
Phishing awareness training

How to Identify a Phishing Email

20% of employees click on phishing links (Terranova Security). Teaching your employees how to identify a phishing email through regular phishing awareness training can make all the difference. In today’s blog post we are sharing all the phishing awareness points to cover in your next phishing awareness training: 

Phishing Overview

A phishing email is a way for the bad guys to steal sensitive information from your company. Hackers can use phishing in emails, text messages, and advertisements. For companies, phishing attacks are most commonly seen in emails. Holding regular phishing email education sessions makes your employees more likely to avoid phishing attacks that might compromise your data.

The types of phishing emails are as varied as the fish in the sea. Some are clearly and easily detected; others are very difficult to spot. Some look like generic advertisements, others are personalized to look like they come from your bank, and still others appear to come from someone trusted in your organization or family. Regardless of the approach used or the quality of the crafted email, phishing emails all have some common characteristics. Let’s take a look at a few different phishing emails we pulled from our email filter and learn from them.

Simple, but Targeted Phishing

The above is an attempt at what we call Whaling – or going after the big fish in the company.  In this example, Peter is the CEO and Bill is the CFO.  In this attempt the sender is clearly trying to accomplish the following:

  1. Trick Bill into believing that Peter sent the email.
  2. Count on Bill being busy and replying quickly out of reflex rather than really looking at the email.
  3. Get Bill to reply to the email, in which case the attacker would probably follow up with an email that contains a link or attachment, or perhaps with instructions to wire money somewhere.

Here are a few things that made this easy for our CFO to identify.

  • The email address does not match the sender’s name.  In the Outlook inbox, you may not see this disconnect (which is why these sometimes work), but opening the email makes it very evident.
  • Bad spelling or grammar
  • Used the name William instead of Bill.  People who work as closely together as a CEO and CFO do will use the preferred name, not full name in most cases.

Standard Targeted Phishing

This one is fairly similar to what you might expect from a Marriott type email.  It appears to come from a legitimate source, in this case Cintas Corporation, with a professional signature. But this too is a fairly easy phishing email to identify.  Just like the previous email, this one has poor grammar and an email address that does not match the sender (clearly, we’d expect the sender’s email address to actually be from Cintas).  Here are some other clues:

  • This email makes the mistake of simply just saying “Hello”. The content of the email suggests they had a call earlier that day. We would expect it to be somewhat informal, but at least mention the recipient’s name.
  • Not just bad grammar, but bad English.  You would expect a professional from Chicago to have a more professional email.
  • There is an attachment of some sort in the email. It’s best practice not to open attachments like this.
  • The link at the bottom of the signature block is a clear and evident sign of phishing. It is not tied to Cintas Corporation, it has a foreign top-level domain (.ga), and simply doesn’t match the sender.  The sender probably intended to send this as an embedded hyperlink rather than just a link in full view.

Using the Email Header

If you get an email and are not sure whether it is phishing, you can always analyze the email header to see the behind-the-scenes information. To find the header (in an Outlook email), expand the Tags section in the menu bar; when it opens, you will see the internet headers.  It is easiest to simply copy everything in the Internet Headers box, paste it into a Notepad++ or Word document, and work from there.


In the above header, some things you will want to look at and also look for (that are not here in this header):

  • The path the email took to get to your inbox goes from closest to furthest as you read through the header. So sometimes, you can identify the mail server IP address that the email actually came from. In this case, we are fortunate, and we have the IP. In this case it is: This IP, we know from the domain in front of it, belongs to (not Cintas), and a quick internet and WHOIS search tells us this is registered in Denver, CO and has been reported for illicit activity in the past.
  • Some headers (this one does not) will have an X-Forwarded-For or X-Originating-IP field, which will also give you the IP address the email came from.
  • The “From” line confirms the email address and the name don’t match
  • Sometimes the “Reply-To” field will be populated with a different email address. No legitimate email will have that unless it is a “do-not-reply” type email.
  • Some headers will also have an X-Mailer field which will tell you what email server / application was used to craft and send the email.  This can identify an obscure application that either is not common in U.S. corporate environments or is mostly used overseas.
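
The checks in the list above can be run over a pasted header in one pass. The following is an added example, not code from the original post: the sample header, its names, domains and IP are constructed, and `triage` and `expected_domain` are hypothetical names. It goes slightly beyond the list by also flagging a From domain that is one character away from the expected one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (reserved example domains and documentation IP range).
SAMPLE = """\
Received: from mx.company.example (10.0.0.5) by mail.company.example; Mon, 1 Jan 2024 10:00:03 -0800
Received: from relay.mailbox.example (relay.mailbox.example [203.0.113.45]) by mx.company.example; Mon, 1 Jan 2024 10:00:01 -0800
From: "Peter Smith" <ceo.office@mailbox.example>
Reply-To: payments@other-mailbox.example
To: bill@company.example
Subject: Quick request
X-Mailer: ExampleBulkMailer 1.0

Are you at your desk?
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw, expected_domain):
    """Return the header facts an analyst checks first, plus a list of findings."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    findings = []
    if from_dom != expected_domain:
        close = edit_distance(from_dom, expected_domain) == 1
        findings.append("lookalike-domain" if close else "from-domain-mismatch")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to-differs")
    if msg.get("X-Mailer"):
        findings.append("x-mailer:" + msg["X-Mailer"])
    # Each relay prepends its Received line, so the last one is the furthest hop.
    # Hops below your own first trusted server can be forged by the sender.
    origin_ip = None
    for hop in reversed(msg.get_all("Received") or []):
        match = IP_RE.search(hop)
        if match:
            origin_ip = match.group(1)
            break
    claimed = (msg.get("X-Originating-IP") or "").strip("[] ")
    return {"display_name": name, "from": from_addr,
            "origin_ip": claimed or origin_ip, "findings": findings}
```

Calling `triage(SAMPLE, "company.example")` returns the display name, the real sending address, the furthest-hop IP and the list of findings for the constructed message.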

These are just a few of the tips you can use to identify a phishing email.  In all candor, if you are not an information security professional, you probably do not need to get into the email header. Simply report the email up to your security team.  

Email Best Practices

Phishing emails are common and the ones that I presented here are not the most sophisticated. Sometimes they are much more difficult to discern.  So, I follow a few simple rules that keep me safe from phishing:

  1. Only open emails from sources that I know and/or was expecting
  2. Do not click links in emails; I manually browse to what was linked if I can
  3. Do not open attachments unless I was expecting the attachment and am completely confident it is legitimate.
  4. If it smells phishy, it probably is.  I trust my gut. 

On this last point, this has saved me more than any other tip in this guide.  A couple of months ago, I received a well-crafted phishing email that appeared to come from one of our executives.  Almost everything about it looked legitimate, but it just did not seem right to me.  After taking a closer look at the email address that sent it, it was sent from an email address that was just one letter off from their legitimate address.  My gut’s suspicions were confirmed.   

Phishing is the #1 way hackers are finding success and compromising computers and corporate enterprises. The more you can do to familiarize yourself with how to identify phishing emails, the safer you will be.  Education and experience do far more to protect you and your organization from phishing than any amount of email security applications you can employ.
