Phishing Awareness and Training For Employees: Prevent Email Fraud

Alex Cleary


Email is the primary means of communication for countless individuals and businesses alike, so it should be no surprise that some unscrupulous characters attempt to exploit the medium for personal gain. Learn how to spot every kind of phishing email with our easy-to-follow phishing awareness training.

You receive an email from a familiar website that claims there was an issue processing your payment method for a recent purchase, and asks you to resubmit your payment information. Two weeks later, you receive a call from your bank stating that there has been unusual activity coming from your account. You’ve just fallen victim to a phishing email scam.

We’ll show you how to identify and avoid phishing emails, what you should do if you open one, and how you can fortify your business against them. We’ll also show you how you can use ContactMonkey to try some phishing email awareness training.


What is a Phishing Email?

A phishing email is a deceptive email that attempts to trick the recipient into [1] providing personal information to the sender or [2] opening an attachment or link that installs malicious software onto the recipient’s computer.

Phishing emails disguise themselves as emails the recipient expects to receive, which can make spotting them tricky.

What does a phishing email try to do?

The goal of a phishing email is to trick the recipient into thinking that the phishing email is legitimate, so they won’t hesitate to enter personal information or open a link or attachment.

Most phishing emails try to collect your personal information. They do this by asking recipients to fill out forms in emails that appear to be legitimate. Phishing emails commonly pose as:

  • Receipts from online purchases
  • Emails from management or executives from your organization
  • Alerts of suspicious activity on an account belonging to you
  • Confirmation of personal information
  • Free offers or discount codes
  • Verifying personal information regarding a recent purchase

An email may appear to be from Apple, stating that the recipient’s payment information needs to be resubmitted, and will provide a form identical to those actually used by Apple. The recipient fills out the form, and their information is immediately sent to the person who sent the phishing email.

Pro Tip: External email tools like Mailchimp are not for internal communications. Use dedicated internal tools like ContactMonkey to supercharge employee emails.

Phishing emails are sometimes even less direct. When a recipient clicks on a link within a phishing email, they can allow the phishing email to install malicious software on their computer. The primary kinds of malicious software used in phishing emails include:

  • Spyware: an invisible program that records a user’s activity and sends it to a third party, such as logging the emails and passwords the user typed on their computer.
  • Ransomware: a program that locks the user’s computer until they pay a third party to “unlock” it.
  • Viruses: programs that reduce or prevent the functionality of the user’s computer.

Phishing Email Awareness and Training Tips

Although phishing emails are designed to appear legitimate, there are almost always telltale signs that the email you’re receiving isn’t what it purports to be.

Keep these following tips in mind the next time you receive an email that you suspect might be trying to steal your personal information.

How to spot a phishing email

If you receive a suspicious email or one that you didn’t expect, there are different aspects you can examine to determine if the email you received is a phishing email.

Verify the sender’s email address

The first thing to look at is who sent the email. Outlook and Gmail don’t always show the exact email address of the sender, opting instead to show the account name associated with the email address.

To verify that the email you received is actually from the account it purports to be, check the “From” field. If the email address doesn’t match the name shown in your inbox, you likely are dealing with a phishing email.

Check with other employees to see if they have also received a similar strange email. Because larger companies use distribution lists, email scams are usually sent to a number of employees rather than as one-offs. This creates a strong incentive to keep your distribution lists in Outlook up to date, as you want to prevent former employees from receiving phishing emails that they may fall for.

Check for typos and weird email formatting

Many phishing emails are hastily made, as the scammer will make numerous versions to imitate different “real” emails. If you spot weird grammar or spelling mistakes in the email subject line or body copy, it’s likely that this email is not what it purports to be.

Also keep an eye out for random bits of numbers, letters, or HTML code. Again, those sending phishing emails are not as rigorous in their email design as actual companies, so always keep an eye out for stray code.

Verify the hyperlinks in the email are legitimate

Phishing emails require the recipient to take some action in order to divulge their personal information. The most common method is to ask the user to follow a hyperlink.

Never click on a hyperlink that appears suspicious to you. When you open a hyperlink from an email in your browser, you can allow that webpage to access information about you like your IP address. It can also trigger an unwanted download onto your computer.

Always test hyperlinks before you open them. You can do this by right-clicking the hyperlink and selecting “Copy Link”. Then paste the link into a text file to view it. If the URL does not match what the email claims to be (e.g. an email from Amazon should almost always link to an Amazon-related URL), you’ve probably found a phishing email.
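The two checks described above (does the sender’s address match the name shown, and does each link point where it claims to) can be automated for a raw email you have saved to disk. The following Python script is an added example written for this article; it is not code from ContactMonkey. It parses the message with the standard library, compares the display name in the “From” field with the sender’s address domain, and compares each hyperlink’s visible text (or the brand it names) with the host its href actually points to. The sample messages, addresses and domains in it are constructed for illustration, and the brand-to-domain table is a hypothetical allowlist you would fill in for the senders your organisation actually expects.

```python
"""Added example: automate two of the checks above on a raw email.
1. Does the display name in "From" name a brand whose real domain differs from the address domain?
2. Does a hyperlink's visible text (or the brand it names) disagree with the host the href points to?
All addresses, domains and messages below are constructed samples."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: brands your users expect mail from and the domains those brands really send from.
KNOWN_BRANDS = {"amazon": {"amazon.com"}, "apple": {"apple.com"}, "ups": {"ups.com"}}

# Constructed phishing sample: a brand in the display name, an address on an unrelated domain,
# and link text that shows an Amazon URL while the href goes elsewhere.
SAMPLE_EMAIL = """\
From: "Amazon Customer Service" <billing-update@mail-secure-check.example>
To: employee@corp.example
Subject: Action required: payment failed
Content-Type: text/html

<html><body>
<p>We could not process your payment. Please update it here:</p>
<a href="http://verify-account.example/login">https://www.amazon.com/account</a>
</body></html>
"""

# Constructed legitimate sample for comparison: name, address domain and link all agree.
LEGIT_EMAIL = """\
From: "Amazon" <order-update@amazon.com>
To: employee@corp.example
Subject: Your order has shipped
Content-Type: text/html

<html><body><a href="https://www.amazon.com/orders">View your order</a></body></html>
"""


def registrable_domain(host):
    """Keep the last two labels: 'www.amazon.com' -> 'amazon.com' (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_mentioned(text):
    """Return the first known brand that appears as a whole word in text, or None."""
    for brand in KNOWN_BRANDS:
        if re.search(r"\b" + re.escape(brand) + r"\b", text.lower()):
            return brand
    return None


def host_belongs_to(host, brand):
    return registrable_domain(host) in KNOWN_BRANDS[brand]


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def html_body(msg):
    """Return the decoded text/html part (the message itself when it is not multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def check_sender(msg):
    """Flag a display name that names a brand whose domain differs from the address domain."""
    name, addr = parseaddr(msg.get("From", ""))
    brand = brand_mentioned(name)
    if brand is None or "@" not in addr:
        return []
    host = addr.rsplit("@", 1)[1]
    if host_belongs_to(host, brand):
        return []
    return [f"display name claims {brand!r} but the address domain is {host!r}"]


def check_links(msg):
    """Flag links whose visible text or named brand disagrees with the href host."""
    parser = LinkCollector()
    parser.feed(html_body(msg))
    findings = []
    for text, href in parser.links:
        href_host = urlparse(href).hostname or ""
        # Link text that is itself a URL must point at the host it shows.
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registrable_domain(shown) != registrable_domain(href_host):
            findings.append(f"link text shows {shown!r} but points to {href_host!r}")
            continue
        # Otherwise a brand named in the link text or subject should own the link's host.
        brand = brand_mentioned(text) or brand_mentioned(msg.get("Subject", ""))
        if brand and not host_belongs_to(href_host, brand):
            findings.append(f"link mentions {brand!r} but points to {href_host!r}")
    return findings


def analyze(raw):
    """Return human-readable warnings; an empty list means neither indicator was found."""
    msg = email.message_from_string(raw)
    return check_sender(msg) + check_links(msg)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the constructed phishing sample it reports two warnings (the sender domain and the mismatched link); the legitimate sample produces none. An empty result only means these two indicators are absent, so it complements, rather than replaces, the other checks in this section.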


Never open suspicious email attachments

Some phishing emails will encourage recipients to download an attachment in order to steal their information.

Never open an email attachment from an email if it seems suspicious. Even if you are sure that you have received a phishing email, don’t even test the attachment to see what it is. Downloading a file can allow it to access other files and information on your computer and cause significant damage.

Spotting “well-made” phishing emails

The majority of phishing emails you’ll receive will have at least one of the indicators previously mentioned. But occasionally you’ll receive an email that really appears to be legitimate: the email and account name match, the design is the same as other emails you’ve received from that sender, and the hyperlinks match the information in the email.

If the email appears to be legitimate, question why you’re receiving this email at this time. Popular websites that phishing emails imitate, like Apple and Amazon, rarely ask users to verify information via email.

If you’re not sure, it’s best to contact your IT team to have them take a look at it. Never click on anything in an email that you think is suspicious.

Testing a phishing email link

If you cannot consult an IT team and have reason to believe that the email might be legitimate, there are ways you can test it.

But first, a disclaimer: test phishing emails at your own risk; the best course of action for a suspicious email is to delete it. If the sender is legitimate, they will almost always send you another email.

To test a phishing email, use a device that you wouldn’t mind being rendered unusable. If possible, use a mobile device to open a link in a phishing email, as mobile devices are less susceptible to automatically downloaded malicious software (though not immune).

Open the phishing email link on your test device. Most phishing email links will lead to online forms that ask you to enter your personal and financial information. Though these forms may look identical to the legitimate ones from real websites, there is an easy test to verify this.

Fill out the form with fake information: random letters and numbers in each field. See if the form highlights incorrectly formatted entries, as legitimate websites have restrictions to ensure people enter correctly formatted phone numbers, addresses, credit card numbers, etc.

Most phishing forms do not have these restrictions, and will let you enter incorrectly formatted information (e.g. letters in a form field asking for a phone number). Try submitting your fake information to the form to see if it advances to the next webpage.

For almost every phishing email, the webpage will advance to the next one without error, sometimes even showing a “completed” confirmation page containing your fake information. If this happens when testing a suspicious email link, you’ve found a phishing email.


Phishing email examples for training

Now that you know how to identify phishing emails, let’s look at some common phishing email examples. We’ll look at both external and internal phishing email scams, as they are quite different.

External phishing emails

These are the phishing emails you’ve likely received in your personal inbox. These emails are targeted at large groups of people, and usually attempt to imitate the email format from popular platforms like Apple, Amazon, UPS, and others.

This is a particularly elaborate UPS phishing email:

The clean layout, the colours, the tracking number; all these features help sell the “legitimacy” of this email. But let’s look at what gives this phishing email away:

  • The most obvious indicator of this phishing email is the sender. Usually, these types of emails have a format like “no-reply@domain.com”.
  • The first parenthesis comes directly after the word “Failed”, where there should be a space before the opening parenthesis.
  • Every subscriber-based email must legally include an unsubscribe option. The link at the bottom of this phishing email says “Opt Out”, which is not a common way to phrase an unsubscribe message.
  • Testing the URL in a text file, we learn that the button links to a bizarre URL, rather than a UPS-based URL.

In retrospect, all the signs of this phishing email can seem obvious. And that’s a necessary hurdle for phishing scammers: they’re after quantity not quality, and it’s not worth their time creating the perfect phishing email if their half-efforts can convince even one person to enter their actual information.


But there is another variety of phishing email that is much trickier to spot: internal phishing emails.

Internal phishing emails

Internal phishing emails attempt to trick employees of a company by pretending to be someone from within the company. A common internal phishing email is someone pretending to be the CEO of a company requesting information from employees:

These can be much trickier to spot. Company email addresses are often publicly available, which lets the scammer accurately imitate the sending address and makes the internal phishing email appear legitimate. Since these phishing emails often imitate legitimate employee communications, there is no faulty formatting or weird links to give away the game. Sometimes there isn’t a link at all; the email instead requests information via a reply.

The best way to detect an internal phishing email is to scrutinize the request itself. Ask yourself: why would the CEO be requesting this information from me? Why is this internal email being sent now? Did other employees receive this email too? These are all questions you should ask yourself when you encounter a suspicious email in your work inbox.

If you suspect you’ve received a phishing email in your employee inbox, immediately alert your IT department.

What to do if you open a phishing email

Even the most diligent email user can get fooled by a phishing email. Most of the time you’ll be fine if you only view a phishing email within your inbox, as long as you don’t click on any links or attachments. And even if you end up following a link, you’ll often be fine as long as you don’t provide any personal information.

But phishing emails can be far more malicious, and dangerous. For phishing emails attempting to install spyware, ransomware, or viruses on your computer, sometimes all it takes is a click. If you think that you’ve exposed your computer to a malicious program via phishing emails, follow these precautions:

  1. Alert your IT department immediately. It’s likely you’re not the only person to receive this email, and your IT department will alert your organization of the threat.
  2. Disconnect your computer from all networks and attached storage drives. Either shut down your computer or run a virus scan.
  3. If you provided information to a phishing email, take steps to safeguard your information. Change/reset passwords, or alert your bank if you provided financial information.

Fortunately, the egregious examples of ransomware completely locking up computers are relatively rare; few phishing emails have the capabilities to cause serious damage. Despite this, you should always be diligent in detecting and reporting phishing emails.

How to Report a Phishing Email

Businesses large and small are concerned about phishing emails, and will have procedures in place to address their threat. If you come across a phishing email sent to your work email, follow the steps we outlined in the previous section.

However, if you receive a phishing email to your personal inbox there are steps you can take beyond simply deleting the email. For those in the United States, the FTC provides a web page that allows people to report fraudulent emails, including phishing emails.

In Canada, there is a similar system in place called the Canadian Anti-Fraud Centre. Follow the steps on their website to report any phishing emails you receive to your personal or business inbox. With every report you’re making the internet a safer place for everyone!

Email template for phishing awareness

Preventing phishing scams at your business should be a cornerstone of your IT security strategy. Be sure to alert your employees of the threat posed by phishing emails, give them an easy way of reporting phishing emails they receive, and regularly test their phishing security awareness.

Pro Tip: Target the right employees with the right information using ContactMonkey’s Human Resource Information System (HRIS) integration.

Using ContactMonkey’s email template builder, you can create fake internal phishing emails and track how many of your employees correctly applied their phishing training. Design an email template that contains the hallmarks of phishing email (misspellings, strange formatting, suspicious link/hypertext) and send it to your employees:

Within your analytics dashboard, you can track how many of your employees opened the email, how many of them clicked on a link, or replied to it with sensitive information. We recommend sending these test emails at random times throughout the year to keep your employees sharp at spotting phishing emails.

Don’t Get Phished Ever Again

Phishing emails are always frustrating, and present a real risk to your business and employees. Now that you have strategies to detect and report phishing emails, share this information with your employees to help their efforts.

IT security is a collective, ongoing process. Ensure that your employees are up-to-date on your company’s latest phishing training, and stay on top of the latest news around internet security. It may just end up saving your business countless hours and resources.

Let your employees report phishing emails directly from their inboxes with ContactMonkey’s best email management software. Book a free demo to see how easy it is to build a phishing report email:
