Phishing tactics are constantly evolving and becoming more sophisticated. Modern phishing schemes involve everything from social media messages to vishing (voice phishing) and deep fake technology. But its original form, the humble phishing email, remains a potent cybersecurity threat to your business that must not be overlooked.
GetApp’s 2023 Data Security Survey* finds that the top vulnerability IT security managers are currently struggling with is susceptibility to phishing and social engineering schemes. What’s more, IT security managers are most concerned about advanced phishing attacks heading into 2024. For these reasons, we’ve created this guide to help mitigate phishing threats that expose your company to everything from malware infections and data breaches to account takeovers and ransomware attacks.
Phishing emails are bogus messages intended to manipulate you into clicking a link, downloading an attachment, or providing sensitive data such as network credentials or financial information. These fraudulent emails typically include either a malicious link, a malicious attachment, or both.
A malicious link typically takes you to a bogus website to trick you into entering banking credentials or providing confidential information. A malicious attachment infects your system with malware. These are a phisher’s most basic tools—be on the lookout.
Rarely is there a good reason to click a link in an email, whether it’s valid or not. Let’s say you receive an email from your bank asking you to click a link to verify some information. Instead of clicking, type your bank’s web address directly into your browser and check to see if you have any messages. If the link is to something more specific, such as an article, search for it online and navigate to it safely.
Be suspicious of any link in an email, whether in the text of the email or in the sender’s signature. Hover over it to see the URL preview at the bottom of the screen. Does it make sense? Is it pointing to the expected address? Is it suspicious in any way?
Quick takeaway: Think before you click an email link.
A malicious attachment is any type of document embedded in an email (think a Word doc or PDF) that includes malware or other means for an attacker to gain access to your network.
Email attachments can be ticking time bombs. You open an attachment and nothing out of the ordinary happens—for now. It may be that you’ve allowed an advanced persistent threat (APT) into your network whereby attackers access your systems and methodically take action over an extended period of time. It’s not until months or even years later that you realize you’ve been breached.
Always be wary of unexpected email attachments and contact the sender via secondary means (phone call, text message) to verify legitimacy if you have any doubts. If your company continually exchanges sensitive data through email attachments, consider using a secure cloud storage platform or virtual data room software instead so you can share documents in a secure, encrypted environment.
Quick takeaway: Consider if an attachment might be entrapment.
Email spoofing is one of the most common phishing email tactics. An impostor creates an email that appears to come from a known entity or trusted brand, such as a financial institution. And while today’s spoofed emails don’t typically include glaring grammatical or spelling errors, they often contain multiple inconsistencies and usage errors, sometimes resulting from poor translation or fabricated details.
Spoofed email headers with convincing graphics and logos put you at ease while a misleading domain name makes the scam even more persuasive. A message that pressures you to take action or provokes interest (you’ve won!) completes the scam.
Bogus domain names might be slightly misspelled so you read right past them without noticing. For example, a cybercriminal might register the domain name arnazon.com using the letters r and n to form “rn” in place of the letter “m” so the recipient doesn’t notice the deceptive URL, believing the email came from Amazon.
Cybercriminals also register domain names that are similar to a known entity, such as amazonstore.com (which Amazon smartly purchased for just this reason), easily mistyped (yahooo.com), or that use an alternate top-level domain such as .app instead of .com.
Quick takeaway: Examine the sender to determine if they’re a pretender.
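The lookalike-domain tricks described above (the “rn” for “m” substitution, an extra word tacked onto the brand, a one-letter typo, an alternate top-level domain) can be caught mechanically before a person ever has to squint at the address. The following is an added example, not code from GetApp or from this article; the TRUSTED allowlist and the CONFUSABLES table are constructed assumptions, and the classifier deliberately goes a little beyond the article by handling all four tricks in one pass.

```python
"""Lookalike-domain check for the tricks the article describes (arnazon.com,
amazonstore.com, yahooo.com, alternate TLDs). Added example, not GetApp's code."""

# Brands and the domains they are known to send from: a constructed allowlist
# (assumption), not a statement about what these companies actually own.
TRUSTED = {
    "amazon": {"amazon.com"},
    "yahoo": {"yahoo.com"},
    "capitalone": {"capitalone.com"},
}

# Letter sequences that read as another letter in many fonts ("rn" for "m").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def split_domain(domain: str):
    """Return (second-level label, TLD) of a bare domain such as 'arnazon.com'.
    Two-label public suffixes (co.uk) are out of scope for this example."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2], labels[-1]


def skeleton(label: str) -> str:
    """Collapse confusable sequences so 'arnazon' reads as 'amazon'."""
    for seq, letter in CONFUSABLES:
        label = label.replace(seq, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means a single-keystroke typo (yahooo, capitolone)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    """Return 'trusted', 'unrelated', or '<reason>:<brand>' for a lookalike."""
    label, tld = split_domain(domain)
    if any(domain.lower() in known for known in TRUSTED.values()):
        return "trusted"
    for brand in TRUSTED:
        if label == brand:
            return f"alternate-tld:{brand}:.{tld}"   # right name, wrong TLD (.app, .info)
        if skeleton(label) == brand:
            return f"confusable-characters:{brand}"  # arnazon -> amazon
        if len(brand) >= 5 and edit_distance(label, brand) == 1:
            return f"typo:{brand}"                   # yahooo, capitolone
        if brand in label:
            return f"brand-embedded:{brand}"         # amazonstore
    return "unrelated"


if __name__ == "__main__":
    for d in ("amazon.com", "arnazon.com", "amazonstore.com", "yahooo.com",
              "amazon.app", "capitolone.info", "example.org"):
        print(f"{d:18} {classify(d)}")
```

The order of the checks matters: the exact-name test runs first so that a correctly spelled brand on a different TLD is reported as such rather than as a typo, and the single-edit typo test runs before the substring test so that yahooo.com is reported as a typo of yahoo rather than as a domain that merely contains the word. A real deployment would replace the toy allowlist with the organisation’s own list of trusted sending domains and apply the check to the sender address of every inbound message.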
Another goal of a phishing email is to keep you off-balance so you don’t think twice before clicking a link, downloading an attachment, or giving out personal information. That’s why you can usually spot a phishing email by its pressure to take action or its attempt to convince you that you’ve been victimized by some sort of breach or cyberattack—when the attack is right there in front of you.
This tactic is a type of social engineering that preys on your human nature. Don’t fall for it.
Quick takeaway: Always be suspicious of a message that piques your interest.
Now that we’ve reviewed how to spot phishing emails, let’s take a look at a mock phishing test created for this article.
You’ve just received an email from your bank alerting you to a problem with your account. See if you can identify all of the indicators that this is a phishing scam (answers are at the bottom of the page).
Capital One cardmember alert,
We detected an unusual behavior on your account. A suspicious log in attempt was made from an unrecognized source. Our security team believes your account might be compromised.
Log-in details
Country: Malta
IP Address: 62.162.111.101
Date: 21/09/2020
If this was you, please disregard this message. If you do not recognize this activity, please change your password immediately.
Kind regards
CapitalOne security team
Email is fundamentally vulnerable to phishing due to the interoperability of various email providers. In other words: you can send an email from a Gmail account to a ProtonMail account without an issue. This makes authentication difficult because most email standards—such as Simple Mail Transfer Protocol (SMTP)—were never intended to verify the sender or authenticate email addresses. And while a spam filter and other email security strategies can stop most phishing emails from getting through, they won’t stop them all.
Unfortunately, it only takes one person to compromise an entire company by clicking on a malware-laden attachment or handing over their network login credentials to a cybercriminal. It’s critical that all employees learn how to spot phishing emails.
Remember to:
Double-check the sender’s email address
Check for grammatical and spelling mistakes
Ensure salutations are used correctly
Beware of emails that create a sense of urgency or spike your curiosity
Hover over URLs in the email body to check where the URL actually takes you
Refrain from downloading unexpected email attachments
Guard sensitive data and be suspicious of any email that requests personal information
To learn how to protect your company from advanced social engineering attacks such as spear phishing and business email compromise (BEC), read our guides:
Test answers:
The sender’s email address is @capitolone instead of @capitalone.
It is unlikely that a well-known bank would use .info as their top-level domain.
The use of “an unusual behavior” is an error that might result from poor translation.
Hyphenation for the term “log in” is inconsistent.
Maltese IP addresses begin with a 2 or a 5. The IP address listed would be based in North Macedonia, indicating poorly fabricated details.
The date is provided in dd/mm/yyyy format instead of mm/dd/yyyy which is standard in the U.S.
The message pressures the recipient to take immediate action.
The comma is missing after “Kind regards.”
Capital One is two words when it first appears and one word when it appears a second time.
The underlying URL for the change password link is a Rick roll, an internet scam nearly as old as phishing itself. Were this an actual phishing email, the link likely would have brought you to a bogus login page where you might have entered your personal details and compromised your bank account.
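Several of the indicators in the test answers above (the misspelled sender domain, the .info top-level domain, a link whose real target is not the bank’s site, the dd/mm/yyyy date, the urgency language, and the two spellings of the bank’s name) are exactly the kind of thing a mail gateway or a SOC triage script can check without a human reading the message. The following is an added example, not GetApp’s code: it re-creates the mock alert as a raw message (the sender address is constructed to match the answers, @capitolone on .info, and the reset link points at a placeholder host rather than the URL the article used), then runs the checks over it. The allowlist, expected TLDs and urgency word list are assumptions.

```python
"""Indicator scan over the article's mock bank alert. Added example, not GetApp's
code; the allowlist, urgency word list and reset-link host are assumptions."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAINS = {"capitalone.com"}   # constructed allowlist of the bank's sending domains
EXPECTED_TLDS = {"com"}             # assumption: a U.S. bank mails from .com
BRAND_NAME = "Capital One"
URGENCY_WORDS = ("immediately", "suspicious", "compromised", "act now")

# Constructed reproduction of the mock alert. The sender address matches the
# article's answers (@capitolone, .info); the link host is a placeholder, not
# the URL the article used.
MOCK_EMAIL = """\
From: Capital One <security@capitolone.info>
To: cardmember@example.com
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Capital One cardmember alert,</p>
<p>We detected an unusual behavior on your account. A suspicious log in attempt
was made from an unrecognized source. Our security team believes your account
might be compromised.</p>
<p>Log-in details<br>Country: Malta<br>IP Address: 62.162.111.101<br>Date: 21/09/2020</p>
<p>If this was you, please disregard this message. If you do not recognize this
activity, please <a href="https://example.net/reset">change your password</a> immediately.</p>
<p>Kind regards<br>CapitalOne security team</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a>, so the real target can be
    compared with what the reader sees, the way hovering over a link does."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan(raw: str) -> list:
    """Return the list of phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sender checks: domain must be one the bank really uses, on an expected TLD.
    sender_domain = msg["from"].addresses[0].domain.lower()
    if sender_domain not in BANK_DOMAINS:
        findings.append(f"sender-domain-not-allowlisted:{sender_domain}")
    tld = sender_domain.rsplit(".", 1)[-1]
    if tld not in EXPECTED_TLDS:
        findings.append(f"unusual-tld:.{tld}")

    # Link check: where does each link really go?
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host and host not in BANK_DOMAINS:
            findings.append(f"link-off-brand-host:{host} ({text!r})")

    # Content checks on the tag-stripped text.
    plain = re.sub(r"<[^>]+>", " ", body)
    if any(word in plain.lower() for word in URGENCY_WORDS):
        findings.append("urgency-language")
    for day, month, year in re.findall(r"\b(\d{2})/(\d{2})/(\d{4})\b", plain):
        if int(day) > 12:   # cannot be mm/dd, so the writer used dd/mm/yyyy
            findings.append(f"non-us-date-format:{day}/{month}/{year}")
    spellings = {v for v in (BRAND_NAME, BRAND_NAME.replace(" ", "")) if v in plain}
    if len(spellings) > 1:
        findings.append("inconsistent-brand-spelling")
    return findings


if __name__ == "__main__":
    for finding in scan(MOCK_EMAIL):
        print(finding)
```

The answers that depend on human judgement (poor translation, the inconsistent hyphenation of “log in”, the missing comma, the geolocation of the IP address) are deliberately left out; the point of the script is to surface the machine-checkable indicators so that a reviewer or a mail filter can act on the message before anyone clicks the link.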
Survey methodology
*GetApp’s 2023 Data Security Survey was conducted in August 2023 among 872 respondents to learn more about data security practices at U.S. businesses. All respondents were screened for full-time employment at U.S. businesses. 362 respondents identified as IT management professionals and 271 identified as IT security managers.
Zach Capers