Phishing is used by cyber criminals to impersonate a trusted source (a person, brand or business) to entice users to disclose essential or sensitive information. The motive for gaining sensitive information can vary, but data theft and financial gain are the most popular reasons.
Phishing is successful from the cyber criminal’s point of view. But why?
Phishing emails have become increasingly sophisticated over recent years. Cyber criminals can clone business emails, play on the receiver’s emotions and send phishing emails out en masse.
Why phishing emails work:
- Emotional Triggers: Cyber criminals are adept at leveraging urgency and concern. They might send an “urgent account notification” or a “payment overdue” alert, capitalising on the instinctive reaction to resolve potential issues.
- Professional Appearance: These emails are often indistinguishable from genuine ones. With official-looking logos, consistent formatting, and language that mirrors legitimate business communication, they are designed to deceive.
- Mass Distribution: Hackers employ a scattergun approach. By sending out vast numbers of emails, even a tiny response rate translates into many victims. It’s a numbers game, and cyber criminals send a lot.
- Embedded Threats: Beyond luring you to click on deceptive links, some phishing emails contain malicious software that can compromise your device or network, even if you don’t provide personal information.
- Adaptive Tactics: Cyber criminals are continually learning. As consumers become savvy to one phishing method, hackers adopt new, more convincing strategies.
Phishing emails are the modern-day equivalent of the con artist, but with global reach and digital tactics. The key defence is awareness and taking a moment to verify before acting.
Phishing Email Examples
Recognising common phishing tactics is a significant step towards protection. We’ll walk through the 3 most common phishing email examples and one advanced example.
1. Bank Account Verification [Phishing Email Example 1]
“Dear [Bank Customer], We detected unusual activity on your account. To ensure your account is secure, please click the link below to verify your identity. [Suspicious Link] Regards, [Bank Name]”
- Generic greeting: Reputable organisations, especially banks, have the resources and information to personalise their communications. A generic greeting is often a major red flag.
- Urgent tone: By inducing panic or urgency, scammers hope victims won’t take the time to double-check the email’s legitimacy. Always take a moment to think critically, even when faced with worrying statements.
- Suspicious link: Before clicking on any link, hover your mouse over it. This displays the real URL, often revealing a mismatch with the link text or an odd-looking domain name. Take the time to review the sender’s email address just as carefully.
2. Package Delivery [Phishing Email Example 2]
“Dear [Your Name], Your package couldn’t be delivered because of an unpaid shipping fee. Click below to resolve the payment. [Suspicious Link] Regards, [Courier Service]”
- Unsolicited: Scammers often use surprise packages as bait. Always correlate such emails with recent online purchases or shipments you’re expecting.
- Payment requests: Legitimate couriers usually handle payments at the point of purchase or through official channels, not email links. If unsure, contact the courier directly for official advice.
3. Account Suspension [Phishing Email Example 3]
“Dear User, Your email account will be suspended due to inactivity. Please click the link below to confirm your activity. [Suspicious Link] Best, [Email Service Provider]”
- Threats or penalties: Using fear as a motivator is a common phishing strategy. Be wary of any email that threatens account suspension, fines, or penalties.
- Direct verification: Instead of using links in such emails, go directly to the service in question—like your email provider’s official website—and check your account status there.
Whilst these 3 examples are the most common, cyber criminals are becoming far more advanced. Here’s an advanced phishing email example:
DropBox Sign-In [Advanced Phishing Email Example]
Subject: [Alert] Unusual sign-in activity detected in your Dropbox account
From: firstname.lastname@example.org (Note: This domain is likely close to the actual one, often just a slight change that is easy to overlook.)
Dear [Your First Name],
We hope this email finds you well. We noticed an unusual sign-in attempt to your DropBox account from a device and location you don’t commonly use.
Details of the sign-in attempt:
- Date and Time: August 19, 2023, 2:45 PM BST
- Location: London, United Kingdom
- Device: iPhone 14
For your protection, we’ve temporarily halted this sign-in attempt. If this was you, kindly verify the sign-in through the button below to continue accessing your files. If not, we recommend updating your password and enabling two-factor authentication for an added layer of security.
[Verify Sign-In Attempt] (Note: This would be a malicious link leading to a fake login page.)
We appreciate your understanding and apologise for any inconvenience caused. Your security is paramount to us. For more details or if you believe this is an error, please contact our support directly through our official website or mobile application.
Best regards, DropBox Security Team
This email is crafted with several elements to make it seem authentic:
- Personalised greeting using the recipient’s first name.
- Detailed sign-in attempt information making it appear genuine.
- A sense of urgency to provoke immediate action.
- Professional tone and language to mirror genuine communications from service providers.
Remember, even with advanced phishing attempts, always verify through official channels and never click directly on links in such emails. For an in-depth phishing email example, check out the Microsoft OneDrive Scam.
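As an added example (not part of the original post), the Python checker below applies the indicators described above to a message: a generic greeting, urgency language, a sender domain that is one character away from the genuine one, and link text that disagrees with the URL it actually points to (what hovering over the link would reveal). The trusted-domain list, the sample addresses and the sample message are constructed assumptions modelled on the Dropbox example.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands we expect mail from (assumption: a defender-maintained allow-list).
TRUSTED_DOMAINS = ["dropbox.com", "microsoft.com", "paypal.com"]
URGENCY = re.compile(r"\b(urgent|suspend\w*|unusual|overdue|verify|immediately)\b", re.I)
GENERIC = re.compile(r"\bdear\s+(customer|user|client|account holder)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def lookalike(host):
    """Trusted domain that `host` imitates (e.g. one changed character), or None."""
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return None  # the genuine domain or one of its subdomains
    close = difflib.get_close_matches(host, TRUSTED_DOMAINS, n=1, cutoff=0.8)
    return close[0] if close else None

def score_email(raw):
    """Return the phishing indicators found in a single-part RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    if lookalike(sender):
        findings.append(f"sender domain {sender} resembles {lookalike(sender)}")
    if GENERIC.search(body):
        findings.append("generic greeting")
    if URGENCY.search((msg["Subject"] or "") + body):
        findings.append("urgency language")
    for href, text in ANCHOR.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if text.startswith("http") and urlparse(text).hostname != host:
            findings.append(f"link text {text} points to {host}")  # hover reveals this
        elif lookalike(host):
            findings.append(f"link host {host} resembles {lookalike(host)}")
    return findings

# Constructed sample message modelled on the Dropbox example above (not a real email).
SAMPLE = """\
From: DropBox Security <security@dropb0x.com>
Subject: [Alert] Unusual sign-in activity detected in your account
Content-Type: text/html

<p>Dear Customer,</p><p>We noticed an unusual sign-in attempt. Please verify it below.</p>
<a href="http://dropb0x.com/verify">https://www.dropbox.com/login</a>
"""
```

Running `score_email(SAMPLE)` reports all four indicators; a genuine message from a subdomain such as www.dropbox.com produces none, because subdomains of a trusted domain are not treated as lookalikes.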
How to Avoid Phishing Emails
- Educate: The more you know about the signs and tactics of phishing, the better equipped you’ll be to spot them. Participate in our online phishing email simulator with Excellence IT: it’s short, interactive and affordable.
- Verify Before Trusting: Before acting on an email’s instructions, verify its legitimacy. This can mean calling your bank directly, checking with a colleague, or confirming with a service provider through official channels.
- Don’t Rely on Links: Links in emails can be misleading. It’s safer to manually type the official URL into your browser or use bookmarks you’ve previously saved.
How to Stop Phishing Emails
- Use Spam Filters: Make the most of your email service’s built-in spam filters. Check and adjust their settings to ensure maximum protection, and regularly review messages in the spam folder to avoid missing genuine ones.
- Report Suspicious Emails: Email providers can refine their filtering methods when users actively report phishing attempts. This not only protects you but also helps the broader community.
- Be Careful With Your Email Address: Be selective about where and to whom you give your email address. The fewer sign-ups and subscriptions, the fewer chances scammers will target you.
A tip from our cyber security experts: create a secondary email address for signing up to services and websites. A secondary address dramatically reduces the amount of spam and phishing that reaches your main inbox, and likewise decreases the chances of your primary address appearing in a data leak.
What to Do if You Receive a Phishing Email
- Avoid Interacting: Interacting with a phishing email can signal to scammers that your email is active, potentially leading to more targeted attacks. Avoid clicking on links or downloading attachments.
- Report It: Beyond your email provider, consider reporting to the Anti-Phishing Working Group or local cyber crime units. This collaborative effort can lead to a reduction in such threats.
- Stay Alert: If you’ve accidentally interacted with a phishing email, monitor your accounts for unusual activity and consider running a malware scan on your computer.
How to Block Phishing Emails
- Use Filters: Most email services offer customisable filters. These can be set to move emails from specific senders or with certain keywords directly to the trash or a designated folder. This is a game changer when your inbox gets targeted by spam.
- Security Software: Some platforms have premium security features, such as machine learning algorithms, that can detect and block sophisticated phishing attempts. Consider investing in these for added protection.
- External Security Tools/Software: Numerous third-party software solutions provide advanced email screening, looking for telltale signs of phishing and blocking such messages before they reach your inbox. This software is essential for our business and strongly recommended to all current and potential Excellence IT customers. If you want to learn more about this software, submit a form at the bottom of this page.
Phishing Email Simulator
Whilst we’ve provided examples in this blog, the dangers are not as easy to spot in real-life situations. Excellence IT has a cyber security training platform, SecureIT, which actively trains users to spot the dangers of phishing before it’s too late for your business.
Given that 82% of data breaches result from human mistakes, it’s imperative to educate your team now more than ever.
If you’re interested in deepening your knowledge about SecureIT, our cyber security training platform is perfect for you. It’s a cost-effective, concise, and engaging course delivered to a user’s inbox at your discretion.
For more information regarding our cyber security tool and phishing email simulator, contact us on the form below.
Excellence IT is a cyber-security-first Managed Service Provider based in Cardiff, South Wales, with over 20 years of experience in the field.