure to phishing scams.
Update your browser
For instance, regularly updating your browser to the latest version is a good idea. Phishers are always looking to exploit older software, and developers constantly have to keep pace with their activities, so don’t be lazy. Click on the update link when it’s available.
Choose a secure email provider
Secondly, choose an email provider that is serious about stopping phishers. While Gmail protects fairly well, you may need to spend more time marking spam emails manually for the best results. That’s why we recommend picking one of the secure mail providers.
Secure mail providers can help to deploy basic spam filters to warn you when an email is suspicious and possibly phishing-related. There are quite a few that we’ve tested and can recommend.
One of our favorites is the Swiss-based ProtonMail, which has rightly gained a reputation for being one of the strongest, most secure email providers available. FastMail is generally well thought of in this regard, offering a system called SpamAssassin which performs reasonably well. Their spam filter is world-class and they have pretty good options for free users, with a starting allowance of 2 GB storage.
There are also plugins which download global phishing databases and then upload these to email clients like Outlook, keeping them up to date with what to filter out. The leader here is SpamSieve, which is only for Macs, although Windows alternatives are appearing and are worth a look.
There’s no reason to be caught out by phishers any more. So stop asking yourself how does phishing work, and start changing your behavior to detect the specific strategies that cyber-criminals use.
Anyone has the skills to decide what is phishing attack and what isn’t, but you need to take care. And don’t be afraid to bring in specialist security solutions like VPNs, which can screen email accounts against illicit emails.