4 ways to identify a phishing email

There’s a saying: “If it’s not broke, don’t fix it.” Cyber criminals must take this adage to heart because they keep using phishing attacks, and employees continue to take the bait.

Phishing was used to gain access to an organization’s network in 41% of all attacks last year, making it the top infection vector, per IBM’s 2022 X-Force Threat Intelligence Index. According to a recent Proofpoint study, 83% of companies fell victim to a successful email-based phishing attack in 2021 – 46% more than the year before.

The reason for this burgeoning success rate is simple: Humans remain cybersecurity’s biggest adversary. From social engineering attacks to human error to the misuse of privileges, the “human element” is involved in 82% of breaches.

man standing before a chalkboard

Repeatedly reminding yourself not to open malicious emails sounds good in theory, but it’s not always that simple. An analysis of over 55 million emails discovered that one in every 99 emails is a phishing attack, while an Intel Security Quiz revealed that 97% of people can’t identify phishing emails.

Now’s the time to educate yourself on common tactics and signs so you can recognize a phishing email when it hits your inbox. Here are four key identifiers of a phishing email.

1. URL in email doesn’t match the business or individual

If the URL in the message fails to match up with the organization or person it claims to be, you probably shouldn’t trust the email. So, make sure you always cross-check the URLs.

Hover your cursor over the link – without clicking – to verify its legitimacy. An email from "Apple" redirecting you to a destination address like, "https://YourInfo.Now.com," for example, doesn't pass the smell test.

Any links that feel fishy (no pun intended), aren’t associated with the “real” company the sender says it is or don’t match the context of the email, are best left alone.

2. Email address and sender don’t line up

The “name” of the sender may seem authentic, but what about the email domain? These two should line up. It’s problematic if they don’t.

Hover your cursor over the “from” address and verify the email address matches the actual sender. You may know a “John Smith,” but if you receive an email from “John Smith <johnsmith@Hackers4Life.com>," there’s a good chance it’s not the same person.

3. Spelling and grammar mistakes

The hyperlinks contain misspellings of the actual domain name. The text in the body reads, “We regret inform you,” or “Take minute to fill form.” Spelling and grammatical mistakes are dead giveaways that something’s not right.

Look at the email carefully and pay close attention to how it’s written. If it reads like something that should be marked up with a lot of red ink, you have your answer.

4. Requests personal information

Many emails that request your personal information may appear legitimate, but don’t fall for them. Real companies don’t do this.

Refrain from supplying login credentials or personal identifiable information (PII) of any sort via email. If an email asks you for sensitive information or tells you to click on a link or download an attachment to fill it in, stop right there. It’s a trick.

Don’t fall hook, line and sinker

The average cost of a phishing attack is $4.65 million, and it only takes one employee to accidentally slip up to put your whole organization at risk.

Making sure they’re aware of these key identifiers of a phishing email is a good place to start, but there’s more you can do, beginning with education. Keep your employees abreast of the latest scams and phishing tactics and use mock phishing exercises as regular training.

The more sophisticated bad actors become, the more creative their phishing attacks will get. So, you must be ready to keep up with them. Do that, and you’ll be less likely to fall hook, line and sinker.