Phishing emails come in many forms, but there are some common throughlines: namely, a scam artist trying to steal your money, passwords, or personally identifiable information.
In this article, I’ll walk you through several example phishing emails, alongside commentary on how they work and how you can spot the phish before it’s too late. To wrap it up, I’ll go over some key pointers on how you can detect phishing emails in general.
Example #1: Advance Fee Fraud
When you think of a phishing email, this is probably the first one that comes to mind. In this type of phishing email, someone you don’t know promises a vast sum of money if you offer them a little advance fee. Take a look:
I hope this email finds you well. I write to ask for your aid in remitting a sum of $18.4 million. These funds were awarded as part of a government contract, and I want to safely move them out of my country under your supervision.
My name is Adomas Masiulus and I am the Director of Extraction for the Lithuanian Department of Energy. It is in my power to move this money to a safe destination. All I ask from you is that you safeguard these funds. For your service, you would be eligible to transfer 15% of this money to your own personal accounts.
It is necessary that you handle this business with the highest discretion. Should you do so, the profits described above can be arrived at with a minimum of personal risk.
Kindly reach out to me for further information at email@example.com.
I eagerly await your reply.
Mr. Adomas Masiulis
How It Works
The con here is pretty straightforward. They promise a large sum of money, and ask for a transfer of cash to pull off the transaction. In some cases, they might ask for access to your bank account – in which case you should be especially wary.
Because the pitch is so universal, the phisher can readily send this email to hundreds or even thousands of people. Most people won’t fall for it, but even if 1% of people do, the scam artist can make some money.
Keep an eye out for variations. The classic example involved a deposed Nigerian prince. But you’ll also see government contractors, fake inheritances, unused bank accounts, high yield investments, and other “opportunities”.
How to Spot the Phish
Think about the person sending this email. They’re a complete stranger to you, and you’re a complete stranger to them. Why would they trust a random stranger with this much money? Why should you trust them by giving them money or bank account access?
You simply shouldn’t trust random strangers with money or personal information. If someone you don’t know asks you for hundreds or thousands of dollars, you should not count on them to pay you back a penny in return, no matter what they say or who they claim to be.
You should also keep an eye on their email address. In the above example, you would expect this person to have an official email address – not just some Gmail account.
Example #2: Spoofed Bank Email
The more advanced phish use clever tricks to make their emails appear legitimate. Through email spoofing, a phishing email can look exactly like the real thing, down to the from line. See for yourself:
How It Works
This email looks exactly like one you might receive from your own bank – in fact, they’ve copied the email wholesale. I sent this email from my own email address to myself. But in only a few minutes, a scammer can even insert your bank’s email address in the from line. Given that this is nearly indistinguishable from the real thing, it’s no surprise people sometimes fall for this cleverly disguised trap.
The disguise is coupled with urgency and an emotional appeal to fear, both of which can override one’s natural caution. Without thinking twice, the victim clicks through to a fake version of their bank’s website and types in their login information. And just like that, they’ve given bank account access to a scammer.
How to Spot the Scam
Stay wary of any links you receive via email. The from line can be faked, making it an imperfect way of spotting phishing emails. The actual web domain of a link cannot be faked exactly.
At the very least, mouseover every link before you click. You’ll see the actual URL in the bottom left corner of your browser. Instead of clicking the link, right click and copy the URL. Once you paste it in your address bar, you can take a closer look before pressing enter.
Better yet, just type in the address manually, without even looking at the link in the email. You’ve been to your bank’s website before. If you visit it directly, without reference to any email, you can check your bank account without any risk of getting phished.
One last note on URLs – these can’t be faked exactly, but they can be closely imitated. A one-letter difference is just a few pixels, and can be very hard to spot unless you’re being very diligent. So pay close attention, or just type in the URL manually.
Example #3: Fake IRS Emails
One of the most frequent tactics used by phish is to imitate a government entity such as the IRS or the FBI.
How it Works
Just like in example #2, this phish is doing everything they can to impersonate the real thing. IRS impersonators usually exploit fear – if you think you’re going to get audited by the IRS, you might react before you have time to think through it.
These types of phish are especially likely to go after tax professionals. So if you’re a tax pro, you should be especially wary – for your sake, and for your clients’ sake as well.
How to Spot the Scam
This one’s easy once you know the secret: per IRS policy, the IRS never contacts taxpayers via email, text message, or social media to request personal or financial information. So if you get an IRS email out of the blue requesting any kind of information, it is almost certainly a scammer.
Everything I said about bank account phishing emails holds true here as well. Look carefully at any URLs in an email. If you’re concerned that the IRS may actually be trying to reach you, you can call them directly. Remember, there’s no chance you’re getting phished if you reach out to an organization on your own, using the contact details on their official website.
Finally, it can’t hurt to familiarize yourself with the different scams being perpetrated under the IRS’s name, especially since they’re such a common vector for phishing emails. You can see the IRS’s page on scams here.
Example #4: CEO Fraud
When targeting a business, phish frequently like to impersonate the CEO. How would you react to the following email?
Hi James – please take care of this invoice for me: https://bit.ly/2P6Akll
No need to reply, I’m on vacation right now. See you when I get back.
— Edgar Halcott, CEO
How It Works
At most companies, when the boss says something, you do it. If you’re in a position to regularly handle direct requests from the CEO, this might just look like a routine request.
If you don’t normally work directly for the CEO, this looks like your chance to shine – or at least not drop the ball. You might be so eager you’ll take care of the request on the spot, which is exactly what the scam artist wants you to do. Because a capable phish can falsify the from line, many employees will think the message really is from the CEO and act accordingly.
Suffice to say, when someone pays the invoice, the scam artist walks away with the money. It’s that simple.
How to Spot the Scam
First of all: as with any request for money or personally identifiable information, take a minute to think before you proceed. You can start with these questions:
- Who is the person or company in question?
- Does your company regularly do business with this person or company?
- Have you handled financial transactions with them before?
- And is the CEO really on vacation right now?
If you’re not sure about the request, the best way to clarify is to talk to someone else. If you don’t handle business with the company in question, you can talk to the person who does. If you do, you can talk to the company directly to see whether the invoice is legitimate or not.
If you’re not sure whether the CEO is in the office or on vacation, you can ask around. But be aware that this doesn’t prove much on its own – through spearphishing tactics, scammers often research their target to carefully plot their attack. They might wait to attack, for instance, until they see on social media that the CEO really is on vacation. Sneaky stuff.
Crucially, do not forward this email to anyone else in the organization. If you do, you’re just spreading the scam! Believe it or not, people will still fall for a phishing email if you attach a warning to it.
Hopefully, your company has a clear system in place to report suspected phishing attempts. If need be, you can always show someone the phishing email on your computer or send them a screenshot.
Example #5: The Grandchild in Peril
This is a spearphishing tactic, whereby a phish does careful research to prepare a personalized email aimed specifically at the target in question. In this instance, they would learn that someone has a grandkid visiting or studying in China, and write an email alleging that this grandkid is in peril.
For this example, assume the sender knows their target’s grandson is currently traveling in China.
I am writing to inform you that your relation, JONATHAN SMITH, has been arrested by the People’s Armed Police Force (中国人民武装警察部队) for the following offenses:
• Defacing a public monument
• Destruction of property of the People’s Republic of China
He is currently being held at Tilanqiao Prison (提篮桥监狱) in Shanghai. We are prepared to free him on the condition of his removal from the country. To do so, we will need $13,500 dollars to pay for damages and deportation expenses.
Please forward this money via the following web portal: https://bit.ly/2P6Akll
–– Yuan Baoquang 王寶強
How It Works
You can see how this kind of attack would be effective. As a starting point, the spearphisher researches their target to make sure the email is relevant to their victim. And because the supposed grandchild is in a foreign country, it might not be easy to reach them and verify.
From there, the scammer makes a big emotional play by alleging that a loved one is in danger. Many parents and grandparents wouldn’t think twice to help out a family member – and it’s exactly this sentiment that the scam artist cruelly aims to exploit.
This kind of scam artist can target any family member, or even a close friend or other relation. These phish often go after grandparents, who might not be in as close touch as a parent would be with their child.
The scam artist might also expect the grandparent to be less tech savvy, and maybe a little easier to convince. Scammers seem especially likely to target the elderly in general, and have no qualms about exploiting the vulnerable.
Look out for variations. These scam artists don’t always say the person is in prison – they might also lie about a health crisis, hospitalization, or other danger. In all cases, the scammer is asking for money to help a loved one supposedly in distress.
How to Spot the Scam
The best way to verify this kind of email is to contact the person in question or another family member. If a grandparent receives the above email, for instance, they can try calling the grandchild, and if they don’t pick up, they can try the kid’s parent.
You can also try getting in touch with your country’s embassy, though I can’t guarantee they’ll get back to you in a timely manner.
How to Detect Phishing Emails
You’ve surely noticed some common themes across the above examples. Though phish are always coming up with new scams to try, these pointers can help you spot all different kinds of phishing emails.
#1: Watch the Links
The best way to spot phishing emails is to carefully check any links before you click. Mouseover and look in the bottom left corner of your browser to see where the link’s actually pointing. If it doesn’t match up with the actual legitimate domain, they’re probably a scam artist.
That said, it’s surprisingly easy to make a URL look right. Phishers will often create clone websites, with a URL that closely matches the real thing. For example, when I worked for fitsmallbusiness.com, we once had a scam artist operating out of the domain fltsmallbusiness.com. If you look closely, you can spot the difference, but a few out-of-place pixels can be easy to miss.
The best way to stay safe is to just manually type the URL into your browser bar. If you go to the website on your own, rather than through a second party, you’re essentially circumventing the phish.
You can also get to the real website by searching on Google. If it’s a company you’ve never heard of, stay careful, and maybe do some web searches to see if they’re for real. I like to search for “[company name] legit”, but you can run your own searches to see for yourself.
Besides typing in the URL yourself, you can right click on the link, copy the link address, and paste it into your address bar. Make sure to pause a few seconds and closely look over the link before you proceed. Because scammers often fool people with URLs that closely match the real thing, this method isn’t quite as effective as manually visiting the site in question.
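The two checks described above and in Example #2 (does the link really point at the legitimate domain, and is the domain a one-letter or look-alike imitation such as fltsmallbusiness.com?) can be automated. The following is an added example written for this article, not code from the original; the trusted-domain list, the confusable-character table and the sample email body are all constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed for this demo: the domains the reader actually trusts.
KNOWN_DOMAINS = {"fitsmallbusiness.com", "spotify.com"}
# Characters that look alike in many fonts (the "fl" vs "fi" trick from the article).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})

def registrable_domain(hostname: str) -> str:
    """Keep the last two labels: 'login.fltsmallbusiness.com' -> 'fltsmallbusiness.com'."""
    parts = hostname.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a one-letter swap gives 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(hostname: str, known=KNOWN_DOMAINS) -> str:
    """'ok' for a trusted domain, 'lookalike' if it imitates one, else 'unknown'."""
    dom = registrable_domain(hostname)
    if dom in known:
        return "ok"
    for good in known:
        if dom.translate(CONFUSABLES) == good.translate(CONFUSABLES) or edit_distance(dom, good) <= 1:
            return "lookalike"
    return "unknown"

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def check_links(html: str) -> list:
    """(displayed text, real target host, verdict) for every link in an HTML email body."""
    findings = []
    for href, text in HREF_RE.findall(html):
        host = urlparse(href).hostname or ""
        findings.append((re.sub(r"<[^>]+>", "", text).strip(), host, classify_domain(host)))
    return findings

# Constructed sample: the link text shows the real site, the href goes elsewhere.
SAMPLE_BODY = """<p>Your invoice is ready.</p>
<a href="https://login.fltsmallbusiness.com/verify">https://fitsmallbusiness.com/account</a>
<a href="https://www.spotify.com/account">Manage subscription</a>"""
if __name__ == "__main__":
    for text, host, verdict in check_links(SAMPLE_BODY):
        print(f"{verdict:9} {host:30} shown as: {text}")
```

The verdict is computed from the href, never from the displayed text, which is exactly the distinction the mouseover check is meant to surface.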
#2: Watch the “From:” Line
The quickest way to spot a phishing email is often to just check the from line. If someone isn’t emailing you from an official address, you know right away they’re not credible.
So why isn’t this #1? Through email spoofing, phishers can send fake emails from any address they want. Your email service provider might flag these down, but I’ve also seen reputable email services fail to flag spoofed email addresses. Because scam artists can fake the “From:” line, it shouldn’t be taken as definitive proof that this person is who they say they are.
There are a few ways you can look deeper than the “From:” line to get more information from the sender. Let’s look at two examples, one spoofed, one legit:
Caption: Spoofed email
Caption: Real email
If you look at the real email example from Spotify, you’ll see that not only is the from line from spotify.com, but the “mailed-by” and “signed-by” lines confirm that the email definitely came from Spotify.
You’ll see both of these show the same encryption level; I wouldn’t use that as a way to spot phishing emails.
So the “from:” line and additional sender information can be useful when trying to detect a phishing email. You just can’t rely on the “from” line alone.
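The “mailed-by” and “signed-by” details a mail client shows come from the envelope sender and the DKIM signature on the message. The added example below (written for this article, not from the original) reads those two headers and checks whether they line up with the “From:” domain; it takes Return-Path as a stand-in for “mailed-by” and the DKIM d= tag as “signed-by”, and it does not verify the signature cryptographically, which is an assumption a real mail server does not make. Both messages are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

def domain_of(addr: str) -> str:
    """Lower-cased domain of 'Name <user@host>' or a bare '<user@host>'; '' if none."""
    _, a = parseaddr(addr or "")
    return a.rsplit("@", 1)[-1].lower() if "@" in a else ""

def same_org(dom: str, other: str) -> bool:
    """True if other is dom itself or a subdomain of it (bounce.spotify.com -> spotify.com)."""
    return bool(dom) and (other == dom or other.endswith("." + dom))

def sender_alignment(raw: str) -> dict:
    """Compare the From: domain with the DKIM d= domain ('signed-by') and the
    Return-Path domain ('mailed-by'). Assumption: headers are read as-is; the
    DKIM signature itself is not cryptographically verified here."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(str(msg.get("From", "")))
    mailed_by = domain_of(str(msg.get("Return-Path", "")))
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    signed_by = m.group(1).lower() if m else ""
    return {"from": from_dom, "mailed_by": mailed_by, "signed_by": signed_by,
            "aligned": same_org(from_dom, signed_by) and same_org(from_dom, mailed_by)}

# Constructed sample 1: everything lines up with spotify.com.
LEGIT_MESSAGE = """Return-Path: <bounce@spotify.com>
DKIM-Signature: v=1; a=rsa-sha256; d=spotify.com; s=sel1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Spotify <no-reply@spotify.com>
To: you@example.com
Subject: Your receipt

Thanks for your payment.
"""

# Constructed sample 2: the From: line says Spotify, but nothing else does.
SPOOFED_MESSAGE = """Return-Path: <bulk@mailer-example.net>
From: Spotify <no-reply@spotify.com>
To: you@example.com
Subject: Action required on your account

Please confirm your payment details.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(name, sender_alignment(raw))
```

A mismatch here is what the article calls a “From” line that doesn’t match the other email information; it is a red flag, not proof, because a legitimate sender can also route mail through a third-party domain.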
#3: Watch out for login pages or requests for personal information
If you do click through a link and land on a login page, you should check twice before putting in any passwords or other information. Yes, even if you already checked the URL. If your bank account or other sensitive accounts are at stake, it’s worth taking a second look. Any request for passwords or personal information should be taken as a red flag, and cause to investigate the email further.
#4: Research the sender if you’ve never heard of them before
When in doubt about an unexpected sender, do some research to see if they’re legit. Look on Google, Yelp, TrustPilot, or elsewhere to see if you can verify that you’re hearing from a real business or organization.
Getting an email from an unknown sender is a big red flag on its own, especially if they’re asking for login info, passwords, or money.
#5: Ask a friend
You can always double-check with someone else to see if they think the email is legitimate. Remember, forwarding the phishing email itself poses a big risk that they or someone else will fall for the forwarded email. It might sound incredible, but it happens way more often than you would think.
Instead, ask someone to look at the email in person, or send them a screenshot of the email in question. If you do have to send the email forward, put multiple warnings in the subject line and the email itself. You can never be too careful.
#6: Don’t forget to watch for your email’s warning signs
This one might seem obvious. But you’d be surprised how many people just ignore the warnings from their own email provider. I guess at some point, you just get so used to seeing warnings that you get careless. Stay vigilant, as those messages are there for a reason.
In Summary: Phishing Email Red Flags
The emails above are just a few examples of phishing emails. For more, Berkeley has a great collection that is constantly getting updated.
It isn’t always easy to spot a phishing email. You can watch for the following flags that you might be getting scammed:
- Link to a different domain
- “From” address and other email information don’t match who they say they are
- Email from someone you don’t know
- A request for personal information
- Login page required
Obviously any one of these doesn’t necessarily mean the email is a fake. But they are red flags, indications that you should proceed carefully.
Email is not an especially trustworthy medium of communication. Because it’s so easy to send messages and so difficult to make sure someone really is who they say they are, scam artists have taken to phishing as a means to make a quick buck off unsuspecting people. By building your own awareness of phishing tactics and staying on your toes, you can hopefully minimize your risk of becoming a victim.