How to Identify Phishing Emails: 10 Techniques Attackers Use
Phishing emails have gotten much harder to spot. The obvious typos and Nigerian prince scams still exist, but the attacks targeting businesses today are far more polished. Here are the techniques attackers use and how to catch them.
1. Spoofed Email Addresses
Attackers forge the sender’s email address to make it look like it’s coming from someone you trust. They use subtle substitutions that are easy to miss at a glance:
- rn instead of m (looks identical in many fonts)
- 1 instead of l
- .co instead of .com
How to catch it: Hover over the sender’s name to see the actual email address. Compare it character by character against known addresses.
2. Homoglyph Attacks
Homoglyph URLs use characters from other alphabets (Cyrillic, Greek) that look identical to Latin characters. For example, аpple.com written with a Cyrillic “a” looks exactly like apple.com but leads to a completely different server.
How to catch it: Don’t click links in emails. Navigate to websites directly by typing the URL yourself or using a bookmark.
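The character-by-character comparison from techniques 1 and 2 can also be automated on the receiving side. The following Python sketch is an added example, not part of the original article: it compares a bare sender address against an allow-list and reports the rn/m, 1/l, .co/.com and mixed-script tricks described above. The `TRUSTED` list, the `CONFUSABLES` subset and the sample addresses are constructed assumptions.

```python
import unicodedata

# Constructed allow-list (assumption): replace with domains you actually trust.
TRUSTED = {"microsoft.com", "apple.com", "paypal.com"}

# Small illustrative subset of cross-script look-alikes, not the full
# Unicode confusables table (UTS #39).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u03bf": "o"}


def skeleton(domain):
    """Collapse look-alike characters so visually similar domains compare equal."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())
    # ASCII substitutions named in the article: "rn" for "m", "1" for "l".
    return folded.replace("rn", "m").replace("1", "l")


def scripts(domain):
    """Unicode scripts used by the letters, taken from each character's name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in domain if ch.isalpha()}


def check_sender(address):
    """Return a list of findings for the sender's domain; empty means no match."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED:
        return []
    findings = []
    used = scripts(domain)
    if used - {"LATIN"}:
        findings.append("non-Latin letters: " + ", ".join(sorted(used)))
    for trusted in sorted(TRUSTED):
        if skeleton(domain) == skeleton(trusted):
            findings.append("look-alike of " + trusted)
        elif domain and trusted.startswith(domain):
            findings.append("truncated form of " + trusted)
    return findings


if __name__ == "__main__":
    # Constructed sample sender addresses.
    for sender in ["billing@rnicrosoft.com", "support@\u0430pple.com",
                   "it@microsoft.co", "it@microsoft.com", "bob@example.org"]:
        print(sender, "->", check_sender(sender) or "no look-alike detected")
```

An empty result only means the domain does not imitate an allow-listed one; it says nothing about whether an unknown sender is legitimate.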
3. Compromised Legitimate Accounts
Attackers gain access to a real email account and send phishing messages from it. Since the sender is genuine, standard email checks won’t flag it.
How to catch it: Watch for messages that seem out of character for the sender, unexpected requests, or communications at unusual times. Verify unusual requests through a separate channel.
4. Personalized Content (Spear Phishing)
Using data from social media, LinkedIn, data breaches, or company websites, attackers craft messages tailored to you specifically. They reference real projects, colleagues, or events to build credibility.
How to catch it: Be suspicious of unexpected messages even if they reference real details about your work. Attackers research their targets.
5. HTTPS and Security Indicators
Phishing sites now routinely use HTTPS with valid certificates. The padlock icon means the connection is encrypted – it says nothing about whether the site is legitimate.
How to catch it: Never rely on the padlock icon alone. Check the full URL carefully. Better yet, navigate to websites directly rather than clicking email links.
6. Urgency and Emotional Manipulation
These messages are designed to trigger panic: “Your account has been compromised,” “Payment is overdue,” “Act within 24 hours or your data will be deleted.” The goal is to make you act before you think.
How to catch it: Treat urgency as a red flag, not a reason to rush. Legitimate organizations give you reasonable time to respond and provide multiple ways to verify the message.
7. Malicious Attachments in Common Formats
Attackers send PDFs, Word documents, Excel spreadsheets, and ZIP files that contain macros, scripts, or embedded malware. They often look like invoices, contracts, or reports.
How to catch it: Don’t open unexpected attachments. Verify with the sender through a separate channel. Keep macros disabled by default in Office applications.
8. Cloned Brand Emails
Attackers copy legitimate emails from companies like Microsoft, Google, DHL, or your bank pixel-for-pixel, then swap the links for malicious ones. The visual match is often perfect.
How to catch it: Inspect links before clicking (hover to see the destination). Be especially careful with password reset emails, delivery notifications, and account alerts you weren’t expecting.
9. Dynamic Personalization
These phishing emails automatically insert your name, company, job title, or other details pulled from public sources or stolen databases. This makes mass phishing look like a personal message.
How to catch it: Personalization alone doesn’t make an email legitimate. Focus on whether the request is expected and whether the sender address is verified.
10. Multi-Stage Attacks
The first email is completely harmless – a meeting request, a document share, a friendly introduction. It builds trust. The second or third message in the thread contains the actual attack: a malicious link or request for credentials.
How to catch it: Stay alert even in ongoing email threads. Attackers sometimes hijack real conversations after compromising one participant’s account.
Quick Reference Checklist
When evaluating any email, ask:
- [ ] Is this message expected, or did it arrive out of the blue?
- [ ] Does the sender’s full email address match who they claim to be?
- [ ] Is there pressure to act quickly or skip normal procedures?
- [ ] Am I being asked to click a link, open an attachment, or provide credentials?
- [ ] Can I verify this request through a different channel (phone call, in-person, separate email)?
- [ ] Does anything feel off, even if I can’t pinpoint what?
When in doubt, don’t click. Verify independently. Report it to your IT team. You can also forward suspicious emails to ForwardToSafety.com for verification before taking any action.