All posts by About Phishing

10 Tips on How to Identify a Phishing or Spoofing Email

Phishing attacks are more rampant than ever before, rising by more than 162 percent from 2010 to 2014. They cost organizations around the globe $4.5 billion every year and over half of internet users get at least one phishing email per day.

The best defense companies have against phishing attacks is to block malicious emails before they reach customers with the DMARC (Domain-based Message Authentication Reporting and Conformance) standard. Brands must also work with a vendor that can offer email threat intelligence data revealing attacks beyond DMARC (e.g., attacks that spoof their brand using domains outside of the company’s control).

Unfortunately, no matter what companies do, some phishing emails will always make it to the inbox. And those messages are extremely effective—97% of people around the globe cannot identify a sophisticated phishing email. That’s where customer education comes in.

Here are 10 tips on how to identify a phishing or spoofing email. Share them externally with your customers and internally with your company.

Tip 1: Don’t trust the display name
A favorite phishing tactic among cybercriminals is to spoof the display name of an email. Return Path analyzed more than 760,000 email threats targeting 40 of the world’s largest brands and found that nearly half of all email threats spoofed the brand in the display name.

Here’s how it works: If a fraudster wanted to spoof the hypothetical brand “My Bank,” the email may look something like:

Since My Bank doesn’t own the domain “,” DMARC will not block this email on My Bank’s behalf, even if My Bank has set their DMARC policy for to reject messages that fail to authenticate. This fraudulent email, once delivered, appears legitimate because most user inboxes only present the display name. Don’t trust the display name. Check the email address in the header from—if looks suspicious, don’t open the email.

Tip 2: Look but don’t click
Hover your mouse over any links embedded in the body of the email. If the link address looks weird, don’t click on it. If you want to test the link, open a new window and type in website address directly rather than clicking on the link from unsolicited emails.

Tip 3: Check for spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.

Tip 4: Analyze the salutation
Is the email addressed to a vague “Valued Customer?” If so, watch out—legitimate businesses will often use a personal salutation with your first and last name.

Tip 5: Don’t give up personal information
Legitimate banks and most other companies will never ask for personal credentials via email. Don’t give them up.

Tip 6: Beware of urgent or threatening language in the subject line
Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”

Tip 7: Review the signature
Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details.

Tip 8: Don’t click on attachments
Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.

Tip 9: Don’t trust the header from email address
Fraudsters not only spoof brands in the display name, but also spoof brands in the header from email address. Return Path found that nearly 30% of more than 760,000 email threats spoofed brands somewhere in the header from email address with more than two thirds spoofing the brand in the email domain alone.

Tip 10: Don’t believe everything you see
Phishers are extremely good at what they do. Just because an email has convincing brand logos, language, and a seemingly valid email address, does not mean that it’s legitimate. Be skeptical when it comes to your email messages—if it looks even remotely suspicious, don’t open it.

Want to learn how to block phishing threats before they reach your customers? Check out our guide, Getting Started with DMARC.


5 Facts About Phishing That Will Surprise You

1. Cybercriminals purchase SSL certificates

An SSL certificate allows website operators to run their websites over HTTPS. HTTPS ensures that the data between your web browser and the website you’re visiting are encrypted and are not sent in plain text. While legitimate companies will setup HTTPS for their sites, cybercriminals will also implement HTTPS to appear credible.

Ask yourself these questions to stay safe online:

  • Is the address in my toolbar the correct address for the website that I want to be on?
  • Is there a picture of a lock in the address bar to let you know the website uses HTTPS? (example image shown below)
  • Did your web browser alert you to an error with the “security certificate”? If you ever see a certificate error in your web browser, make sure you’re on the correct website. Reporting this error to the targeted company helps to combat phishing

2. Phishers can hide the real address of websites using Javascript

JavaScript is a popular programming language used in websites. The key thing to be aware of here is that hovering over a link to see the address is not a failsafe way to prevent you from going to a bad website. Cybercriminals can change the actual address or even hide the address altogether. In general, it’s better to be aware of the sites you’re visiting and to do some research prior to conducting any business with the website.

3. Cybercriminals have graduated from grammar and spelling class!

The phishing toolkits available to cybercriminals these days can do everything from sending out mass emails to cloning actual websites and performing spelling checks. Phishing has become commercialized; so looking for poor grammar or misspellings is less relevant nowadays. To stay safe, just remember that the banks and retailers that you do business with will never contact you by email or phone and ask for login or personal information. When in doubt, contact the company by calling their official telephone number.

4. Today’s phishing kits can block search engine robots from seeing the phishing site

While phishing emails are less prevalent in our email inboxes thanks to industry advances such DMARC, the underground demand for phishing kits hasn’t likely decreased. Symantec reported over 800 phishing toolkits in the wild in their 2014 report and one of the features inside toolkits was the ability to prevent search engine robots from discovering the phishing content.

5. A phish that spoofs a given brand can involve dozens of unique domains

A domain name can be purchased for as little as $4 a year. At these costs, phishers can register dozens of domain names and stand up websites under a modest budget. When you’re online be sure to type in the correct address to the banks and retailers you do business with. It’s not uncommon for phishers to register misspelled variations to popular websites in the attempt to trick unsuspecting users. The actual practice of registering these spelling variations is typosquatting.