The Common Indicators of a Phishing Attempt


Phishing attempts are not rare. Some analysts claim that around 15 billion spam or fraudulent emails are sent daily, meaning that roughly 1% of all emails are classified as phishing attacks. These numbers are massive, yet email is not the only way cyber attackers launch phishing scams: attackers also use SMS text message phishing (smishing), phone call voice phishing (vishing), and other attack strategies like clone phishing and page hijacking.

Regardless of how a phishing attack is launched, it’s clear we are dealing with huge volumes of scamming. The prevailing assumption is that phishing attempts are clumsy, and we have seen it often: weird-looking scam emails in our spam folders, or bungling phone calls from someone poorly impersonating a bank or business. But this notion that phishing attempts are easy to recognize can lead to a false sense of security around the danger of phishing as, more and more often, phishing techniques are sophisticated and harder to spot.

Recognize Phishing to Protect Yourself

Every business, large or small, should make the awareness of the common indicators of phishing a central part of their phishing prevention strategy. This, coupled with robust anti-phishing software for business, will provide important pillars of your organization’s cybersecurity plan. But what are those common indicators? Some are obvious, others much more subtle.

Below, we discuss the most common signs of a phishing attack.

Notice an Unfamiliar Tone or Syntax, Errors in Spelling and Grammar

Arguably the most common signs of phishing communications show up in how they are written, most obviously in spelling errors and odd use of grammar. While all of us can be guilty of putting a typo in an email, an email full of misspellings should be enough to warrant caution and further investigation. The tone of the exchange is also very important. Often, scammers try to produce a sense of urgency in bogus phishing emails by capitalizing words, adding exclamation points, and using command language, e.g., “PAY NOW BEFORE ITS (sic) TOO LATE!”. The vast majority of legitimate business communications, even those requesting payment, use positive and diplomatic language, so alarm bells should ring when the tone becomes threatening, coercive, or overly urgent.

Scrutinize the Look of the Message

In addition to written cues, signs of a phishing email may also be evident in how the communication is presented. As mentioned, scammers often pose as the real deal, trying their best to impersonate a bank or business employee, creating fake websites and mimicking logos and overall design. While these cybercriminals are getting more adept at imitating the messaging of organizations, there still might be something off with an email’s look in terms of style, color, logo, and so on. The difference may be subtle, but if there is a discrepancy between what you receive and what you have received in the past in terms of the font, color scheme or logo, this inconsistency could indicate a phishing cyberattack.

Watch for Spoofed Hyperlinks, Domain Names, URLs, and Attachments

“Hover before you click” and “think before you click” are two of the fundamental maxims of phishing prevention strategies. In the simplest terms, they mean taking a moment to think before you click on potentially spoofed hyperlinks within an email or message. The hovering technique means resting your cursor over a link to see the full URL before clicking. Doing so will expose any difference between the link address and the purported sender of the email. On websites, you should look for the HTTPS URL, designating an SSL security certificate. Legitimate companies will most likely have “clean” domain names and email addresses, like, so exercise caution when you feel the address doesn’t quite fit the sender.

However, you should be aware that sophisticated phishing techniques can trick people with links and addresses that do look legitimate. Consider, for example, that the lowercase “l” and uppercase “I” can look very similar on a computer screen. Can you spot the difference between “AppIe” and “Apple”? The former is misspelled using an uppercase “i”. When in doubt, go to the actual website (not clicking on the provided link) and check out your concerns. And what about downloading attachments? The answer is simple: You should never download an attachment that looks suspicious or that has arrived from an unknown sender.
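The hover check and the look-alike check described above can also be run automatically over the HTML body of a message. The Python code below is an added example, not part of the original article; the `TRUSTED` list, the `CONFUSABLE` character subset, the two-label `site()` shortcut and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"apple.com", "example-bank.com"}  # assumption: constructed allow-list
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})  # small illustrative subset

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def raw_host(url):  # host as written: case kept so "I" posing as "l" survives
    netloc = urlsplit(url if "://" in url else "//" + url).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]

def site(host):  # assumption: last two labels; real code needs the Public Suffix List
    return ".".join(host.split(".")[-2:])

def lookalike_of(host):  # trusted domain this host visually imitates, or None
    folded = site(host).translate(CONFUSABLE).lower()  # fold before lowercasing
    return folded if site(host).lower() not in TRUSTED and folded in TRUSTED else None

def check_links(html):  # returns (href, reason) for each suspicious link
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = raw_host(href)
        # Compare only when the visible text itself looks like an address.
        shown = raw_host(text) if "." in text and " " not in text else target
        if site(shown).lower() != site(target).lower():
            findings.append((href, f"text shows {shown}, link goes to {target}"))
        for host in sorted({target, shown}):
            if real := lookalike_of(host):
                findings.append((href, f"{host} imitates {real}"))
    return findings

SAMPLE = """<a href="https://www.apple.com/support">www.apple.com</a>
<a href="http://login.example-payments.test/reset">https://www.example-bank.com/reset</a>
<a href="https://AppIe.com/verify">Verify your account</a>"""  # constructed email body
```

Calling `check_links(SAMPLE)` reports the second link for a text/target mismatch and the third for the uppercase “I” look-alike, while the first link passes.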

Be Diligent about Unsolicited Communications and Possibly Fake Companies

In 2019, a man was convicted of swindling Google and Facebook out of over $100 million using one of the most sophisticated phishing schemes ever recorded. Essentially, the scammer set up a fake company, complete with phony email addresses and invoices. Now, your small business would likely notice if $100 million walked out the door, but the scam perfectly encapsulates the phishing threat posed by bogus companies. Indeed, we can point to other recent examples of phishing fraud where scammers impersonated executives within the targeted company, presenting themselves as high-ranking employees.

Halt for Unusual Requests, Demands for Payment or Personal Information

Beyond how a communication is presented, what it contains, and who is sending it, recipients should always be questioning what they are being asked to do. The key is to be skeptical, particularly when you – as the recipient – did not initiate the communication and especially when you have not heard of the company that has contacted you. It is unlikely any executive, manager, or CEO would be upset if a diligent employee double-checks who is behind the email, specifically if they are demanding payment or company-related data, or soliciting personal information. Whether it is within your job role or not, promoting the culture of phishing prevention within your business is smart.

Demands for sensitive information, including PIN codes and passwords, should always raise a red flag. Similarly, if the sender is asking for personal information, such as date of birth, addresses, and even simple things like names, it warrants further investigation. Remember, phishing is a type of social engineering, and scammers can patiently build up a profile of employees, using the information obtained to trick people into believing they are legitimate. In fact, around 96% of phishing attacks are said to be created for intelligence gathering!

The Bottom Line: Understand the Common Hallmarks of Phishing to Protect Yourself

The bottom line is that, while phishing attempts can sometimes seem clumsy, featuring strange-looking emails full of errors or communications from businesses you’ve never heard of, today’s cybercriminals are more refined, with their efforts often more clever than we expect. Scammers can be particularly skilled at instilling a sense of urgency – even panic – through their use of language and by pretending to be company bigwigs demanding action now. Despite their new sophistication, there are steps everyone can take to protect themselves against phishing attempts.

Checking carefully for sloppy errors and the telltale signs of inauthentic emails should be an obvious first step. Spending a moment to verify the authenticity of the sender – checking the URL, asking for more information, calling the company if necessary – will also provide an extra layer of protection against phishing scams. A deeper commitment to spotting and stopping phishing requires educating yourself and your team. Of course, for the best protection against a range of scams, and to prevent cyberattacks as well as falling prey to phishing, ongoing education should be implemented alongside the use of business security software for your organization. But no matter what, avoid handing over vital data or acting on requests for payment, particularly if they come from unsolicited communication.