Anatomy of a Phishing Email

A phishing email is typically the starting point for many cyber attacks. While spam filters, whitelists, and anti-virus engines do an adequate job of keeping these emails from passing through to end users’ inboxes, there are still plenty of emails that make it through. GreatHorn’s 2017 Phishing Report revealed that the average business end user “faces at least one risky email per day,” while 91 percent of corporate phishing emails are display name spoofs.

Why do users keep falling for the bait? According to one study, user overconfidence can be a factor. But the reality is that many of these emails are so well crafted that they look like the messages users typically trust from brands they know well. These aren’t emails coming from fraudsters posing as Nigerian princes.

Cyber security professionals say that a lack of user security awareness is the biggest factor in the success of these malicious phishing attempts. Still, if you take extra time and pay attention to the details, there are often very clear red flags you can spot in a phishing or spear phishing email.

Let’s take a deeper dive into the anatomy of a phishing email.

Sender Details

Oftentimes it’s difficult to tell if an email is safe purely from the visible sender info. Threat actors who send phishing emails can include misleading details in an email’s “From” field to make it look legitimate. A savvy user will examine an email header and the appropriate fields to verify the true origin of the email. However, users need to be aware that a phishing email can also come from the email account of someone they know. Phishing campaigns can be propagated by using a previous victim’s email client to forward the scam to more victims in their contact list.

Beyond simply verifying the sender, you need to ask yourself, is this the type of content I would normally see from this person? Would they be likely to send you only a link or a one-line “get rich quick” offer with no other context or content? Making a quick phone call or sending out a separate email to that person can make all the difference in avoiding a compromise.

It’s also important to carefully scan the email domain in context with the displayed sender information. For instance, reputable companies generally won’t use public email services like Gmail and Yahoo. You shouldn’t see a return email address of
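The header checks described in this section can be automated. The sketch below is an added example, not code from the original article: it compares the display name in "From" with the real address domain and with "Reply-To". The brand map, both sample messages and every address in them are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the free-mail list holds the two services the
# article names; the brand map and every address below are constructed.
FREEMAIL = {"gmail.com", "yahoo.com"}
BRAND_DOMAINS = {"example bank": "examplebank.test"}

SPOOFED = '''From: "Example Bank Support" <account.update@gmail.com>
Reply-To: collect@mailbox.test
To: james@corp.test
Subject: Verify your account - act fast!

Dear Sir, please confirm your password.
'''

GENUINE = '''From: "Example Bank" <statements@examplebank.test>
To: james@corp.test
Subject: Your monthly statement

Dear James, your statement is ready.
'''

def _domain(header_value):
    """Return the lower-cased domain of the address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def sender_flags(raw_message):
    """Return red flags found by comparing the display name with real addresses."""
    msg = message_from_string(raw_message)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_domain = _domain(msg.get("From"))
    flags = []
    # Display name claims a brand, but the address is not on the brand's domain.
    for brand, legit in BRAND_DOMAINS.items():
        on_brand = from_domain == legit or from_domain.endswith("." + legit)
        if brand in display and not on_brand:
            flags.append("display-name-spoof")
            if from_domain in FREEMAIL:
                flags.append("brand-on-public-mail")
    # Replies would be routed to a different domain than the visible sender.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")
    return flags

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, sender_flags(raw))
```

A clean result does not clear a message: as noted above, phishing can also arrive from a known contact's compromised account, where every header is genuine.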

Subject Line

Emails, whether from a legitimate organization or a threat actor, often feature a catchy subject line to get readers’ attention. There is no definitive way to determine the validity of an email from the subject line alone. However, it can be yet another indicator that raises the recipient’s suspicion. Spear phishing subject lines are more specific to the intended victim’s environment, so the recipient needs to judge whether they are legitimate in context. Common phishing subject lines, by contrast, usually include an offer of money to appeal to as many victims as possible. Beware of emails promising you money or other rewards “if you act fast!” This is a favorite social engineering technique threat actors use to get people to act without thinking.


Content

The content of the email can provide many telltale signs that you’re dealing with a phishing scheme. When it comes to emails from a known organization, logos and names can be impersonated by malicious hackers, so don’t rely on them to judge the legitimacy of an email. Pay attention to the greeting and compare it to any previous correspondence you might have from that organization. Are you being addressed using the same nomenclature? For example, my bank addresses me by the name on my account, James, while most friends and colleagues address me as Jim. I wouldn’t expect to see my bank send correspondence regarding my account using the greeting of “Jim” or “Sir.”

Next, pay attention to the grammar and spelling. Legitimate organizations typically don’t make glaring mistakes in their communications. A little compositional review often reveals indicators of phishing.

You also need to confirm the overall context of the message. Phishing emails are designed to get the victim to reveal private or sensitive information. Be highly suspicious of requests for passwords, account numbers, or verification of sensitive information. Additionally, be aware of any implied sense of urgency in the message. It’s common for threat actors to push you into acting quickly without thinking or verifying the validity of the message. This might take the form of a monetary reward or, conversely, a threat of penalties if action is not taken within a specified timeframe.

Your service providers are highly unlikely to ask you for information of this nature in an email. You should make a phone call to the purported sender organization to verify any request before giving up your information.

Links and Attachments

Phishing and spear phishing emails are also often designed to implant some type of malicious code on the recipient’s system. Links or attachments are the common vehicles of choice to deliver malicious code. Embedded links to seemingly legitimate sites take advantage of vulnerable browsers to download and execute the code from a waiting server. Most email clients will reveal the link address when you hover over it with your mouse. You can also verify links (malicious or safe) through an online third-party database search. It pays to study links carefully and only click links you know are safe.
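The hover check can be reproduced offline by listing each link's real destination next to the text it displays. This is an added example, not code from the original article; the HTML body and all host names in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body; every host name is a placeholder.
BODY = '''<p>Dear Sir, your account is locked.</p>
<a href="http://login.examplebank.test.verify-acct.test/reset">https://www.examplebank.test/login</a>
<a href="https://www.examplebank.test/help">Help centre</a>'''

class LinkAudit(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _host(url):
    """Return the lower-cased host of a URL, with or without a scheme."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def link_report(html):
    """Return (visible text, real host, mismatch) per link, as hovering would show."""
    audit = LinkAudit()
    audit.feed(html)
    report = []
    for text, href in audit.links:
        real = _host(href)
        # Only text that itself looks like a URL can contradict the href.
        shown = _host(text) if "." in text and " " not in text else ""
        report.append((text, real, bool(shown) and shown != real))
    return report

if __name__ == "__main__":
    for row in link_report(BODY):
        print(row)
```

The first link displays the bank's address but resolves to a host under a different registered domain, which is exactly what the hover preview exposes.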

Alternatively, attachments are the other way of delivering malicious code, and they are often buried in what looks like a legitimate attached document. People send attached pictures, PDFs, and MS Office documents to each other all the time, so it’s not uncommon to encounter these files in an email. Never open an attachment from an email until you verify the sender.


Emails remain the most prevalent means of communication for most businesses, and that’s not going to change any time soon. Therefore, phishing and spear phishing will remain a regular attack vector against organizational systems and enterprise networks. Users are the weakest link in the cyber security chain. Make sure you take the extra steps we discussed in this blog to verify the next questionable email that hits your inbox.

Training is an essential first step to improve your phishing awareness. Register for our Cyber Hygiene course to see where you stand, and learn more about our services.