How to Spot Phishing Emails—A Brief Guide

Sep 14, 2023

Some fraudulent emails are obvious while others are more complicated. Take our test to find out how well you can spot a phishing scam.

Zach CapersSr Specialist Analyst
How to Spot Phishing Emails—A Brief Guide

Phishing tactics are constantly evolving and becoming more sophisticated. Modern phishing schemes involve everything from social media messages to vishing (voice phishing) and deep fake technology. But its original form, the humble phishing email, remains a potent cybersecurity threat to your business that must not be overlooked.

GetApp’s 2023 Data Security Survey* finds that top vulnerability IT security managers are currently struggling with is susceptibility to phishing and social engineering schemes. What’s more, IT security managers are most concerned about advanced phishing attacks heading into 2024. For these reasons, we’ve created this guide to help to mitigate phishing threats that expose your company to everything from malware infection to data breaches, account takeovers to ransomware attacks.

What are phishing emails?

Phishing emails are bogus messages intended to manipulate you into clicking a link, downloading an attachment, or providing sensitive data such as network credentials or financial information. These fraudulent emails typically include either a malicious link, a malicious attachment, or both.

A malicious link typically takes you to a bogus website to trick you into entering banking credentials or providing confidential information. A malicious attachment infects your system with malware. These are a phisher’s most basic tools—be on the lookout.

Avoid clicking malicious links

Rarely is there a good reason to click a link in an email, whether it’s valid or not. Let’s say you receive an email from your bank asking you to click a link to verify some information. Instead of clicking, type your bank’s web address directly into your browser and check to see if you have any messages. If the link is to something more specific, such as an article, search for it online and navigate to it safely.

Be suspicious of any link in an email, whether in the text of the email or in the sender’s signature. Hover over it to see the URL preview at the bottom of the screen. Does it make sense? Is it pointing to the expected address? Is it suspicious in any way?

Quick takeaway: Think before you click an email link.

Steer clear of malicious attachments

A malicious attachment is any type of document embedded in an email (think a Word doc or PDF)  that includes malware or other means for an attacker to gain access to your network.

Email attachments can be ticking time bombs. You open an attachment and nothing out of the ordinary happens—for now. It may be that you’ve allowed an advanced persistent threat (APT) into your network whereby attackers access your systems and methodically take action over an extended period of time. It’s not until months or even years later that you realize you’ve been breached.

Always be wary of unexpected email attachments and contact the sender via secondary means (phone call, text message) to verify legitimacy if you have any doubts. If your company continually exchanges sensitive data through email attachments, consider using a secure cloud storage platform or virtual data room software instead so you can share documents in a secure, encrypted environment.

Quick takeaway: Consider if an attachment might be entrapment.

Guard against email spoofing and fear tactics

Email spoofing is one of the most common phishing email tactics. An impostor creates an email that appears to come from a known entity or trusted brand, such as a financial institution. And while today’s spoofed emails don’t typically include glaring grammatical or spelling errors, they often contain multiple inconsistencies and usage errors, sometimes resulting from poor translation or fabricated details.

Spoofed email headers with convincing graphics and logos put you at ease while a misleading domain name makes the scam even more persuasive. A message that pressures you to take action or provokes interest (you’ve won!) completes the scam.

Watch out for bogus domain names

Bogus domain names might be slightly misspelled so you read right past them without noticing. For example, a cybercriminal might register the domain name using the letters r and n to form “rn” in place of the letter “m” so the recipient doesn’t notice the deceptive URL, believing the email came from Amazon.

Cybercriminals also register domain names that are similar to a known entity such as (which Amazon smartly purchased for just this reason), easily mistyped (, or use an alternate top-level domain such as .app instead of .com.

Quick takeaway: Examine the sender to determine if they’re a pretender.

Don’t give in to pressure

Another goal of a phishing email is keep you off-balance so you don’t think twice before clicking a link, downloading an attachment, or giving out personal information. That's why you can usually spot a phishing email by its pressure to take action or attempt to convince you that you’ve been victimized by some sort of breach or cyberattack—when the attack is right there in front of you.

This tactic is a type of social engineering that preys on your human nature. Don’t fall for it.

Quick takeaway: Always be suspicious of a message that piques your interest.

Test your ability to spot a phishing email

Now that we’ve reviewed how to spot phishing emails, let’s take a look at a mock phishing test created for this article.

You’ve just received an email from your bank alerting you to a problem with your account. See if you can identify all of the indicators that this is a phishing scam (answers are at the bottom of the page).

‘Support’ via Security Team <>

Capital One cardmember alert,

We detected an unusual behavior on your account. A suspicious log in attempt was made from an unrecognized source. Our security team believes your account might be compromised.

Log-in details

Country: Malta

IP Address:

Date: 21/09/2020

 If this was you, please disregard this message. If you do not recognize this activity, please change your password immediately.

Kind regards

CapitalOne security team

Protect sensitive information to avoid a bad situation

Email is fundamentally vulnerable to phishing due to the interoperability of various email providers. In other words: you can send an email from a Gmail account to a ProtonMail account without an issue. This makes authentication difficult because most email standards—such as Simple Mail Transfer Protocol (SMTP)—were never intended to verify the sender or authenticate email addresses. And while a spam filter and other email security strategies can stop most phishing emails from getting through, they won’t stop them all.

Unfortunately, it only takes one person to compromise an entire company by clicking on a malware-laden attachment or handing over their network login credentials to a cybercriminal. It’s critical that all employees learn how to spot phishing emails.

Remember to:

  • Double-check the sender’s email address

  • Check for grammatical and spelling mistakes

  • Ensure salutations are used correctly

  • Beware of emails that create a sense of urgency or spike your curiosity

  • Hover over URLs in the email body to check where the URL actually takes you

  • Refrain from downloading unexpected email attachments

  • Guard sensitive data and be suspicious of any email that requests personal information

To learn how to protect your company from advanced social engineering attacks such as spear phishing and business email compromise (BEC), read our guides:

Phishing Test Answers and Survey Methodology

Test answers:

  1. The sender’s email address is @capitolone instead of @capitalone.

  2. It is unlikely that a well-known bank would use .info as their top-level domain.

  3. The use of “an unusual behavior” is an error that might result from poor translation.

  4. Hyphenation for the term “log in” is inconsistent.

  5. Maltese IP addresses begin with 2 or a 5. The IP address listed would be based in North Macedonia, indicating poorly fabricated details.

  6. The date is provided in dd/mm/yyyy format instead of mm/dd/yyyy which is standard in the U.S.

  7. The message pressures the recipient to take immediate action.

  8. The comma is missing after kind regards.

  9. Capital One is two words when it first appears and one word when it appears a second time.

  10. The underlying URL for the change password link is a Rick roll, an internet scam nearly as old as phishing itself. Were this an actual phishing email, the link likely would have brought you to a bogus login page where you might have entered your personal details and compromised your bank account.

Survey methodology

*GetApp’s 2023 Data Security Survey was conducted in August 2023 among 872 respondents to learn more about data security practices at U.S. businesses. All respondents were screened for full-time employment at U.S. businesses. 362 respondents identified as IT management professionals and 271 identified as IT security managers.

About the author

Zach Capers

Sr Specialist Analyst
Zach Capers is a senior analyst at GetApp, covering IT security, data privacy, and emerging technology trends. A former internal investigator for a Fortune 50 company and researcher for the Association of Certified Fraud Examiners (ACFE), his work has been featured in publications such as Forbes, Business Insider, and Journal of Accountancy.
Visit author's page